New Kind Of DDos Attack From Dc++ Hubs
			Jan 5, 2007
				I had a pretty hectic week dealing with these 3 customers with ddos problems and got to try a few different ddos datacenters for each of them. 
First I got these two anime sites, I put them on mine and a friends staminus box as soon as their dns resolved 1000s of ips came through sending syn on port 80, it would just knock port 80 out filling up contrack table, etc. Id ban a few hundred ips and some ranges 100s more would come. In the bandwidth it only shows about 200kbs incoming as well.
We had put in an emergency ticket with staminus and was told bascially we are idiots and that only 4 packets per second were coming into the server, I was looking at the tcpdump and the kernel was dropping 10-20 thousand packets a second just from the ips id banned. 
So after a day or two of this of saying we didnt have an attack I moved them to a gigeservers vps I got from funtoosh at sh3lls.net As soon as I moved the sites over there it stopped dead so giges filters automatically picked it up. So either staminus doesnt protect against that type or what. It seemed like a a regular syn flood.
So for customer 3, this person has had numerous problems dealing with ddos. He says that the attacker has this tool that exploits the verlisign dc++ hub, that it takes over and has every user send ddos to the server of their choice. 
he had been on sharktech a few months per my reccomendation, he said they could not stop the attacks. he came to me said this was his last resort, so I said well surely staminus would stop it. As soon as his dns resolved on staminus server it got destroyed, nothing got filtered, couldnt even login the box. I didnt have access to staminus portal so I couldnt file a ticket, I had went in their irc again and could not get them to nullroute the ip, understandable since I didnt have access to the ticket system. So I immediatly deleted his dns and the attacks came for up to 12 hours hitting the ip he used to be on. 
Id ban thosands , entire /8 ranges and it would just reload and start hitting again. 
These syn floods sent very little data at slow intervals so i see why it was so hard to filter.
SO then I move him to gigeservers vps, his site is now up 12 hours, in netstat you would see teh occasional ip coming in and sending syn then closing connection so I thought it had it filtered. We was celebrating, as soon as we did I relaized I put my foot in my mouth as the attacks started full scale there. Nothing i really could do software wise as the vps kept running out of memory So I just had funtoosh remove the ip. 
My client the victim was hanging out in their dc++ hub at zerohour.mafiahub.net and pasting ne the logs translating from romanian on how they commanded the attacks. But supposedly they can connect to any dc++ hub and use this tool to take it over and have every user on the hub send ddos. The tool and exploit they are using is private thank god so it seems only a few romanian hacking groups have this.
This kind of attack could not be filtered at sharktech, staminus, or gigeservers I had tried it on softlayer first, had them add it to ddos guard, it knocked Both my servers offline  that was on same subnet. It sends very small packets and slow intervals, there is absolutely nothing you can do software wise.
Just giving everyone a heads up on what kind of methods are being used. If someone does think their hosting can block these attacks via hardware or software id be more then happy to give you the customers name, and they do not care to pay as long as the attacks can be filtered.
	
	View 14 Replies
  
    
	ADVERTISEMENT
    	
    	
        Dec 23, 2007
        I donno what kind of this attack. Dddos or syn attack?. Every time my apache server down dan cpu load very high because of this.. please help me how to defend attacker like this because when im block that ip in iptables after 3/4 hour it come again with another ip. What must i do?
Many connection like below example IP 60.50.80.51. Just one ip per onetime attack but so many same ip 60.50.80.51 can see when type netstat -anp... Im just paste a few here
tcp 0 0 208.77.102.217:80 60.50.80.51:1202 SYN_RECV -
tcp 0 0 208.77.102.217:80 60.50.80.51:1195 SYN_RECV -
tcp 0 0 208.77.102.217:80 60.50.80.51:1525 SYN_RECV -
tcp 388 0 ::ffff:208.77.102.217:80 ::ffff:60.50.80.51:1771 CLOSE_WAIT -
tcp 0 0 ::ffff:208.77.102.217:80 ::ffff:60.50.80.51:2027 ESTABLISHED -
tcp 0 0 ::ffff:208.77.102.217:80 ::ffff:60.50.80.51:3051 CLOSE_WAIT -
	View 5 Replies
    View Related
  
    
	
    	
    	
