
Questions tagged [ddos]

A distributed denial of service attack (DDoS) occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. These systems are compromised by attackers using a variety of methods.

191 votes
5 answers
28k views

I am under DDoS. What can I do?

This is a Canonical Question about DoS and DDoS mitigation. I found a massive traffic spike on a website that I host today; I am getting thousands of connections a second and I see I'm using all ...
Falcon Momot
  • 25.4k
49 votes
7 answers
64k views

How can I prevent a DDOS attack on Amazon EC2?

One of the servers I use is hosted on the Amazon EC2 cloud. Every few months we appear to have a DDOS attack on this server. This slows the server down incredibly. After around 30 minutes, and ...
cwd
  • 2,793
23 votes
9 answers
73k views

Server under DDOS attack - How to find out IPs?

My server is under DDOS attacks and I want to block the IP that is doing it, what logs should I be looking for to determine the attacker's IP?
Ben
  • 3,870
20 votes
5 answers
5k views

How is it possible for the Root Name Servers to handle all DNS requests?

I was reading about DNS some days ago and learned how the requests are processed. If you surf to www.example.com, then a request will go to the Root Name Servers to see who owns that .com address, ...
Rox
  • 441
20 votes
1 answer
43k views

What is an open DNS resolver, and how can I protect my server from being misused by hackers?

I don't have the strongest background in computer security, but yesterday one of my company servers was shut down by our host. It's a server assigned a public IP where I host several web-service ...
JSideris
  • 323
18 votes
7 answers
5k views

How can I protect SSH?

I check /var/log/secure and I have these logs: Jul 9 13:02:56 localhost sshd[30624]: Invalid user admin from 223.196.172.1 port 37566 Jul 9 13:02:57 localhost sshd[30624]: Connection closed by ...
Ali
  • 191
16 votes
3 answers
4k views

Dealing with NTP reflection attacks in IPTables

We're dealing with an NTP reflection / amplification attack at our colocated servers. This question is specific to responding to NTP reflection attacks, and not directed at DDoS in general. Here's ...
Jeff Atwood
  • 13.2k
16 votes
9 answers
9k views

Public Facing Recursive DNS Servers - iptables rules

We run public-facing recursive DNS servers on Linux machines. We've been used for DNS amplification attacks. Are there any recommended iptables rules that would help mitigate these attacks? The ...
David Schwartz
14 votes
2 answers
3k views

Is it possible to have a secondary managed DNS provider to quickly delegate to when DDOS attack on our *primary* external DNS provider happens?

So our DNS provider, every so often, experiences DDOS attacks on their systems that causes our front-facing web sites to go down. What are some options in terms of reducing dependency on a SINGLE ...
Emmel
  • 211
14 votes
8 answers
17k views

bind: blackhole for invalid recursive queries?

I have a name server that's publicly accessible since it is the authoritative name server for a couple of domains. Currently the server is flooded with faked type ANY requests for isc.org, ripe.net ...
Udo G
  • 453
12 votes
6 answers
95k views

Tools for simulating DDoS attacks [closed]

I wanted to test my website if it can sustain strong DDoS's, but I don't know which tools could I use to simulate them in my website. What tools are used to simulate DDoS? I found bonesi but it was ...
Jürgen Paul
  • 1,285
12 votes
3 answers
806 views

DNS down in Anonymous attack

As I'm writing this our company website and the web-service we developed are down in the big GoDaddy outage resulting from an Anonymous attack (or so says Twitter). We used GoDaddy as our registrar ...
Tal Weiss
  • 223
11 votes
1 answer
3k views

Amplified reflected attack on DNS servers

The term Amplified reflected attack is new to me, and I have a few questions about it. I've heard it mostly happens with DNS servers - is that true? How do you protect against it? How do you know if ...
Mike Janson
11 votes
6 answers
933 views

DDoS. Are we that helpless? [duplicate]

With recent DDoS incidents related to wikileaks, I can't help but feel that pretty much all sites online are very vulnerable to such attacks. Visa, MasterCard (to name a few) have shut down because of ...
xjq233p_1
  • 243
10 votes
4 answers
5k views

Amazon EC2 bandwidth charges in case of unwanted incoming traffic(ddos/flood)?

What happens if my EC2 instance gets ddosed/flooded, which could potentially go up to tens of gigabytes an hour (and even more) of undesired incoming traffic, will I be charged for this traffic? My ...
Shinnok
  • 349
10 votes
3 answers
10k views

Does "TARPIT" have any known vulnerabilities or downsides?

