
This is a discussion on DDOS, sigh! in the VPS & Dedicated forum

  1. #1
    spr
    Loyal Client
    Join Date
    Jun 2006
    Posts
    71

    DDOS, sigh!

    My site has been down for almost 24 hours, can't even do anything (well, I did 1 thing: install the DOS-Deflate script, doesn't help much tho). This is the biggest and longest DDOS attack on the site so far..... Some people need to get a life.

    (I'm not here to complain, I understand JPC can't do much to help. Just feel bored.)
    Last edited by spr; 10-13-2006 at 06:15 PM.

  2. #2
    Vin DSL
    Yeah, I know a LOT!
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Um...

    I assume this is in Atlanta...

    What server are you on, and at what time of day does this take place... or is it a sustained attack?

    I've recently been moved to Atlanta, and I swear... at certain times of day, I could swear a DDOS is taking place, based on a priori knowledge. That is, the server is mad slow, but loads are like .03 or whatever, e.g. it's sitting idle. This is the hallmark of DDOS -- getting tied up with HTTP requests that do nothing but deny service.
    DISCLAIMER Any resemblance between the views expressed above and those of the owners and operators of this system is purely coincidental. Any resemblance between these views and my own are non-deterministic. The existence of Vin DSL is questionable. The existence of views in the absence of anyone to hold them is problematic. The existence of the reader is left as an exercise in the second-order coefficient.

    No Guts, No Story! VinDSL © 2010

  3. #3
    spr
    Loyal Client
    Join Date
    Jun 2006
    Posts
    71
    Call me a noob but I don't know how JaguarPC names their servers, venus and whatsoever *_*. They never told me the name of the server I'm on, and erm I didn't really care enough to try to find out.

    Anyway, the Apache server has had around 150 - 200 connections since yesterday, and the site is just simply... gone. I can even guess who has been doing that, but that doesn't help much, does it? This guy or group of people (or kids?) have been going around hacking/attacking quite a lot of sites, and my site suffers at least 2 attacks/month from them (Oct up time: 93.174%). But this is by far the longest down time.

    Actually, they got my admin password (using a trojan) a few days ago, I realized that quite fast so nothing so bad happened. Then they got 1 of my forum's supermod passes, they deleted everything, I had JaguarPC restore the database for me. And right after the site went back up we have suffered this attack till now. They seem to really want to bring us down this time.

    BTW, does anyone know if JaguarPC's Managed dedicated server plans have any affordable DDOS monitor service or something like that? (not the 999/month I saw on some sites, just can't afford that)
    Last edited by spr; 10-13-2006 at 01:50 PM.

  4. #4
    Loyal Client
    Join Date
    Sep 2001
    Location
    Wichita, KS
    Posts
    1,647
    Who did you piss off?

  5. #5
    spr
    Loyal Client
    Join Date
    Jun 2006
    Posts
    71
    I would feel better if I did piss them off, in fact I don't know them in real life, I have never had any conversation on the net or in real life with them.

  6. #6
    Loyal Client
    Join Date
    Sep 2001
    Location
    Wichita, KS
    Posts
    1,647
    that sucks, do you know who's doing it by any chance?

  7. #7
    Vin DSL
    Yeah, I know a LOT!
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Quote Originally Posted by mattsiegman View Post
    that sucks, do you know who's doing it by any chance?
    Doesn't really matter...

    If it keeps up, 'spr' will get the boot!

    This is SOP at most web hosts!

  8. #8
    spr
    Loyal Client
    Join Date
    Jun 2006
    Posts
    71
    Whoever it is, this is really irritating to me (and probably the host too).
    Just a moment ago:
    "The remote system 211.21.9.90 was found to have exceeded acceptable
    login failures on vps.***.***; there was 125 events to the
    service sshd. As such the attacking host has been banned from further
    accessing this system. For the integrity of your host you should investigate
    this event as soon as possible."

    Err, well... I'm taking the server down for a while.
    Last edited by spr; 10-14-2006 at 03:27 AM.

  9. #9
    Loyal Client
    Join Date
    Sep 2001
    Location
    Wichita, KS
    Posts
    1,647
    maybe you could just block that IP completely from accessing your server with the firewall?

    I don't exactly know how, but I'm sure it can be done.

  10. #10
    spr
    Loyal Client
    Join Date
    Jun 2006
    Posts
    71
    I have the firewall and brute-force detector installed, and have received like 10 warnings today. But the guys in the support team said that's okie and normal so I may just leave it that way...

  11. #11
    spr
    Loyal Client
    Join Date
    Jun 2006
    Posts
    71
    BTW, does anyone know how they attack a site?
    I am assuming they send requests to a specific file on the site such as index.php?

  12. #12
    Ron
    Loyal Client
    Join Date
    Aug 2002
    Posts
    7,312
    I wrote this earlier and decided against posting it, but now....

    I'm not sure we're talking about a DDoS or any kind of DoS attack; that would have tens/hundreds/thousands of millions of attacks.

    Sounds like someone is trying to hack into your root account using, at best, a brute force approach. This happens all the time.

    Is this what you mean? That someone keeps trying to get into your root account?

  13. #13
    spr
    Loyal Client
    Join Date
    Jun 2006
    Posts
    71
    Both, someone is trying to brute-force the root account + sending a huge amount of requests to the site to kill the server. It can't be normal when you have 500+ guest users on the forum board just continuously requesting the index page.

  14. #14
    Ron
    Loyal Client
    Join Date
    Aug 2002
    Posts
    7,312
    That's painful.

    Have you checked your logs to see if you've been slash-dotted or something? See where the referrals are coming from?

    How about changing index.php to index2.php, and setting up a fake index.php file in the forum's root directory, with just a link to index2.php. The fake index.php will also have code in it to check the referrer string and if it (partially) matches your forum's URL will automatically redirect to index2.php.

    When your human visitors do anything that brings them back to the (fake) index.php it will first check the referrer string. If it's a match it will send them there. If not it will give the manual link to index2.php.

    When the bots come-a-callin', they won't be smart enough to click the link (especially if it is someone just using spoofed IPs- they NEVER see the page you present).

    Another approach would be to substitute every occurrence of "index." in phpBB with "index2.", but only when it was referring to the URL, kinda tricky to do that quickly.

    Unfortunately, if there's really someone out to get you and they come back to your site to see what damage they're causing, they'll know to change their attack to index2.php.

    But at least you'll know if someone's after you, or if you've just been slash-dotted or something else.

    Good luck...
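
Added example (not part of Ron's post, and not phpBB code): a sketch of the fake index.php described in post #14, in PHP because the forum is phpBB. FORUM_HOST is an assumed hostname, and the check compares the parsed Referer host exactly rather than the partial URL match the post suggests; since the header is client-supplied, the gate only filters tools that send no referrer.

```php
<?php
// Added example: the fake index.php gate from post #14.
// FORUM_HOST is an assumed value, not taken from the thread.

const FORUM_HOST = 'forum.example.com'; // assumption: the forum's own hostname
const REAL_INDEX = 'index2.php';        // renamed phpBB entry page from the post

/**
 * True when the Referer header names our own host. The header is supplied
 * by the client, so this separates simple request floods from browsers
 * navigating inside the forum, and nothing more.
 */
function referer_is_own_site(?string $referer): bool
{
    if ($referer === null || $referer === '') {
        return false;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    // Compare the parsed host exactly. A substring match on the whole URL
    // would also accept a foreign URL that merely contains the forum's name.
    return is_string($host) && strcasecmp($host, FORUM_HOST) === 0;
}

if (referer_is_own_site($_SERVER['HTTP_REFERER'] ?? null)) {
    // Internal navigation: hand the visitor to the real page.
    header('Location: ' . REAL_INDEX, true, 302);
    exit;
}

// No matching referrer: serve a tiny static page instead of running phpBB,
// so a request that stops here triggers no forum code or database work.
header('Content-Type: text/html; charset=utf-8');
header('Cache-Control: no-store');
$link = htmlspecialchars(REAL_INDEX, ENT_QUOTES, 'UTF-8');
echo "<!DOCTYPE html>\n<title>Forum</title>\n";
echo "<p><a href=\"{$link}\">Enter the forum</a></p>\n";
```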

  15. #15
    spr
    Loyal Client
    Join Date
    Jun 2006
    Posts
    71
    I even changed the folder, and hence dodged the attacks for several hours, then the guy got me again. I'm pretty sure that someone out there is going all out just to kill off the site. I'm working on the script that will automatically rename the folder + let the real users know when being attacked.
