
There is a hacker who is mad at us, and has started a DDOS attack against us. I think he is a script-kiddie, using tools like DarkComet; the attack is probably simple.

I host a server on my PC. The server is on my public IP. I am using a router. The server does have a port forwarded for people to connect. There is a proxy and stuff, but I don't know how to set it up.

The server is popular, and I do not want to shut it down.

Is there a way for me to stop the attack, or even just delay it?

  • Do you have any idea how many source IP addresses he is using? If it's a comparatively small number or from an identifiable IP address range, you could block all access to the server from those IP addresses. If it's thousands and you have no way to limit based on IP address, do you have any details about the attack, such as the type of traffic being used for the [DDOS](https://en.wikipedia.org/wiki/Denial-of-service_attack#Distributed_attack)? Is there some way to distinguish the illegitimate traffic from legitimate traffic? What operating system is your server using? – moonpoint Jul 25 '15 at 15:33
  • My server is using Windows 8.1. The hacker is using Windows and Kali Linux. He is DDoSing with all types of IPs; he uses a proxy and, I think, 5 VPNs to hide his IP. And all of his hacker friends are helping him too, so that would be like 15 attacks, 15 different IPs. –  Jul 25 '15 at 15:59
  • possible duplicate of [Does tcpdump bypass iptables?](http://superuser.com/questions/925286/does-tcpdump-bypass-iptables) – jornane Jul 25 '15 at 16:20
  • No, it is not a duplicate of that. – Oddthinking Jul 25 '15 at 16:34
  • @DragonLord, it's also about dealing with DDOS, which isn't necessarily the same as maintenance of a website. And the poster didn't state that the server is a web server; it could be another type of server. – moonpoint Jul 25 '15 at 17:21

2 Answers


The best way to deal with a DDoS is to start as far away from your connection as possible; you want to cut off such an attack as close to the source as possible.

First, find out the IP addresses being used, whois them, and talk to the ISP on the far end. They might not be able to help if they're in a foreign country, or spread all over the world, but if it's an isolated region, you might be in luck.

If that is a dead-end, you can ask your ISP to provide a black hole for a range of IPs. Most consumer-grade accounts won't have this option, but it doesn't hurt to ask. Unless, of course, you're violating the TOU (Terms of Use) for that provider by running a server at all. You'd be admitting to using their connection in a way they don't like. They could decide to shut you down.

If you have a dynamic IP address, you can try pulling out the battery and power cord of your modem/router (the ISP-connected one, not any internal one you may have), and let it sit a few minutes. Hopefully, you'll renew with a new IP address and you can just update your DNS. It'll take a while for the DDoS to realize you've moved, although your legitimate customers will have the same problem. It will sort itself out over a few minutes/hours, but you might be better off in the end.

If you can't get down to getting ISP support or changing your IP address, you'll need a firewall. Go to your local store and buy a nice hardware firewall if you can. One with drop rules specific to traffic types/IP addresses/etc. It'll cost you dearly, but you can configure the firewall to drop all suspicious traffic. The benefit here is that most connections have a much smaller upstream cap than a downstream cap, so by dropping packets, you save your upstream bandwidth (going to your visitors) for actual page visits and not pings, naks, 404s, and whatever else might be going on.

You can try a software firewall but it has to be a good one. Windows Firewall just isn't going to cut it here. You need something like Linux, where you can configure drop rules on the IPs that are bombarding you. You'll still be using a lot of downstream bandwidth to your network, but your server will be able to take a breather while your other system takes the heat.

You might also just set up another virtual server on your server, with a single file that redirects (302) from the default port 80 or 443 to a non-standard port, and set up your services there. Normal browsers will get redirected to the new service without too much hassle on next page load, while the bots will probably continue hammering away on the default port. A simple HTTP redirect costs a lot less bandwidth than full-blown page loads, so it might reduce the effects of the attack. It really depends on how intelligent the DDoS attack scripts are. They might simply harmlessly bounce off the 302, which means they'd have to massively scale up their attack.

Finally, if everything else fails, just turn off your server for 10 minutes and see what happens. The DDoS scripts might get bored and wander off (not likely, but it's worth a shot). If you are hosting your own server on a consumer-grade connection, by the way, it's time to upgrade. Consumer-grade packages are not suitable for hosting, because they have very small upstreams (relatively) and little to no support included for DDoS, DNS, mail servers, and other usual problems.

phyrfox
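The firewall step in phyrfox's answer (tell the fifteen-odd attacking sources apart from real users, then drop them) as an added example; this is not code from the original answer. It reads a firewall connection log, measures each source's peak connection rate inside a sliding window, and prints drop rules for either the Windows host itself (`netsh advfirewall`) or a Linux box placed in front of it (`iptables`). Assumptions: the log follows the Windows Firewall pfirewall.log column order, the forwarded port is 25565, the 20-connections-per-minute threshold is arbitrary, and the log lines are constructed for the example.

```python
"""Pick DDoS sources out of a firewall log and emit block rules for them.

Added example, not code from the original answer. Assumed: the log follows the
Windows Firewall pfirewall.log column order (date time action protocol src-ip
dst-ip src-port dst-port ...), the forwarded server port is 25565, and a source
that opens THRESHOLD or more connections to it inside WINDOW is hostile. The
sample log lines below are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

SERVER_PORT = 25565             # assumed forwarded port
WINDOW = timedelta(seconds=60)  # burst window
THRESHOLD = 20                  # connections per window that mark a source hostile


def parse_events(lines, port=SERVER_PORT):
    """Yield (timestamp, src_ip) for each TCP connection attempt to `port`."""
    for line in lines:
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 8:
            continue
        date, clock, _action, proto, src, _dst, _sport, dport = parts[:8]
        if proto != "TCP" or dport != str(port):
            continue
        try:
            ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
            ipaddress.ip_address(src)  # skip malformed addresses instead of crashing
        except ValueError:
            continue
        yield ts, src


def peak_rate(timestamps, window=WINDOW):
    """Most events from one source inside any `window`-long span (sliding window)."""
    ts = sorted(timestamps)
    best = left = 0
    for right, t in enumerate(ts):
        while t - ts[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def find_attackers(lines, threshold=THRESHOLD, window=WINDOW):
    """Map hostile source IP -> its peak connection rate; quiet sources are left out."""
    per_src = defaultdict(list)
    for ts, src in parse_events(lines):
        per_src[src].append(ts)
    peaks = {src: peak_rate(t, window) for src, t in per_src.items()}
    return {src: n for src, n in peaks.items() if n >= threshold}


def block_rules(ips, platform="windows"):
    """Drop rules for the given sources: netsh on the Windows host, iptables on
    a Linux box placed in front of it."""
    rules = []
    for ip in sorted(ips, key=ipaddress.ip_address):
        if platform == "windows":
            rules.append(f'netsh advfirewall firewall add rule name="DDoS {ip}" '
                         f"dir=in action=block remoteip={ip}")
        elif platform == "linux":
            rules.append(f"iptables -I INPUT -s {ip} -j DROP")
        else:
            raise ValueError(f"unknown platform {platform!r}")
    return rules


def constructed_log():
    """Constructed sample: two real players, two flooding sources, one port scan."""
    base = datetime(2015, 7, 25, 15, 33, 0)
    lines = ["#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags"]

    def add(src, offset, sport, dport=SERVER_PORT):
        t = base + timedelta(seconds=offset)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} ALLOW TCP {src} 192.168.1.10 {sport} {dport} 0 S")

    add("198.51.100.7", 0, 51234)      # player connects ...
    add("198.51.100.7", 900, 51240)    # ... and reconnects 15 minutes later
    add("192.0.2.44", 12, 40001)
    for i in range(40):                # 40 SYNs in 40 seconds from each attacker
        add("203.0.113.5", i, 1024 + i)
        add("203.0.113.77", 5 + i, 2048 + i)
    add("203.0.113.9", 3, 4444, dport=3389)  # RDP probe: other port, not counted
    return lines


SAMPLE_LOG = constructed_log()

if __name__ == "__main__":
    hostile = find_attackers(SAMPLE_LOG)
    for ip, n in sorted(hostile.items()):
        print(f"{ip}: {n} connections in {WINDOW.seconds}s")
    print("\n".join(block_rules(hostile, "linux")))
```

The sliding window matters more than a raw count: a real player who reconnects all evening can rack up as many log lines as a bot, but never forty inside one minute. Re-run it against the live log every few minutes and only the sources that are still flooding get a rule, which keeps the whack-a-mole manageable when the attacker rotates VPN exits.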

Fifteen IP addresses is a relatively small number. You could block those using firewall software or hardware. If he is using a VPN or proxy server service that makes it look like the source IP is from address space belonging to an entity in Belgium and you don't expect any legitimate traffic to come from there, you could block the entire address range allocated to that entity at least for a period of time. There's always a risk that you might block some legitimate traffic as well, but that risk may be outweighed by the need to make your server accessible to other legitimate users.

E.g., suppose I see 218.65.30.38 as an attacking IP address, which is actually an address from which I've seen someone try to break into one of my own servers by attempting to guess a password. I could first go to the American Registry for Internet Numbers (ARIN) website at http://arin.net. In the "Search whois" field, I'd put 218.65.30.38, which would reveal that the address range 218.0.0.0 - 218.255.255.255 is assigned by another Regional Internet Registry (RIR), in this case the Asia Pacific Network Information Centre (APNIC), the organization that assigns IP address blocks for that region. So then I could go to the APNIC site at http://www.apnic.net and put 218.65.30.38 in the "Whois search" field there. That tells me that the 218.64.0.0 - 218.65.127.255 block is assigned to China Telecom. If I don't expect any legitimate traffic to the server from China, I can just block the entire address range 218.64.0.0 - 218.65.127.255, so if the attacker comes from 218.65.127.58 instead of 218.65.30.38, he is still blocked.

That technique may not work for you depending on the VPN service provider or proxy server service he is using, but it is something you could consider if you know, for instance, that all of your legitimate traffic is from Canada. Even then it might become like a whack-a-mole game for a while, depending on how global a network the proxy/VPN service provider has: the attackers could switch to a VPN or proxy server the provider operates in another country once they realize that they are being blocked when using a server in a particular country. If they are script kiddies, though, they may not realize that.

Alternatively, if you are operating a website, but the DDOS traffic is some other type of traffic, i.e., not HTTP/HTTPS traffic to port 80 or 443, then you might be able to block that traffic prior to your server at a firewall you manage, if there is clearly no legitimate need for any external system to communicate with your server on the ports or using the protocols that the attackers are using.

I'd also suggest looking up what organization/company has been assigned IP addresses being used by the attackers; you can use the technique I mentioned above or just go to a website that provides whois services. E.g., you could use the Whois Lookup. It is possible that the contact information you find there won't identify the VPN or proxy server service provider, since the organization assigned the address space by the RIR may have doled out smaller chunks of the address space to others, such as a company providing the VPN or proxy server service, but you could attempt to contact the organization and notify them of the issue. If you can identify the proxy server/VPN provider and can find contact information from their website, a legitimate provider should look with disfavor on any customer using their service for such attacks. Many will state in their terms of service that using their service for such nefarious activities is a violation of their terms of service subjecting the malefactor to an immediate termination of his account and loss of any funds he has already spent for the service.

If he is using the DarkComet RAT to control PCs belonging to individual users, looking up the IP addresses through a whois search should yield the ISP. Contacting the ISP may result in the ISP blocking all network access from the infected system and would, hopefully, result in the user learning someone else can remotely control his or her system and taking measures to have the system disinfected.

moonpoint
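The range-blocking technique in moonpoint's answer, as an added example that is not code from the answer. Whois prints allocations as first - last ranges, while firewall rules want CIDR prefixes; Python's standard `ipaddress` module does that conversion, merges overlapping or adjacent prefixes, and checks whether a fresh attacker address is already covered (the 218.65.127.58 case from the answer). The 218.64.0.0 - 218.65.127.255 range and the attacker addresses are the ones quoted in the answer; the allow-list 192.0.2.0/24, standing in for addresses of known legitimate users, is an assumption for the example.

```python
"""Whois allocation range -> CIDR block set, with an allow-list that wins.

Added example, not code from the original answer. The 218.64.0.0 -
218.65.127.255 range and the attacker addresses are the ones quoted in the
answer; the allow-list 192.0.2.0/24 (documentation space standing in for
addresses of known legitimate users) is an assumption for the example.
"""
import ipaddress


def range_to_cidrs(first, last):
    """Smallest set of CIDR prefixes that exactly covers first..last.

    Whois shows ranges; firewall rules (iptables -s, netsh remoteip) take prefixes.
    """
    start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(n) for n in ipaddress.summarize_address_range(start, end)]


class RangeBlocker:
    """Block whole allocations without ever locking out the allow-list."""

    def __init__(self, allow=()):
        self.allow = [ipaddress.ip_network(a) for a in allow]
        self.block = []

    def add_range(self, first, last):
        """Add a whois range such as 218.64.0.0 - 218.65.127.255 to the block set."""
        self.block.extend(ipaddress.ip_network(c) for c in range_to_cidrs(first, last))

    def cidrs(self):
        """Block set with overlapping/adjacent prefixes merged, one rule per entry."""
        return [str(n) for n in ipaddress.collapse_addresses(self.block)]

    def decision(self, ip):
        """'allow' beats 'block'; anything else passes through to the server."""
        addr = ipaddress.ip_address(ip)
        if any(addr in n for n in self.allow):
            return "allow"
        if any(addr in n for n in self.block):
            return "block"
        return "pass"


if __name__ == "__main__":
    b = RangeBlocker(allow=["192.0.2.0/24"])
    b.add_range("218.64.0.0", "218.65.127.255")   # whole China Telecom block from whois
    print("rules needed for the range:", b.cidrs())
    for ip in ("218.65.30.38", "218.65.127.58", "218.65.128.1", "192.0.2.10"):
        print(ip, "->", b.decision(ip))
```

Two points the answer's whack-a-mole warning leads to: feed every new attacker address through `decision()` before adding anything, because if it already says `block` the existing rules are fine and the attacker simply moved inside the same allocation; and keep the allow-list checked first, since a /16 drop rule pasted straight from whois is exactly how you lock out the one legitimate player who happens to connect from that provider.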