        May 29, 2009
        My server is using too many httpd process..I think iam under DDOs attack..I executed the following command..
netstat -an | grep :80 | sort
and the result is this
tcp        0   1491 ::ffff:95.211.10.169:80     ::ffff:213.215.100.110:2263 LAST_ACK    
tcp        0   1493 ::ffff:95.211.10.169:80     ::ffff:85.207.126.231:52694 LAST_ACK    
tcp         ....
	View 14 Replies
    View Related
  
    
	
    	
    	
        Aug 4, 2009
        I have a windows server, and today it has a large inbound traffic, so I tried to disable all web service, and after that, the result of netstat -an shows no connection at all, but the server still has large inbound traffic,
Do you have any idea about this?
What should I do now?
	View 8 Replies
    View Related
  
    
	
    	
    	
        Mar 19, 2008
        Our server is in attack since 4 days. Http port busy all the time.
When I type : 
netstat -na | grep ":80" | awk '{print $5}' | cut -d. -f1-4 | cut -d: -f1 | sort -n| uniq -c | sort -n | tail -5
It shows :
[root@ ~]# netstat -na | grep ":80" | awk '{print $5}' | cut -d. -f1-4 | cut
-d: -f1 | sort -n| uniq -c | sort -n | tail -5
      2 65.19.130.24
      2 83.149.120.9
      4 204.15.73.243
     35 222.254.103.142
   5128
[root@ ~]#   
I wonder the hidden IP of 5128 ??? How to know it?
	View 8 Replies
    View Related
  
    
	
    	
    	
        Jun 21, 2007
        The server getting slow with high I/O diskwait then normal, although load is not high.
here is the output of: netstat -anp |grep 'tcp|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n .................
	View 6 Replies
    View Related
  
    
	
    	
    	
        Apr 12, 2009
        i had installed anti ddos or firewall,but those are useless.His attacks are such great that The server and all the vps are down now. One told me that I  should check the ips and receive ips. The attacker is so skillful .describe the best method to defeat him. Be sides the attacker use diffirenet ips in each attack,I block him by iptables but no use…. His attack occupy all the ram and I have to resetart the server…  Now this time his attack lead to shutting all the vps down
	View 10 Replies
    View Related
  
    
	
    	
    	
        Jan 6, 2009
        My website is under ddos attack from some competitors. I don't know yet how big is the attack. The ips of the ddos attack come from all the world.
I have contacted a few hosting companies specialised in ddos proof hosting, unfortunatly the price is so expensive that i cannot afford it.
So i try to find another solution : my website is only aimed to the french people, so maybe is it possible to install a kind of firewall or proxy located before the server to block all the incoming IP adress not from france ? Do you know some websites who can do this and the price ?
I already try do deny the non-french ip in one htaccess file but the ddos attack saturate the server anyway.
	View 11 Replies
    View Related
  
    
	
    	
    	
        Oct 5, 2007
        I am seeing DDOs from past two days, I believe its, but I can't find out which type of ddos it is...Whenever I shutdown apache the load goes down, if I start apache the iowait time goes extremely high and after few minutes the server is not responsive...the server is dual cpu quard core...please help me in finding out wuts happening, the softlayer guy is looking into the issue, but I am not getting any good response
I am attaching someoutputs
	View 5 Replies
    View Related
  
    
	
    	
    	
        Apr 16, 2007
        what is ddos attack? and also tell me how avoid it
	View 1 Replies
    View Related
  
    
	
    	
    	
        Feb 4, 2007
        Is there is any easy way to check ip's of attackers so that i can block these ip's ? And how can we know that our server is under DDOS attack?
	View 9 Replies
    View Related
  
    
	
    	
    	
        Jul 31, 2007
        Yesterday my server suffered a DDoS attack - at least, I'm assuming that's what it was, as incoming traffic rose to 100mb/s for a period of about 20 minutes.  The only solution was to shut the server down, then bring it back.  Fortunately, the traffic did not return.
At the time, I couldn't even access the server as root.  The datacenter has been unhelpful, telling me that they have no idea where the traffic was coming from.  What can I do to find out what happened, ideally an IP (and what kind of data was being sent)?  I'm running RedHat Enterprise Linux.
	View 4 Replies
    View Related
  
    
	
    	
    	
