Questions tagged [ddos]
A distributed denial of service attack (DDoS) occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. These systems are compromised by attackers using a variety of methods.
629 questions
191 votes, 5 answers, 28k views
I am under DDoS. What can I do?
This is a Canonical Question about DoS and DDoS mitigation.
I found a massive traffic spike on a website that I host today; I am getting thousands of connections a second and I see I'm using all ...
49 votes, 7 answers, 64k views
How can I prevent a DDOS attack on Amazon EC2?
One of the servers I use is hosted on the Amazon EC2 cloud. Every few months we appear to have a DDOS attack on this server. This slows the server down incredibly. After around 30 minutes, and ...
23 votes, 9 answers, 73k views
Server under DDOS attack - How to find out IPs?
My server is under DDOS attacks and I want to block the IP that is doing it, what logs should I be looking for to determine the attacker's IP?
20 votes, 5 answers, 5k views
How is it possible for the Root Name Servers to handle all DNS requests?
I was reading about DNS some days ago and learned how the requests are processed.
If you surf to www.example.com, then a request will go to the Root Name Servers to see who owns that .com address, ...
20 votes, 1 answer, 43k views
What is an open DNS resolver, and how can I protect my server from being misused by hackers?
I don't have the strongest background in computer security, but yesterday one of my company servers was shut down by our host.
It's a server assigned a public IP where I host several web-service ...
18 votes, 7 answers, 5k views
How can I protect SSH?
I check /var/log/secure and I have these logs:
Jul 9 13:02:56 localhost sshd[30624]: Invalid user admin from 223.196.172.1 port 37566
Jul 9 13:02:57 localhost sshd[30624]: Connection closed by ...
16 votes, 3 answers, 4k views
Dealing with NTP reflection attacks in IPTables
We're dealing with an NTP reflection / amplification attack at our colocated servers. This question is specific to responding to NTP reflection attacks, and not directed at DDoS in general.
Here's ...
16 votes, 9 answers, 9k views
Public Facing Recursive DNS Servers - iptables rules
We run public-facing recursive DNS servers on Linux machines. We've been used for DNS amplification attacks. Are there any recommended iptables rules that would help mitigate these attacks?
The ...
14 votes, 2 answers, 3k views
Is it possible to have a secondary managed DNS provider to quickly delegate to when DDOS attack on our *primary* external DNS provider happens?
So our DNS provider, every so often, experiences DDOS attacks on their systems that causes our front-facing web sites to go down.
What are some options in terms of reducing dependency on a SINGLE ...
14 votes, 8 answers, 17k views
bind: blackhole for invalid recursive queries?
I have a name server that's publicly accessible since it is the authoritative name server for a couple of domains.
Currently the server is flooded with faked type ANY requests for isc.org, ripe.net ...
12 votes, 6 answers, 95k views
Tools for simulating DDoS attacks [closed]
I wanted to test my website if it can sustain strong DDoS's, but I don't know which tools could I use to simulate them in my website. What tools are used to simulate DDoS?
I found bonesi but it was ...
12 votes, 3 answers, 806 views
DNS down in Anonymous attack
As I'm writing this our company website and the web-service we developed are down in the big GoDaddy outage resulting from an Anonymous attack (or so says Twitter).
We used GoDaddy as our registrar ...
11 votes, 1 answer, 3k views
Amplified reflected attack on DNS servers
The term Amplified reflected attack is new to me, and I have a few questions about it.
I've heard it mostly happens with DNS servers - is that true?
How do you protect against it?
How do you know if ...
11 votes, 6 answers, 933 views
DDoS. Are we that helpless? [duplicate]
With recent DDoS incidents related to wikileaks, I can't help but feel that pretty much all sites online are very vulnerable to such attacks. Visa, MasterCard (to name a few) have shut down because of ...
10 votes, 4 answers, 5k views
Amazon EC2 bandwidth charges in case of unwanted incoming traffic(ddos/flood)?
What happens if my EC2 instance gets ddosed/flooded, which could potentially go up to tens of gigabytes an hour (and even more) of undesired incoming traffic, will I be charged for this traffic?
My ...
10 votes, 3 answers, 10k views
Does "TARPIT" have any known vulnerabilities or downsides?
TARPIT can be used to waste an attacker's resources, thus slowing down their attacks and lowering their ability to attack other hosts... looks like a good idea.
It is provided as a Netfilter addon and ...
