chad101

Active Member
Jun 17, 2006
43
0
156
Last night I was unable to log in to WHM or SSH on my new DD server. I went to the admin panel Layered Technologies provides and noticed my bandwidth graph had skyrocketed. I contacted Layered Tech and this was the response I received.

Either you can:

1) Have the server disconnected until the DoS attack ceases.

2) Bind the server to your next available IP.

One, I don’t want the server disconnected. Two, how am I supposed to “bind the server to the next available IP”? I cannot log in to SSH! What should I do to prevent these DoS attacks? What can I do when someone hits the server and prevents me from logging into SSH?
 

NightStorm

Well-Known Member
Jul 28, 2003
285
4
168
cPanel Access Level
Root Administrator
If your Datacenter does not offer proper mitigation for DDoS attacks (example would be Ev1's Fireslayer Firewall), then about your only option once it starts is to, as they said... ride it out, or change IPs. Since changing IPs is not really an option for you, since you can't connect to the server in the first place, you sort of run out of options.
The problem you're facing is not a processor-based issue where the bots overload the CPU by causing your server to mass-spawn SQL and httpd processes... you're dealing with a bandwidth issue... the issue being that the attack takes it all up.
My personal suggestion would have to be to start shopping around for a Datacenter that will actually help to block DDoS attacks against your server before it even reaches your router. Otherwise, you simply place yourself at the mercy of the attacker, until such a time as the datacenter decides to bring themselves into the 21st century.
 

rsaylor

Well-Known Member
Mar 27, 2003
160
1
168
Since you are not able to access the server, ask your provider to re-subnet the server. All NOCs should be able to do that; some might charge a fee.
 

spiff06

Well-Known Member
Jan 17, 2004
87
0
156
chad101 said:
Last night I was unable to login to WHM or SSH on my new DD server.
Same issue here! No WHM, no SSH, but FTP/Exim/HTTP work fine. Is it a DDoS attack targeting these specific ports? I thought DDoS would steal all the bandwidth, including that of HTTPS and SSH!

[EDIT] Never mind, looks like it was a runaway cron/PHP process not timing out. Still, I wonder why this would affect HTTPS/SSH, but not HTTP, Exim or FTP.
 

NightStorm

Well-Known Member
Jul 28, 2003
285
4
168
cPanel Access Level
Root Administrator
Only sometimes, actually. DDoS can be used for all sorts of annoying things. To saturate bandwidth, or to cause massive server load and essentially cause it to "lose" the internet. The high load is usually caused by mass open connection requests to a specific port, like a mass brute force on SSH, or FTP, or sending thousands of bots to query a MySQL-based webpage hundreds of times. Bandwidth saturation is simply sending so much "noise" to the server that its connection is maxed out. SYN, UDP, and ICMP are notorious for this, and it won't matter what port they target in this case as it's only meant to tie up the bandwidth.
A lot of kiddies won't even care if the server goes completely offline, as they know that most datacenters place a monthly limit on the amount of traffic a website can receive, and will simply try to push the server over that limit... thereby causing a highly-overpriced penalty for overages. They will do this with single websites as well, using much the same tactic... find a large file or download, and simply have their bots query that same file over and over until, bwammo, suspended city.
The last example can be somewhat controlled through systems like mod_evasive and bandwidth throttling (some download modules offer this, otherwise you may have to look into third-party systems like Squid). Even then, it's only good for so long... 2000 bots will cripple your server's bandwidth whether you have mod_evasive and bandwidth throttling in place or not. The other examples, sadly, can only be blocked by the datacenter at their primary router. As I mentioned, the Fireslayer firewall that is used by Ev1 is a great example of this. It monitors packets at a higher level than your server, and will engage when it detects a flood coming in. And what's an added bonus is that most of these systems kick in before your server's switch, so any excess bandwidth from the attack doesn't get added to your total.
If your Datacenter is not willing to work with you to help prevent these occurrences (the off-site ones, that is) and they themselves are not properly protected from DDoS, then you should probably start peeking at the competition and see what they have to offer. There are literally hundreds of Datacenters out there, and it's a heavily competing market... it shouldn't be hard to find the same, or even a better plan than the one you are on now, but also have the added bonus of DDoS filtering.
 

chad101

Active Member
Jun 17, 2006
43
0
156
Awesome, I installed mod_evasive and API firewall. Will Fireslayer firewall work w/ API firewall or will they conflict?
 

NightStorm

Well-Known Member
Jul 28, 2003
285
4
168
cPanel Access Level
Root Administrator
Fireslayer is something only offered at Ev1 (maybe ThePlanet now too, since the merger took place). It's a top-level Firewall... it catches packets as they enter the Datacenter, long before it gets to your server. So the chance of any conflict is impossible, due to the difference of at least several hundred feet of cable. Basically, it makes sure that during a DDoS that would normally consume all your available bandwidth, you can still reach your sites and services... your server is only affected for the first second or two of the attack.
Be warned that with mod_evasive, the user is still successfully connecting to your server, and is still successfully using up some bandwidth... especially with custom error pages in place. All it does is keep them from reaching the actual site... they are instead forwarded to the error page. And any on-server firewall is only good so long as you have the available bandwidth to filter it anyway. It's nothing these days to encounter a botnet that can pump out over 500 mb/s in traffic. If your line can't carry that sort of noise, then any firewall on that server, even with all the best settings in the world, won't be able to keep that server online.
Any true DDoS would need to be captured and filtered by your Datacenter. And if LayeredTech isn't willing to work with you, then you're paying too much for the service you're not getting.
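As an added illustration of the two points NightStorm makes about mod_evasive in the posts above (it trips on repeated hits to one page or to the site within a short interval, and a client it blocks is still connecting and still eating bandwidth on the error page), here is a small log analyser. It is example code written for this thread, not mod_evasive's own source and not anything the participants posted; the threshold names mirror mod_evasive's DOSPageCount/DOSPageInterval/DOSSiteCount/DOSSiteInterval directives, the blocking semantics are an approximation of the module's, and the log lines, IP addresses and URIs are constructed for the demo.

```python
"""Detect mod_evasive-style request floods in Apache access logs.

Added example for the forum discussion above; not mod_evasive's code.
Two thresholds are checked, roughly as mod_evasive does:
  * more than page_count hits on the same URI within page_interval seconds
  * more than site_count hits on any URI within site_interval seconds
Bytes are totalled per client regardless of whether it was flagged, to show
that a "blocked" client still consumes bandwidth on every error page.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    size = m.group("bytes")
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z"),
        "uri": m.group("uri"),
        "status": int(m.group("status")),
        "bytes": 0 if size == "-" else int(size),
    }


class FloodDetector:
    # Defaults follow mod_evasive's documented defaults (2/1 and 50/1).
    def __init__(self, page_count=2, page_interval=1, site_count=50, site_interval=1):
        self.page_count, self.page_interval = page_count, page_interval
        self.site_count, self.site_interval = site_count, site_interval
        self.page_hits = defaultdict(deque)   # (ip, uri) -> recent timestamps
        self.site_hits = defaultdict(deque)   # ip -> recent timestamps
        self.bytes_by_ip = defaultdict(int)   # ip -> bytes served, blocked or not
        self.flagged = {}                     # ip -> reason it was flagged

    @staticmethod
    def _push(window, ts, interval):
        """Add ts to a sliding window and drop entries older than interval seconds."""
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > interval:
            window.popleft()
        return len(window)

    def feed(self, rec):
        ip = rec["ip"]
        # Count bandwidth first: the error page still costs bytes on the wire.
        self.bytes_by_ip[ip] += rec["bytes"]
        if ip in self.flagged:
            return
        n = self._push(self.page_hits[(ip, rec["uri"])], rec["ts"], self.page_interval)
        if n > self.page_count:
            self.flagged[ip] = f"{n} hits on {rec['uri']} within {self.page_interval}s"
            return
        n = self._push(self.site_hits[ip], rec["ts"], self.site_interval)
        if n > self.site_count:
            self.flagged[ip] = f"{n} hits on the site within {self.site_interval}s"


def analyze(log_text, **thresholds):
    """Run the detector over a log excerpt; returns (flagged, bytes_by_ip)."""
    det = FloodDetector(**thresholds)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            det.feed(rec)
    return det.flagged, dict(det.bytes_by_ip)


# Constructed sample: one normal visitor, and one client hammering a large
# download (the "same file over and over" pattern) that gets 403s once blocked.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2006:22:15:01 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2006:22:15:01 -0500] "GET /style.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2006:22:15:02 -0500] "GET /logo.png HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jun/2006:22:15:01 -0500] "GET /downloads/big.iso HTTP/1.1" 200 734003200 "-" "bot"
198.51.100.23 - - [10/Jun/2006:22:15:01 -0500] "GET /downloads/big.iso HTTP/1.1" 200 734003200 "-" "bot"
198.51.100.23 - - [10/Jun/2006:22:15:01 -0500] "GET /downloads/big.iso HTTP/1.1" 200 734003200 "-" "bot"
198.51.100.23 - - [10/Jun/2006:22:15:02 -0500] "GET /downloads/big.iso HTTP/1.1" 403 1024 "-" "bot"
198.51.100.23 - - [10/Jun/2006:22:15:02 -0500] "GET /downloads/big.iso HTTP/1.1" 403 1024 "-" "bot"
"""

if __name__ == "__main__":
    flagged, usage = analyze(SAMPLE_LOG)
    for ip, why in flagged.items():
        print(f"flag {ip}: {why}")
    for ip, total in usage.items():
        print(f"{ip} pulled {total} bytes (counted whether flagged or not)")
```

The normal visitor never trips either threshold because each URI is fetched once; the second client is flagged on its third request for the same file within one second, yet its byte total keeps growing through the 403 responses, which is exactly why an on-server filter cannot save a saturated uplink.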
 

chad101

Active Member
Jun 17, 2006
43
0
156
Makes sense. My problem is I'm having a hard time finding another company who offers DD servers at the price I'm paying. For $115 a month I have this...

OS: CentOS 3.x
Hardware: AMD Sempron 2600/1024MB/200GB
Control Panel: cPanel w/ RVSkins + Fantastico

The setup fee was only 19 bucks, and most datacenters want 99.99 alone for the setup fee.
 

NightStorm

Well-Known Member
Jul 28, 2003
285
4
168
cPanel Access Level
Root Administrator
From that, you would have to review how much time your server spends unreachable due to the datacenter's unwillingness to properly protect the machines in their building from a DDoS attack.
As I mentioned, there are dozens of datacenters out there who will do everything they can to assure that your server stays online, even when an attack is targeted at it... and from that list, there are many who will not even put the bandwidth used in a DDoS on your server's monthly total. If you get hit by a flood at your current host, do they credit you for the bandwidth you are going through during these attacks?