        Jun 23, 2007
        my server is dead  from thursday night the site has gone offline   well the backend works justwhen you go to a domain it just doesnt open ive run a few commands in ssh heres the results
i run netstat -anp |grep 'tcp|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n and i get this
 1 127.0.0.1
      1 161.73.47.29
      1 172.207.11.104
      1 172.213.230.64
      1 189.162.62.188
      1 205.170.14.231
      1 62.31.34.193
      1 66.183.25.95
      1 68.95.129.213
      1 70.127.239.110
      1 70.156.248.105
      1 70.239.23.26
      1 71.145.144.82
      1 71.176.172.112
      1 72.12.175.0
      1 72.16.16.81
      1 72.179.136.204
      1 72.229.122.44
      1 74.12.147.227
      1 74.38.138.59
      1 74.75.91.211
      1 76.174.236.193
      1 77.98.28.210
      1 82.17.236.239
      1 84.102.105.171
      1 84.13.141.37
      1 86.153.107.205
      1 86.21.4.170
      1 87.192.88.25
      1 87.254.65.147
      1 88.88.121.139
      1 89.122.152.251
      2 203.199.163.35
      2 206.75.58.188
      2 24.162.0.146
      2 83.105.66.179
      2 85.16.175.211
      2 85.30.137.171
      4 152.78.254.85
      5 70.47.36.6
     25 85.17.170.205
     37 0.0.0.0
    138
i ran  netstat -an | grep -c SYN and i get
20
 well it varies sometimes higher sometimes lower
i ran netstat -ntp and get
tcp6       0      0 ::ffff:85.17.170.205:80 ::ffff:86.153.107.:4185 CLOSE_WAIT -
tcp6       0      0 ::ffff:85.17.170.205:80 ::ffff:77.98.28.21:3278 ESTABLISHED-
tcp6       0      1 ::ffff:85.17.170.205:80 ::ffff:70.47.36.6:38766 FIN_WAIT1  -
tcp6       0      0 ::ffff:85.17.170.205:80 ::ffff:71.197.174.:2104 ESTABLISHED-
tcp6      70      0 ::ffff:85.17.170.205:80 ::ffff:70.47.36.6:39522 ESTABLISHED-
tcp6       0      1 ::ffff:85.17.170.205:80 ::ffff:70.47.36.6:38754 FIN_WAIT1  -
tcp6       0      0 ::ffff:85.17.170.205:80 ::ffff:76.170.60.:61830 CLOSE_WAIT -
tcp6       0      0 ::ffff:85.17.170.205:80 ::ffff:74.12.147.:64785 FIN_WAIT2  -
tcp6       0      1 ::ffff:85.17.170.205:80 ::ffff:76.170.60.:61825 LAST_ACK   -
tcp6     526      0 ::ffff:85.17.170.205:80 ::ffff:203.199.16:20499 ESTABLISHED-
tcp6     448      0 ::ffff:85.17.170.205:80 ::ffff:82.31.72.23:3554 ESTABLISHED-
tcp6      66      0 ::ffff:85.17.170.205:80 ::ffff:70.47.36.6:39504 ESTABLISHED-
tcp6       0      0 ::ffff:85.17.170.205:80 ::ffff:71.130.170.:4683 ESTABLISHED-
tcp6       0      1 ::ffff:85.17.170.205:80 ::ffff:88.88.121.:63217 LAST_ACK   -
tcp6     264      0 ::ffff:85.17.170.205:80 ::ffff:77.98.28.21:3316 ESTABLISHED-
tcp6       0      1 ::ffff:85.17.170.205:80 ::ffff:70.47.36.6:38731 FIN_WAIT1  -
tcp6       0      1 ::ffff:85.17.170.205:80 ::ffff:172.203.4.1:1573 FIN_WAIT1  -
tcp6     265      0 ::ffff:85.17.170.205:80 ::ffff:77.98.28.21:3300 CLOSE_WAIT -