10 votes, 2 answers, 1k views
Site has been under a massive DDOS attack for 5 weeks now
One of my sites has been getting attacked for over 5 weeks. I'm currently employing serverorigin.com proxy services to fight it, since doing it on the server proved to be futile.
They tell me that the ...
9 votes, 8 answers, 22k views
How to prevent a LOIC (DDOS) attack? [duplicate]
The program LOIC (in the news a lot the last days) causes a lot of damage. What can I do on my server to prevent this kind of attacks? Auto-block ip when receive a strange connection? Because mostly ...
9 votes, 1 answer, 11k views
Apache logs flooded with connections - "(via ggpht.com GoogleImageProxy)"
My server was running on 100% CPU and looking at the Apache logs I saw hundreds of thousands of connections that looked like this:
10.190.45.31 - - [13/Mar/2014:15:29:02 +0000] "GET SOMETHING HTTP/1....
9 votes, 2 answers, 4k views
Protecting against Keep-Dead Denial of service
I thought my server was safe with http-guardian but apparently not. Some smart arse keeps hitting my server with 'Keep-Dead' and causing it to crash.
I've looked through the logs but can't see ...
9 votes, 4 answers, 1k views
Stopping a DOS attack
One of the sites I work with has recently started to get DoS'd. It started out at 30k RPS and now it's at 50k/min. The IP's are pretty much all unique, not in the same subnet, and are in multiple ...
8 votes, 3 answers, 2k views
RedStation.com is heaven for ddos attackers, How to file complaint? [closed]
Sorry, I don't know where to open this subject.
This is not the first time we have faced with a massive DDOS attack from one of servers in RedStation.com and even after we had contacted with their ...
8 votes, 3 answers, 41k views
iptables rules to counter the most common DoS attacks? [closed]
Recently I've got a lot of small scale DoS attacks. I am wondering what iptables rules should I use to counter the most common DoS attacks, and generally secure my web server.
The web server sports ...
8 votes, 1 answer, 11k views
many graceful restarts in httpd error log?
Our server was down, and we restarted the services (nginx & httpd), and when I look at the logs, I've found these lines, there are so many Graceful restart requested, doing restart lines, what's ...
7 votes, 1 answer, 3k views
measures to take against a dns amplification attack
I recently discovered that my server was being used as part of a DNS DDOS. Basically, my BIND setup allowed recursion, and it was used to attack a certain IP address using IP spoofing.
I took the ...
6 votes, 6 answers, 6k views
lots of dns requests from China, should I worry?
I have turned on dns query logs, and when running "tail -f /var/log/syslog" I see that I get hundreds of identical requests from a single ip address:
Apr 7 12:36:13 server17 named[26294]: client 121....
6 votes, 2 answers, 18k views
Stop DoS attacks with an IP tables rule?
I was wondering if I could prevent small (D)DoS attacks with a simple IP tables rule?
By small I mean that they are flooding my web server with about 400+ requests from one or two IP addresses. I ...
6 votes, 1 answer, 42k views
How can I detect a DDoS attack using pfSense so I can tell my ISP who to block? [duplicate]
Last week my network was hit by a DDoS attack which completely saturated our 100 MBps link to the internet and pretty much shut down all the sites and services we host.
I understand (from this ...
6 votes, 2 answers, 3k views
How do I understand my CPU usage on a DNS server?
I have read and understood Can you help me with my capacity planning?, but I'm not sure I understand what my next steps are in a DNS server scenario. I think my CPU loads are high or that I might be ...
6 votes, 2 answers, 2k views
DDOS attack - How to prevent [duplicate]
Recently I read about Denial of Service attack on Amazon & PayPal. I am curious that how this is performed. These big companies must have huge servers, so DOS would require billions of bots to ...
6 votes, 2 answers, 3k views
SYN Flood Advice
Today I've been dealing with a server suffering from what looked like a SYN flood attack. It was a bit of a rush to get the site back online, so we did these three steps to bring the service back to a ...
6 votes, 1 answer, 11k views
/usr/bin/host being used in HTTP DDoS on Debian? [duplicate]
So I got an abuse complaint for one of my dedicated servers, running Debian 6.0
Sure enough, sometimes, top shows /usr/bin/host using a lot of CPU for no apparent reason, and netstat shows process ...
6 votes, 5 answers, 2k views
DDoS Protection Services - are they good enough? [duplicate]
First of all, I understand that it's better to have DDoS protections on data center level. But our DC is not ready to provide good quality of protection. So we are thinking about using some external DDoS ...
