sumi21kav

Hi,

We have had one of our shared servers under DDoS almost every day for the last few days.
From the info I have from my DC, it is a UDP flood attack with a large amount of small packages.

We did try to change the server IP, but the attack has moved to the new IP. It looks like they are targeting some website on this server, but I'm unable to find why.

What is your experience: how can we protect ourselves, or how is it possible to find the account that is being attacked so we can move/remove it?

Thanks
Eftim
 

24x7server

Hello,

I suggest you install the CSF firewall on your server and configure it, and if you are still facing the same issue with the CSF firewall, then you will have to enable a hardware firewall for your server.
 

quizknows

> Hello,
>
> I suggest you install the CSF firewall on your server and configure it, and if you are still facing the same issue with the CSF firewall, then you will have to enable a hardware firewall for your server.

That's not really going to help for a serious UDP flood. These attacks can saturate a network connection and a basic software/hardware firewall cannot do anything at all to prevent that. He needs to figure out what site is being attacked or get the attack mitigated by a 3rd party or data center provider.

Eftim, your options are to either start moving groups of sites to alternate IP addresses (a lot of work) to figure out what site is being attacked, or get DDoS protection from someone like Cloudflare (or even better, move to a host that offers real DDoS mitigation in-house). DDoS mitigation is not cheap, but if your business depends on it you might not have a choice. There are some hosts with the capability to detect and mitigate these attacks before the traffic makes it to your server.

You can also see if you have any high-risk clients. Most attacked sites in my experience are gaming websites, gambling websites, or forums. In the past I've seen gaming websites get DoS attacked a lot by their competitors. If your hosting provider does not offer DDoS mitigation, then if you have extra dedicated IP addresses I would move any sites like this to those IP addresses to see if the attack follows.
 

cPanelMichael

Administrator
Staff member
> From the info I have from my DC, it is a UDP flood attack with a large amount of small packages.

I recommend considering the options presented in the previous post. You may also want to consult with your data center to see if they offer any protections for this type of attack.

Thank you.
 

sumi21kav

> I recommend considering the options presented in the previous post. You may also want to consult with your data center to see if they offer any protections for this type of attack.
>
> Thank you.

Hello,

Thanks to all for the replies.

I decided to move some of the websites to their own dedicated IPs. I face the issue that when I change the website IP, I get the cPanel default page until the DNS has propagated; this leads to 24h of downtime. Any suggestions on how to solve this issue?

Additionally, I can only set one website per IP. For 200 websites I will need 200 IPs, and that is a lot.
If possible, I want to move groups of 5 websites per IP, but I did not find how to do this. Any suggestions on this?
I know I can create a reseller account and assign a reseller shared IP, but I think that is not really a good idea or the correct way to do this.

Thanks
Eftim
 

cPanelMichael

Administrator
Staff member
You may want to try clearing the browser and DNS cache on your machine after changing the IP address. It's likely just an issue with DNS propagation. Another workaround for assigning multiple accounts to a new IP address is to temporarily make the new IP address the main shared IP of the server.

Thank you.
 

quizknows

Making reseller IP's is really the only "easy" way to put multiple sites on each IP.

Regarding less downtime, if you lower the TTL values of your DNS records, then let that sit for a day, you can usually move the site with only 5-10 minutes of downtime.
 

sumi21kav

> ... Another workaround for assigning multiple accounts to a new IP address is to temporarily make the new IP address the main shared IP of the server.
>
> Thank you.

I will try this. Will I have an issue with the cPanel license when I change the main shared IP? And where/how do I change this? Just by editing it in Basic Settings, or do I need to make some other changes?

> Making reseller IP's is really the only "easy" way to put multiple sites on each IP.
>
> Regarding less downtime, if you lower the TTL values of your DNS records, then let that sit for a day, you can usually move the site with only 5-10 minutes of downtime.

Yeah, I remember this, but I need to wait 24h now, and that gives me 24h more downtime because of this DDoS. I was hoping for a quick fix. But anyway, it looks like this is the only solution I could find.


Here is another thing I remembered. What if they are not attacking a user website; what if they are attacking the name servers' IP, which is the same as the websites' IP? Can I change the NS IP to any free IP on the server without downtime? If yes, do I just need to change the A record and edit the host at my domain registrar?
 

quizknows

For changing nameserver IP, yes, edit the A record and update at your registrar. You'll want to update the nameserver IP's in WHM as well but that's not too hard.

The only "quick" fix is if your hosting data center offers DDoS mitigation. Otherwise, I'd advise migrating to one that does, since that's usually cheaper than a 3rd party DoS protection provider (which also requires more DNS changes).
 

sumi21kav

> For changing nameserver IP, yes, edit the A record and update at your registrar. You'll want to update the nameserver IP's in WHM as well but that's not too hard.
>
> The only "quick" fix is if your hosting data center offers DDoS mitigation. Otherwise, I'd advise migrating to one that does, since that's usually cheaper than a 3rd party DoS protection provider (which also requires more DNS changes).

I'm fixed with the server location. It must be in MK, and no data center in MK offers DDoS protection, so I'm not in a good situation.
We have had a server in MK for several years with no DDoS issue so far. This is the first, and a big one.
 

acenetgeorge

What port is being hit? If it is UDP port 53, try blocking it with CSF. If there are still issues, you could disable security logging in the named.conf file. Other ports may need other mitigation.
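
Added example (not part of the original posts): one way to answer "what port is being hit?", and to see which IP a flood follows once sites have been spread over several addresses, is to summarise a short `tcpdump` capture by destination IP and UDP port. The capture lines, addresses and function names below are constructed for illustration, and the interface name `eth0` in the comment is an assumption.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: rank UDP destinations seen in the
# text output of `tcpdump -nn udp`. On a live server (interface name is an
# assumption):  tcpdump -nn -c 20000 -i eth0 udp | udp_targets | head

# Constructed sample capture using documentation addresses (not real traffic).
sample_capture() {
cat <<'EOF'
12:00:01.000101 IP 198.51.100.7.40211 > 192.0.2.10.80: UDP, length 18
12:00:01.000115 IP 203.0.113.9.51873 > 192.0.2.10.80: UDP, length 18
12:00:01.000131 IP 198.51.100.44.1025 > 192.0.2.10.80: UDP, length 20
12:00:01.000140 IP 203.0.113.77.33012 > 192.0.2.10.80: UDP, length 16
12:00:01.000152 IP 198.51.100.7.40212 > 192.0.2.10.80: UDP, length 18
12:00:01.000300 IP 203.0.113.9.40000 > 192.0.2.11.27015: UDP, length 40
12:00:01.000410 IP 198.51.100.9.51000 > 192.0.2.12.443: Flags [S], seq 1, win 64240, length 0
EOF
}

# stdin: tcpdump lines. stdout: "packets avg_payload_bytes dst_ip dst_port",
# busiest destination first. Non-UDP and non-IPv4 lines are skipped.
udp_targets() {
  awk '
    $2 == "IP" && $4 == ">" && /UDP, length [0-9]+$/ {
      dst = $5
      sub(/:$/, "", dst)                 # "192.0.2.10.80:" -> "192.0.2.10.80"
      if (split(dst, p, /\./) != 5) next # expect a.b.c.d.port
      key = p[1] "." p[2] "." p[3] "." p[4] " " p[5]
      pkts[key]++
      bytes[key] += $NF                  # payload length is the last field
    }
    END {
      for (k in pkts) printf "%d %d %s\n", pkts[k], int(bytes[k] / pkts[k]), k
    }' | sort -k1,1nr -k3,3
}

# Convenience: only the busiest destination.
top_target() { udp_targets | head -n 1; }

sample_capture | udp_targets
```

A destination with a very high packet count and a tiny average payload matches the flood described in the first post; the destination IP narrows the search to the accounts hosted on that address, and the port shows whether a service such as DNS is the target.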
 

cPanelMichael

Administrator
Staff member
> I will try this. Will I have an issue with the cPanel license when I change the main shared IP? And where/how do I change this? Just by editing it in Basic Settings, or do I need to make some other changes?

You can simply edit the main shared IP address in "Web Host Manager >> Basic cPanel & WHM Setup". This does not change the main IP address used for license purposes, just the main shared IP used for new accounts or IP changes.

Thank you.