TARPIT can be used to waste an attacker's resources, thus slowing down their attacks and lowering their ability to attack other hosts... looks like a good idea. It is provided as a Netfilter addon and ...
10 votes
2 answers
1k views

Site has been under a massive DDOS attack for 5 weeks now

One of my sites has been getting attacked for over 5 weeks. I'm currently employing serverorigin.com proxy services to fight it, since doing it on the server proved to be futile. They tell me that the ...
9 votes
8 answers
22k views

How to prevent a LOIC (DDOS) attack? [duplicate]

The program LOIC (in the news a lot the last days) causes a lot of damage. What can I do on my server to prevent this kind of attacks? Auto-block ip when receive a strange connection? Because mostly ...
9 votes
1 answer
11k views

Apache logs flooded with connections - "(via ggpht.com GoogleImageProxy)"

My server was running on 100% CPU and looking at the Apache logs I saw hundreds of thousands of connections that looked like this: 10.190.45.31 - - [13/Mar/2014:15:29:02 +0000] "GET SOMETHING HTTP/1....
user967722
9 votes
2 answers
4k views

Protecting against Keep-Dead Denial of service

I thought my server was safe with http-guardian but apparently not. Some smart arse keeps hitting my server with 'Keep-Dead' and causing it to crash. I've looked through the logs but can't see ...
9 votes
4 answers
1k views

Stopping a DOS attack

One of the sites I work with has recently started to get DoS'd. It started out at 30k RPS and now it's at 50k/min. The IPs are pretty much all unique, not in the same subnet, and are in multiple ...
William
  • 357
8 votes
3 answers
2k views

RedStation.com is heaven for ddos attackers, How to file complaint? [closed]

Sorry, I don't know where to open this subject. This is not the first time we have faced with a massive DDOS attack from one of servers in RedStation.com and even after we had contacted with their ...
Ehsan
  • 247
8 votes
3 answers
41k views

iptables rules to counter the most common DoS attacks? [closed]

Recently I've got a lot of small scale DoS attacks. I am wondering what iptables rules should I use to counter the most common DoS attacks, and generally secure my web server. The web server sports ...
alfish
  • 3,177
8 votes
1 answer
11k views

many graceful restarts in httpd error log?

Our server was down, and we restarted the services (nginx & httpd), and when I look at the logs, I've found these lines, there are so many Graceful restart requested, doing restart lines, what's ...
ɹɐqʞɐ zoɹǝɟ
7 votes
1 answer
3k views

measures to take against a dns amplification attack

I recently discovered that my server was being used as part of a DNS DDOS. Basically, my BIND setup allowed recursion, and it was used to attack a certain IP address using IP spoofing. I took the ...
Waleed Hamra
6 votes
6 answers
6k views

lots of dns requests from China, should I worry?

I have turned on dns query logs, and when running "tail -f /var/log/syslog" I see that I get hundreds of identical requests from a single ip address: Apr 7 12:36:13 server17 named[26294]: client 121....
nn4l
  • 1,346
6 votes
2 answers
18k views

Stop DoS attacks with an IP tables rule?

I was wondering if I could prevent small (D)DoS attacks with a simple IP tables rule? By small I mean that they are flooding my web server with about 400+ requests from one or two IP addresses. I ...
Josh Foskett
6 votes
1 answer
42k views

How can I detect a DDoS attack using pfSense so I can tell my ISP who to block? [duplicate]

Last week my network was hit by a DDoS attack which completely saturated our 100 MBps link to the internet and pretty much shut down all the sites and services we host. I understand (from this ...
Josh
  • 9,258
6 votes
2 answers
3k views

How do I understand my CPU usage on a DNS server?

I have read and understood Can you help me with my capacity planning?, but I'm not sure I understand what my next steps are in a DNS server scenario. I think my CPU loads are high or that I might be ...
Andrew B
  • 33.2k
6 votes
2 answers
2k views

DDOS attack - How to prevent [duplicate]

Recently I read about Denial of Service attack on Amazon & PayPal. I am curious how this is performed. These big companies must have huge servers, so DOS would require billions of bots to ...
ashmish2
  • 375
6 votes
2 answers
3k views

SYN Flood Advice

Today I've been dealing with a server suffering from what looked like a SYN flood attack. It was a bit of a rush to get the site back online, so we did these three steps to bring the service back to a ...
Coops
  • 6,125
6 votes
1 answer
11k views

/usr/bin/host being used in HTTP DDoS on Debian? [duplicate]

So I got an abuse complaint for one of my dedicated servers, running Debian 6.0 Sure enough, sometimes, top shows /usr/bin/host using a lot of CPU for no apparent reason, and netstat shows process ...
Moritz von Schweinitz
6 votes
5 answers
2k views

DDoS Protection Services - are they good enough? [duplicate]

First of all, I understand that it's better to have DDoS protections on data center level. But our DC is not ready to provide good quality of protection. So we are thinking about using some external DDoS ...
Tonik
  • 61
6 votes
1 answer
38k views