6 votes, 1 answer, 38k views
Snort rules for syn flood / ddos? [duplicate]
Can someone provide me rules to detect the following attack:
hping3 -S -p 80 --flood --rand-source [target]
I'm having problem with rules since packet comes from random source.
My current rules is:
...
6 votes, 1 answer, 3k views
DDoS and Heroku [duplicate]
I use Heroku as my hosting solution. So, if some bad man attacks my site with DDoS, what should I do?
5 votes, 3 answers, 1k views
100mb/s upgrade to 1gbps network - To Prevent DDOS [duplicate]
I have been under constant DDOS attack the last couple of weeks.
Now it seems my servers network is being flooded till it just doesn't have space anymore to receive and send normal packages.
I run ...
5 votes, 3 answers, 5k views
DDOS using ntp server
I've heard about a new kind of DDOS where ntp is used for reflection.
My questions are really simple:
Can you please give details on how they work and clarify? Since ntp is run over UDP, I suppose ...
5 votes, 2 answers, 1k views
Web site kills hard disk I/O, how to prevent?
The situation: I have a server, on which we have 2-3 projects. Starting not long ago, the server started hanging up (We could not connect to it by ssh, and the connected clients had to wait 20 minutes ...
5 votes, 3 answers, 562 views
Correct way to handle security threats to web server on budget [closed]
During our annual security review I was reminded of an incident earlier this year where we received a threat to our organization's web server. It was over an organization policy and threatened to DDoS ...
5 votes, 4 answers, 4k views
Mitigate DDoS attack with HAProxy [duplicate]
We were targeted earlier today by a DDoS attack. There was 20x as many connections as normal on our load balancer (HAProxy), and all the backend nodes continued to go down during this attack.
System ...
5 votes, 3 answers, 2k views
How can I block a specific type of DDoS attack?
My site is being attacked and is using up all the RAM. I looked at the Apache logs and every malicious hit seems to simply be a POST request on /, which is never required by a normal user.
So I ...
5 votes, 3 answers, 9k views
What is a good way to detect DoS and DDoS in Fail2Ban?
I am configuring Fail2Ban on my Ubuntu web server to prevent it from being a victim of DoS / DDoS. I don't want to use Cloudflare because I have to route my DNS over and use their SSL cert.
...
5 votes, 5 answers, 4k views
How can I defend against a DRDoS exploiting NTP server on an ESXi host?
Recently, we had some problems with one of our ESXi servers, caused by the NTP Server DRDoS Amplification Attack using ntpdc.
How do I configure the NTP server on ESXi to not be exposed to this DDoS ...
5 votes, 3 answers, 9k views
How to block null/blank user-agents in IIS 7.5
We are going through a large scale DDOS attack, but it isn't the typical bot-net that our Cisco Guard can handle, it is a BitTorrent attack. This is new to me, so I am unsure how to stop it.
Here ...
5 votes, 2 answers, 170 views
DDoS attack case study - Korean election watchdog's site [closed]
Is it possible to break only some of a web site services using DDoS?
For example, disabling only the search feature of a specific website.
I raise this question following a controversy in South ...
5 votes, 1 answer, 189 views
How to minimise effect of mischievous, persistent POST requests
For a few months now one of our shared hosting servers has been persistently and constantly hammered by "POST /" requests from what must be hundreds of thousands of individual IPs. On a number of ...
4 votes, 5 answers, 3k views
My server was reported to hoster abuse to perform ddos attacks. What should I do?
I do not see anything suspicious on the server (no netstat connections to remote 80 port), but I'm not a professional server admin (I'm a hardcore software developer). Please do not write obvious ...
4 votes, 2 answers, 960 views
Is it possible to find the actual source IP of a packet with a spoofed IP header?
I recently came under a DDoS attack. It was a SYN flood using spoofed IPs. Is it at all possible to trace the attack back to the actual sending server?
4 votes, 6 answers, 35k views
How long do DDoS attacks last? [duplicate]
I realize the answer to this question will vary, which is why I'm asking it. If you've suffered a DDoS attack before - how long did it last?
Just trying to get an idea of how long we'll have to ...
4 votes, 1 answer, 36k views
How to configure mod_reqtimeout in Apache2
I need to configure mod_reqtimeout in my Apache server v2.2.22 (in a linux machine). Problem is, I have absolutely no clue on how to do it.
I checked the Apache site on this module at this link but ...