Server Under Attack. DDOS Protection Tips / Detecting Entry?


May 25, 2010
My server is currently being DOS'd / DDOS'd and the attack has lasted for around 48 hours now.

When the attack first began, my server went completely down / connection timeout issues on all the pages on my site. At this point I had no firewall installed; this type of thing has never happened to me before, and SSH sounds more like a type of drug than anything else to me!!!

I managed to install CSF onto my system and since then it has slowly filtered out 70 IPs (over around the last 40 hours).

Now I simply cannot find where the traffic is coming in from. There is nothing in my raw access logs. I have run the 2 queries below in SSH / Putty, but they aren't showing many active connections:

netstat -plan |grep :80 | awk '{print $5}' |cut -d: -f1 |sort |uniq -c |sort -n
netstat -plan | awk '{print $5}' |cut -d: -f1 |sort |uniq -c |sort -n

But still my server is spitting out 3.2MBPS constantly. This attack is eating away at my bandwidth badly and I'm not too sure what to do from here.

Could anyone with experience in the matter help to lower this amount / completely stop the attack (probably not possible but still a nice idea!)?
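
An added example, not part of the original post: a tally of `netstat -an` rows that goes beyond the pipelines quoted above by keeping the protocol and TCP state, and by stripping only the trailing port so IPv6 and IPv4-mapped (`::ffff:`) peers are counted instead of collapsing to an empty field under `cut -d: -f1`. The function names `tally_conns` and `sample_netstat` are assumptions, and the sample rows are constructed from documentation address ranges.

```shell
#!/bin/sh
# Added example: count sockets per remote address, protocol and TCP state.
# Live use on the server:  netstat -an | tally_conns

tally_conns() {
    awk '
        $1 !~ /^(tcp|udp)/ { next }            # skip headers and unix sockets
        {
            remote = $5
            sub(/:[^:]*$/, "", remote)         # drop only the trailing :port
            sub(/^::ffff:/, "", remote)        # unwrap IPv4-mapped IPv6
            if (remote == "0.0.0.0" || remote == "::") next   # listeners
            state = ($1 ~ /^tcp/) ? $6 : "-"   # UDP rows carry no state column
            count[remote " " $1 " " state]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed sample input in the layout `netstat -an` prints on Linux.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           203.0.113.5:51000       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:51001       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:51002       SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40000      ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.9:42000 ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8::beef:43000    TIME_WAIT
udp        0      0 0.0.0.0:53              0.0.0.0:*
unix  2      [ ACC ]     STREAM     LISTENING     1234     /run/x.sock
EOF
}

# Columns printed: count, remote address, protocol, state.
sample_netstat | tally_conns
```

Rows in `SYN_RECV` are half-open TCP connections, so a high count there for one address is worth comparing against the firewall's block list. The tally only covers sockets the kernel is tracking; traffic that never becomes a socket does not appear in `netstat` at all.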