How to Stop DDOS Attacks or Protect my CPanel Server from DDOS Attacks?

piyushmaheswari

Hello dear buddies!
Currently a DDoS is continuously going on against my server.
The DDoS sucked my server.
Someone is doing a DDoS on UDP ports, and due to this HTTP shows a "Connection was reset by peer" issue. This is the main problem: when someone opens cPanel, WHM or their site, they face the "Connection was reset" issue, and sometimes while connecting to SSH I also see a "connection was reset by peer" issue.
Let me tell you what is happening to me:
Bro, every day at 5:00 - 5:15 PM (IST) my server goes down.
Before 5:00 - 5:15 PM everything is working fine: the server is pinging, HTTP is working fine, TCP ports are connected, and UDP ports show Connection refused (I checked all of these at check-host.net).
But after 5:00 - 5:15 the server suddenly stops pinging; HTTP, UDP and TCP ports show Connection timed out; sites, cPanels and WHMs show Connection timed out. After some minutes the server starts pinging again and TCP ports are connected, but UDP ports show Opened or Filtered (as I said, before 5:00 - 5:15 PM the UDP ports show Connection refused) but HTTP shows Connection was reset by peer.
That means when UDP ports show Connection refused, HTTP works fine, but when UDP ports show Opened or Filtered, HTTP shows Connection was reset by peer.
I think someone is doing a DDoS.
I asked many people; they said that it is a DDoS attack.

When I asked my server provider, they gave me these packages -

Direction IN
Internal [ My Server IP ]
Threshold Packets 200.000 packets/s
Sum 60.276.000 packets/300s (200.920 packets/s), 24.820 flows/300s (82 flows/s), 75,310 GByte/300s (2.056 MBit/s)

And also yesterday there was a 5 Gbit/s DDoS on my server.
My server is a dedicated server on Hetzner and the server's configuration is -
E3-1246v3
CPU 8 core 3.90ghz
9781 benchmark
32gb ram hdd
2*2tb HDD disk
1ipv4

These are running on my server:
cPanel
CloudLinux
LiteSpeed
ConfigServer Firewall
Imunify360

Anyone, please tell me: is this due to a DDoS attack, and how do I stop these DDoS attacks or protect my cPanel server from DDoS attacks? (I know some people say to add a hardware firewall or take DDoS protection from Hetzner, but it's too costly for me. Someone please tell me how to stop these DDoS attacks. Is there any plugin or system?)

GOT

If you assume that they are attacking your server IP directly, and that is what it sounds like, there really is no way to stop a DDoS attack at the server level. The traffic levels alone are overwhelming the server and it's not possible for your server to also act as a filter for that traffic. This kind of attack has to happen upstream of the server by a device or system designed to filter and block traffic before it gets to your server.

If you know what domain triggered the attack then you can try putting it behind Cloudflare and changing the DNS; however, this will likely be of little effect because at this point they already have your IP. If it's a dumb attack, then this could help and within a day or so the domain-based traffic will get routed to Cloudflare.

cPanelLauren

@GOT is correct; if this is an IP-based attack, even the normal mitigation steps of utilizing Cloudflare will not be useful. CSF has some port flooding and connection tracking features that may prove slightly useful, but a DDoS attack directed at your server's IP is best mitigated by the provider/datacenter.
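
Added example, not part of any post in this thread: a parser for the provider flow report quoted in the first post, which compares the aggregate rate with the per-source rates so you can see how little of the flood any host-level per-IP block would cover. The Threshold and Sum lines are the ones from the thread; the External lines, the function names and the documentation addresses are constructed for illustration.

```python
import re

# Sample in the provider report's format. The Threshold and Sum lines are the
# ones quoted in the thread; the External lines are constructed and use
# documentation addresses (RFC 5737), not real sources.
REPORT = """\
Threshold Packets 200.000 packets/s
Sum 60.276.000 packets/300s (200.920 packets/s), 24.820 flows/300s (82 flows/s), 75,310 GByte/300s (2.056 MBit/s)
External 192.0.2.10, 150.000 packets/300s (500 packets/s), 40 flows/300s (0 flows/s), 0,180 GByte/300s (4 MBit/s)
External 198.51.100.7, 120.000 packets/300s (400 packets/s), 35 flows/300s (0 flows/s), 0,150 GByte/300s (4 MBit/s)
External 203.0.113.99, 90.000 packets/300s (300 packets/s), 30 flows/300s (0 flows/s), 0,110 GByte/300s (2 MBit/s)
"""

STATS = re.compile(r"([\d.,]+) packets/300s \(([\d.,]+) packets/s\).*?"
                   r"([\d.,]+) GByte/300s \(([\d.,]+) MBit/s\)")
THRESHOLD = re.compile(r"Threshold Packets ([\d.,]+) packets/s")

def de_num(text):
    """Report uses '.' for thousands and ',' for decimals: '75,310' -> 75.31."""
    return float(text.replace(".", "").replace(",", "."))

def parse_report(report):
    """Return (threshold_pps, totals, {source_ip: stats}) for one report."""
    threshold, total, sources = None, None, {}
    for line in report.splitlines():
        if (t := THRESHOLD.search(line)):
            threshold = de_num(t.group(1))
        if not (m := STATS.search(line)):
            continue
        packets, pps, gbyte, mbit = (de_num(g) for g in m.groups())
        row = {"packets": packets, "pps": pps, "gbyte": gbyte, "mbit": mbit}
        if line.startswith("Sum"):
            total = row
        elif line.startswith("External"):
            sources[line.split()[1].rstrip(",")] = row
    return threshold, total, sources

def summarize(report):
    """Aggregate view: is the threshold exceeded, and how concentrated is it?"""
    threshold, total, sources = parse_report(report)
    listed = sum(s["packets"] for s in sources.values())
    return {
        "over_threshold": total["pps"] >= threshold,
        "total_pps": total["pps"],
        "max_source_pps": max(s["pps"] for s in sources.values()),
        "listed_share": listed / total["packets"],  # fraction from listed IPs
        "avg_packet_bytes": total["gbyte"] * 1e9 / total["packets"],
    }
```

A low `listed_share` together with a `max_source_pps` far below `total_pps` means the traffic is spread over many sources, so filtering has to happen upstream of the server, as the replies say.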