Snort rules for syn flood / ddos? [duplicate]

Can someone provide me rules to detect the following attack: hping3 -S -p 80 --flood --rand-source [target] I'm having problem with rules since packet comes from random source. My current rules is: ...
NoodleX
  • 183
6 votes
1 answer
3k views

DDoS and Heroku [duplicate]

I use Heroku as my hosting solution. So, if some bad man attacks my site with DDoS, what should I do?
5 votes
3 answers
1k views

100mb/s upgrade to 1gbps network - To Prevent DDOS [duplicate]

I have been under constant DDOS attack the last couple of weeks. Now it seems my server's network is being flooded till it just doesn't have space anymore to receive and send normal packages. I run ...
Mr.Boon
  • 1,481
5 votes
3 answers
5k views

DDOS using ntp server

I've heard about a new kind of DDOS where ntp is used for reflection. My questions are really simple: Can you please give details on how they work and clarify? Since ntp is run over UDP, I suppose ...
5 votes
2 answers
1k views

Web site kills hard disk I/O, how to prevent?

The situation: I have a server, on which we have 2-3 projects. Starting not long ago, the server started hanging up (We could not connect to it by ssh, and the connected clients had to wait 20 minutes ...
Taras Voinarovskyi
5 votes
3 answers
562 views

Correct way to handle security threats to web server on budget [closed]

During our annual security review I was reminded of an incident earlier this year where we received a threat to our organization's web server. It was over an organization policy and threatened to DDoS ...
lswim
  • 183
5 votes
4 answers
4k views

Mitigate DDoS attack with HAProxy [duplicate]

We were targeted earlier today by a DDoS attack. There was 20x as many connections as normal on our load balancer (HAProxy), and all the backend nodes continued to go down during this attack. System ...
Matt Beckman
  • 1,522
5 votes
3 answers
2k views

How can I block a specific type of DDoS attack?

My site is being attacked and is using up all the RAM. I looked at the Apache logs and every malicious hit seems to simply be a POST request on /, which is never required by a normal user. So I ...
Mark
  • 367
5 votes
3 answers
9k views

What is a good way to detect DoS and DDoS in Fail2Ban?

I am configuring Fail2Ban on my Ubuntu web server to prevent it from being a victim of DoS / DDoS. I don't want to use Cloudflare because I have to route my DNS over and use their SSL cert. ...
John Doe
  • 365
5 votes
5 answers
4k views

How can I defend against a DRDoS exploiting NTP server on an ESXi host?

Recently, we had some problems with one of our ESXi servers, caused by the NTP Server DRDoS Amplification Attack using ntpdc. How do I configure the NTP server on ESXi to not be exposed to this DDoS ...
fefe
  • 367
5 votes
3 answers
9k views

How to block null/blank user-agents in IIS 7.5

We are going through a large scale DDOS attack, but it isn't the typical bot-net that our Cisco Guard can handle, it is a BitTorrent attack. This is new to me, so I am unsure how to stop it. Here ...
Jeremy Boyd
5 votes
2 answers
170 views

DDoS attack case study - Korean election watchdog's site [closed]

Is it possible to break only some of a web site services using DDoS? For example, disabling only the search feature of a specific website. I raise this question following a controversy in South ...
Wonil
  • 155
5 votes
1 answer
189 views

How to minimise effect of mischievous, persistent POST requests

For a few months now one of our shared hosting servers has been persistently and constantly hammered by "POST /" requests from what must be hundreds of thousands of individual IPs. On a number of ...
Richard Maynard
4 votes
5 answers
3k views

My server was reported to hoster abuse to perform ddos attacks. What should I do?

I do not see anything suspicious on the server (no netstat connections to remote 80 port), but I'm not a professional server admin (I'm a hardcore software developer). Please do not write obvious ...
Nikolay R
  • 143
4 votes
2 answers
960 views

Is it possible to find the actual source IP of a packet with a spoofed IP header?

I recently came under a DDoS attack. It was a SYN flood using spoofed IPs. Is it at all possible to trace the attack back to the actual sending server?
Rob
  • 2,453
4 votes
6 answers
35k views

How long do DDoS attacks last? [duplicate]

I realize the answer to this question will vary, which is why I'm asking it. If you've suffered a DDoS attack before - how long did it last? Just trying to get an idea of how long we'll have to ...
sbuck
  • 391
4 votes
1 answer
36k views

How to configure mod_reqtimeout in Apache2

I need to configure mod_reqtimeout in my Apache server v2.2.22 (in a linux machine). Problem is, I have absolutely no clue on how to do it. I checked the Apache site on this module at this link but ...
Riju Mahna
