
Shared server under DDOS

Discussion in 'Security' started by sumi21kav, Oct 28, 2013.

  1. sumi21kav

    sumi21kav Member

    Hi,

    One of our shared servers has been under DDoS almost every day for the last few days.
    From the info I have from my DC, it is a UDP flood attack with a large number of small packets.

    We did try to change the server IP but the attack has moved to the new IP. It looks like they are targeting some website on this server but I'm unable to find out why.

    What is your experience: how can we protect ourselves, or how is it possible to find the account that is being attacked so we can move/remove it?

    Thanks
    Eftim
     
  2. 24x7server

    24x7server Well-Known Member

    Hello,

    I suggest you install the CSF firewall on your server and configure it, and if you are still facing the same issue with the CSF firewall, then you will have to enable a hardware firewall for your server.
     
  3. quizknows

    quizknows Well-Known Member

    That's not really going to help for a serious UDP flood. These attacks can saturate a network connection and a basic software/hardware firewall cannot do anything at all to prevent that. He needs to figure out what site is being attacked or get the attack mitigated by a 3rd party or data center provider.

    Eftim, your options are to either start moving groups of sites to alternate IP addresses (a lot of work) to figure out what site is being attacked, or get DDoS protection from someone like Cloudflare (or even better, move to a host that offers real DDoS mitigation in-house). DDoS mitigation is not cheap, but if your business depends on it you might not have a choice. There are some hosts with the capability to detect and mitigate these attacks before the traffic makes it to your server.

    You can also see if you have any high-risk clients. Most attacked sites in my experience are gaming websites, gambling websites, or forums. In the past I've seen gaming websites get DoS attacked a lot by their competitors. If your hosting provider does not offer DDoS mitigation, then if you have extra dedicated IP addresses, I would move any sites like this to those IP addresses to see if the attack follows.
     
    #3 quizknows, Oct 29, 2013
    Last edited: Oct 29, 2013
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    I recommend considering the options presented in the previous post. You may also want to consult with your data center to see if they offer any protections for this type of attack.

    Thank you.
     
  5. sumi21kav

    sumi21kav Member

    Hello,

    Thanks to all for the replies.

    I decided to move some of the websites to their own dedicated IPs. I face the issue that when I change the website IP, I get the cPanel default page until the DNS has propagated; this leads to 24h of downtime. Any suggestions on how to solve this issue?

    Additionally, I can only set one website per IP. For 200 websites I will need 200 IPs and that is a lot.
    If possible, I want to move groups of 5 websites per IP, but I did not find how to do this. Any suggestions on this?
    I know I can create a reseller account and assign a reseller shared IP, but I think that is not really a good idea or the correct way to do this.

    Thanks
    Eftim
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    You may want to try clearing the browser and DNS cache on your machine after changing the IP address. It's likely just an issue with DNS propagation. Another workaround for assigning multiple accounts to a new IP address is to temporarily make the new IP address the main shared IP of the server.

    Thank you.
     
  7. quizknows

    quizknows Well-Known Member

    Making reseller IPs is really the only "easy" way to put multiple sites on each IP.

    Regarding less downtime, if you lower the TTL values of your DNS records, then let that sit for a day, you can usually move the site with only 5-10 minutes of downtime.
     
  8. sumi21kav

    sumi21kav Member

    I will try this. Will I have an issue with the cPanel license when I change the main shared IP? And where/how do I change this? Just editing in Basic Settings, or do I need to make some other changes?

    Yeah, I remember this, but I need to wait 24h now and that gives me 24h more downtime because of this DDoS. I was hoping for a quick fix. But anyway, it looks like this is the only solution I could find.


    Here is another thing I remember. What if they are not attacking a user website; what if they are attacking the name servers' IP, which is the same as the websites' IP? Can I change the NS IP to any free IP on the server without downtime? If yes, do I just need to change the A record and edit the host at my domain registrar?
     
  9. quizknows

    quizknows Well-Known Member

    For changing nameserver IP, yes, edit the A record and update at your registrar. You'll want to update the nameserver IPs in WHM as well but that's not too hard.

    The only "quick" fix is if your hosting data center offers DDoS mitigation. Otherwise, I'd advise migrating to one that does, since that's usually cheaper than a 3rd party DoS protection provider (which also requires more DNS changes).
     
  10. sumi21kav

    sumi21kav Member

    I'm fixed with the server location. It must be in MK, and no data center in MK offers DDoS protection, so I'm not in a good situation.
    We have had a server in MK for several years but no DDoS issue so far. This is the first and a big one.
     
  11. acenetgeorge

    acenetgeorge Well-Known Member
    PartnerNOC

    What port is being hit? If it is UDP port 53, try blocking it with CSF. If there are still issues, you could disable security logging in the named.conf file. Other ports may need other mitigation.
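
Added example (not part of the thread, and not cPanel or CSF code): one way to answer "what port is being hit?" and to see which server IP the flood follows after sites are moved, by tallying `tcpdump -nn udp` text output per destination IP and port. The sample capture lines, the addresses (documentation ranges) and the `LOCAL_IPS` set are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the text format printed by `tcpdump -nn udp`.
SAMPLE = """\
10:00:00.000001 IP 198.51.100.7.40112 > 203.0.113.10.53: UDP, length 18
10:00:00.000002 IP 198.51.100.8.40113 > 203.0.113.10.53: UDP, length 18
10:00:00.000003 IP 198.51.100.9.1025 > 203.0.113.10.53: UDP, length 18
10:00:00.000004 IP 198.51.100.7.40114 > 203.0.113.10.53: UDP, length 18
10:00:00.000005 IP 192.0.2.44.5060 > 203.0.113.11.123: NTPv4, Client, length 48
10:00:00.000006 IP 203.0.113.10.53 > 198.51.100.7.40112: UDP, length 60
10:00:00.000007 ARP, Request who-has 203.0.113.10 tell 203.0.113.1, length 46
"""

# Assumption: the IPs bound on this server (shared IP plus one dedicated IP).
LOCAL_IPS = {"203.0.113.10", "203.0.113.11"}

# "<time> IP <src>.<sport> > <dst>.<dport>: ..." for IPv4 packets.
HDR = re.compile(r" IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): ")

def tally(lines, local_ips):
    """Count inbound packets and distinct source IPs per (local IP, dest port)."""
    packets = Counter()
    sources = defaultdict(set)
    for line in lines:
        m = HDR.search(line)
        if not m:
            continue  # ARP, IPv6 or truncated lines
        src, _sport, dst, dport = m.groups()
        if dst not in local_ips:
            continue  # outbound replies or traffic for another host
        key = (dst, int(dport))
        packets[key] += 1
        sources[key].add(src)
    return packets, sources

def report(lines, local_ips, top=5):
    """Rows of (ip, port, packets, distinct_sources, percent_of_inbound)."""
    packets, sources = tally(lines, local_ips)
    total = sum(packets.values())
    return [(ip, port, n, len(sources[(ip, port)]), round(100 * n / total, 1))
            for (ip, port), n in packets.most_common(top)]

if __name__ == "__main__":
    for row in report(SAMPLE.splitlines(), LOCAL_IPS):
        print("%-15s udp/%-5d packets=%d sources=%d share=%.1f%%" % row)
```

Comparing the report before and after a group of sites is moved to another IP shows whether the traffic followed that group or stayed on the original address.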
     
  12. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    You can simply edit the main shared IP address in "Web Host Manager >> Basic cPanel & WHM Setup". This does not change the main IP address used for license purposes, just the main shared IP used for new accounts or IP changes.

    Thank you.
     