Change Server IP Addresses because of DDOS Attacks

CoolMike

Well-Known Member
Sep 6, 2001
Hi

We had in the last days some very ugly DDoS attacks and need to change the server IP addresses. What's the best way to go, to have as little downtime as possible? We are using 2 IPs on this server, both have shared hosting customers and some resellers. I have the following changes in my mind:

- Change server IP under "General Settings"
- Change cPanel license for the new IP
- Use the "Change IP Wizard" in WHM to change the IP for all the accounts
- correct the IPs of the nameserver in WHM
- correct the IPs of the nameserver at the domain registrar

The question is, am I missing something, and which would be the right order?

Will there be any downtime?

Michael
 

AndyReed

Well-Known Member
PartnerNOC
May 29, 2004
Minneapolis, MN
We had in the last days some very ugly DDoS attacks and need to change the server IP addresses. What's the best way to go, to have as little downtime as possible?
The best way is to get a good hardware-based firewall such as Cisco Guard or Juniper NetScreen 50. What makes you sure that the DDoS attack is targeting your IPs and not your hostname(s)? We have seen some DDoS attacks targeting the hostname. In addition, are you sure that your server is under DDoS attack? If your server is under DDoS attack, your server will be down. Just in case, you can read about different forms of attack at:
http://www.servertune.com/kbase/security/attacks.html
 

CoolMike

Well-Known Member
Sep 6, 2001
We are already using a Cisco PIX 515 firewall, and the firewall is so overloaded that the whole network is not reachable anymore. We already had a security company checking our firewall configuration, but they did not find the reason yet. When we bypass the firewall everything is working, and Chirpy's software firewall is blocking the IP addresses on this server as soon as more than 200 connections from the same IP are established.

The attack is coming from a lot of different IP addresses around the world. Some IPs have more than 2000 connections to this one server.

According to the logfiles, the attack is against the IP address and not a hostname.

Michael
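The post above describes a software firewall that blocks a source once it holds more than 200 connections to the server. The following is an added example, not code from the thread or from any firewall product mentioned in it, showing how that per-source count can be derived from `netstat -an`-style output so an admin can see which sources are over the threshold before (or instead of) blocking them. The sample output is constructed; the IPs are documentation ranges, not addresses from the thread.

```python
from collections import Counter

# Constructed netstat-style lines (not real output from the thread).
# Format mirrors "netstat -ant": proto recv send local foreign state.
def _line(remote_ip, remote_port, local_port=80, state="ESTABLISHED"):
    return (f"tcp        0      0 203.0.113.10:{local_port:<6} "
            f"{remote_ip}:{remote_port:<6} {state}")

SAMPLE_NETSTAT = "\n".join(
    # one source with 250 connections to port 80 (over the 200 threshold)
    [_line("198.51.100.7", p) for p in range(40000, 40250)]
    # a normal client with 3 connections
    + [_line("192.0.2.44", p) for p in (51000, 51001, 51002)]
    # connections to another port, counted separately when filtering by port
    + [_line("198.51.100.9", p, local_port=110) for p in range(42000, 42050)]
    # a closed connection that should not count as an open one
    + [_line("192.0.2.45", 53000, state="TIME_WAIT")]
)

def parse_connections(netstat_output):
    """Yield (local_port, remote_ip, state) for each TCP connection line."""
    for raw in netstat_output.splitlines():
        fields = raw.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        local, foreign, state = fields[3], fields[4], fields[5]
        # rsplit on the last ':' so IPv6 addresses (many colons) still parse
        local_port = int(local.rsplit(":", 1)[1])
        remote_ip = foreign.rsplit(":", 1)[0]
        yield local_port, remote_ip, state

def count_connections(netstat_output, local_port=None, states=("ESTABLISHED",)):
    """Count open connections per remote IP, optionally only for one local port."""
    counts = Counter()
    for lport, rip, state in parse_connections(netstat_output):
        if state not in states:
            continue
        if local_port is not None and lport != local_port:
            continue
        counts[rip] += 1
    return counts

def over_threshold(counts, threshold=200):
    """Return [(ip, n), ...] for sources holding more than `threshold` connections."""
    return sorted(((ip, n) for ip, n in counts.items() if n > threshold),
                  key=lambda t: -t[1])

if __name__ == "__main__":
    counts = count_connections(SAMPLE_NETSTAT)
    for ip, n in over_threshold(counts):
        print(f"{ip} has {n} open connections (over threshold)")
```

On a live box the same functions can be fed the output of `netstat -ant` through `subprocess`; the point of keeping the parser separate from the threshold check is that you can lower or raise the threshold per port (web ports tolerate more connections per client than POP3) without touching the parsing.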
 

brianoz

Well-Known Member
Mar 13, 2004
Melbourne, Australia
cPanel Access Level
Root Administrator
According to the logfiles, the attack is against the IP address and not a hostname.
That doesn't sound right...

Which logfile were you looking at? Most logfiles log only the IP address; the only way you can know an attack is specifically against an IP is by checking against DNS lookups, and you can't check that unless you have specifically turned on DNS logging.
 

CoolMike

Well-Known Member
Sep 6, 2001
It's the access log on the server and the firewall log, but you are fully right, I would not be able to find out if it is the hostname or the IP address.

But in this case I don't see a way to find out if it is the hostname or the IP, right?

Maybe the change of the server IP will not solve the problem, but there is at least a chance.

Michael
 

brianoz

Well-Known Member
Mar 13, 2004
Melbourne, Australia
cPanel Access Level
Root Administrator
If you know which IP is being attacked, you can try the following strategy. Take all the domains on the IP being attacked and spread them out over a range of IPs. Leave no domains on the IP being attacked. Then, watch to see if the attack switches to a new IP - it will be one of the domains in the group on that IP. Repeat this process with the domains on the new IP being attacked until you know which domain. You should be able to find the domain in 12 hours or so with this process - maybe less.

You should set the TTLs down to 1200 or so during the process to accelerate finding the IP being attacked. Note that you may get some residual attack on the original IP for a while as the old DNS entries time out.

Kind of a primitive technique, and there are some other things you can do, such as turn on named logging, then watch for a name resolution followed by a new attack source. This takes some knowledge though and I've never done it in practice although I know some do.
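The strategy in the post above is a search over the domains: spread the candidates over the free IPs, see which IP the attack follows, keep only that group, and repeat. The following is an added example (not brianoz's code or anything from cPanel) that implements that loop so the number of rounds, and what happens when the attack does not follow any domain, can be reasoned about before touching DNS. The `observe_attacked_ip` callback stands in for the admin reading the firewall or connection counts after each move; here it is simulated. Domain names and IPs are constructed.

```python
def spread_domains(domains, free_ips):
    """Assign domains round-robin over the free IPs (the attacked IP is left empty)."""
    groups = {ip: [] for ip in free_ips}
    for i, domain in enumerate(sorted(domains)):
        groups[free_ips[i % len(free_ips)]].append(domain)
    return groups

def locate_target(domains, free_ips, observe_attacked_ip):
    """Narrow the candidate domains down to the one the attack follows.

    observe_attacked_ip(groups) must return the IP that is now under attack,
    or None if the attack stayed on the old (now empty) IP. In practice this
    is the admin checking after the TTL has expired; here it is a callback.
    Returns (domain_or_None, rounds_used).
    """
    candidates = list(domains)
    rounds = 0
    while len(candidates) > 1:
        groups = spread_domains(candidates, free_ips)
        rounds += 1
        attacked = observe_attacked_ip(groups)
        if attacked not in groups or not groups[attacked]:
            # Attack did not move with any domain: it targets the IP itself
            # (or the hostname), so moving domains will not help.
            return None, rounds
        candidates = groups[attacked]
    return (candidates[0] if candidates else None), rounds

def rounds_needed(n_domains, n_free_ips):
    """Rounds required in the worst case: groups shrink by about n_free_ips each round."""
    rounds, remaining = 0, n_domains
    while remaining > 1:
        remaining = -(-remaining // n_free_ips)  # ceiling division
        rounds += 1
    return rounds

def simulated_observer(target_domain):
    """Observer for a simulation where the attack follows `target_domain`."""
    def observe(groups):
        for ip, domains in groups.items():
            if target_domain in domains:
                return ip
        return None
    return observe

# Constructed scenario: 40 domains on the attacked IP, 4 spare IPs available.
DOMAINS = [f"site{i:02d}.example" for i in range(1, 41)]
FREE_IPS = ["203.0.113.21", "203.0.113.22", "203.0.113.23", "203.0.113.24"]

if __name__ == "__main__":
    found, rounds = locate_target(DOMAINS, FREE_IPS, simulated_observer("site17.example"))
    print(f"target {found} located in {rounds} rounds "
          f"(worst case {rounds_needed(len(DOMAINS), len(FREE_IPS))})")
```

With 40 domains and 4 spare IPs the search finishes in three moves; each move costs at least one TTL (the 1200 seconds suggested above) plus the time the old records take to drain, which is why lowering TTLs beforehand matters more than the number of spare IPs. The `None` return is the case the thread keeps circling back to: if the attack stays on the emptied IP, the target is the address or hostname, not a customer domain.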
 

IPSecureNetwork

Well-Known Member
May 28, 2005
DDoS

Buddy... the Cisco PIX is not a good firewall to stop any DDoS attack. You need two things.
First, a good firewall with a traffic analyzer, like NetZentry or Cisco Guard. These firewalls will analyze your traffic and separate the good traffic from the bad traffic, but that is not all the job. The second thing you need is good rules on the box. Good rules to stop the DDoS-based service attacks... A good way to limit the attacks is to rate-limit connections to specific ports, like 80, 110, 443, 3306 etc. But all depends in the first place on your datacenter implementing the first step.

Good luck with your issue.

If you need a good datacenter with this kind of protection, let me know. Good luck!
 

katmai

Well-Known Member
Mar 13, 2006
Brno, Czech Republic
First of all, I would recommend a datacenter with good DDoS filtering protection. That is the first step; I mean, if the DDoS is filling up your pipe, there is not much you can do, because you simply can't handle all that traffic.

Getting the servers into a DDoS-protected network with good peering should pretty much do the trick, and the cash you already spent on routers and firewalls could go to some other use :)
 

tweakservers

Well-Known Member
Mar 30, 2006
You may try brianoz's suggestion of spreading those domains over different IP addresses, as the DDoS might be targeting one of your domains. Changing the shared IP is not a good way if the attack is going to your hostname. You may wish to run tcpdump on your server's network traffic as well.