tcp6     528      0 ::ffff:85.17.170.205:80 ::ffff:206.75.58.1:1529 CLOSE_WAIT -
tcp6     329      0 ::ffff:85.17.170.205:80 ::ffff:152.78.254:24785 CLOSE_WAIT -
tcp6      69      0 ::ffff:85.17.170.205:80 ::ffff:85.17.170.:52294 CLOSE_WAIT -
tcp6     481      0 ::ffff:85.17.170.205:80 ::ffff:172.207.105:3623 ESTABLISHED-
tcp6       0      0 ::ffff:85.17.170.205:80 ::ffff:24.98.106.5:1793 TIME_WAIT  -
tcp6      73      0 ::ffff:85.17.170.205:80 ::ffff:85.17.170.:52296 CLOSE_WAIT -
tcp6     481      0 ::ffff:85.17.170.205:80 ::ffff:172.207.105:3625 ESTABLISHED-
tcp6     280      0 ::ffff:85.17.170.205:80 ::ffff:70.156.248:50993 CLOSE_WAIT -
tcp6     256      0 ::ffff:85.17.170.205:80 ::ffff:74.232.21.:50973 ESTABLISHED-
tcp6      68      0 ::ffff:85.17.170.205:80 ::ffff:85.17.170.:52304 ESTABLISHED-
tcp6      72      0 ::ffff:85.17.170.205:80 ::ffff:85.17.170.:52305 ESTABLISHED-
tcp6      68      0 ::ffff:85.17.170.205:80 ::ffff:85.17.170.:52306 ESTABLISHED-
tcp6      68      0 ::ffff:85.17.170.205:80 ::ffff:85.17.170.:52307 ESTABLISHED-
tcp6     446      0 ::ffff:85.17.170.205:80 ::ffff:89.122.152.:3387 CLOSE_WAIT -
tcp6      68      0 ::ffff:85.17.170.205:80 ::ffff:85.17.170.:52308 ESTABLISHED-
tcp6      68      0 ::ffff:85.17.170.205:80 ::ffff:85.17.170.:52309 ESTABLISHED-
tcp6      68      0 ::ffff:85.17.170.205:80 ::ffff:85.17.170.:52310 ESTABLISHED-
tcp6     447      0 ::ffff:85.17.170.205:80 ::ffff:74.103.15.:50618 CLOSE_WAIT -
tcp6      68      0 ::ffff:85.17.170.205:80 ::ffff:85.17.170.:52311 ESTABLISHED-
tcp6      68      0 ::ffff:85.17.170.205:80 ::ffff:85.17.170.:52312 ESTABLISHED-
tcp6      68      0 ::ffff:85.17.170.205:80 ::ffff:85.17.170.:52313 ESTABLISHED-
tcp6      68      0 ::ffff:85.17.170.205:80 ::ffff:85.17.170.:52314 ESTABLISHED-
tcp6      72      0 ::ffff:85.17.170.205:80 ::ffff:85.17.170.:52315 ESTABLISHED-
tcp6      66      0 ::ffff:85.17.170.205:80 ::ffff:85.17.170.:52316 ESTABLISHED-
tcp6     712      0 ::ffff:85.17.170.205:80 ::ffff:195.93.21.:41217 CLOSE_WAIT -
tcp6      68      0 ::ffff:85.17.170.205:80 ::ffff:85.17.170.:52317 ESTABLISHED-
tcp6     712      0 ::ffff:85.17.170.205:80 ::ffff:195.93.21.:45571 CLOSE_WAIT -
tcp6     279      0 ::ffff:85.17.170.205:80 ::ffff:82.45.205.6:2251 ESTABLISHED-
tcp6       0      1 ::ffff:85.17.170.205:80 ::ffff:85.17.170.:38243 FIN_WAIT1  -
tcp6     540      0 ::ffff:85.17.170.205:80 ::ffff:82.19.190.2:3929 ESTABLISHED-
tcp6     493      0 ::ffff:85.17.170.205:80 ::ffff:86.21.4.170:4267 ESTABLISHED-
tcp6     712      0 ::ffff:85.17.170.205:80 ::ffff:195.93.21.:57914 CLOSE_WAIT -
tcp6      67      0 ::ffff:85.17.170.205:80 ::ffff:70.47.36.6:39453 CLOSE_WAIT -
tcp6     632      0 ::ffff:85.17.170.205:80 ::ffff:75.46.61.3:61728 ESTABLISHED-
tcp6     332      0 ::ffff:85.17.170.205:80 ::ffff:84.108.80.:49283 ESTABLISHED-
tcp6     444      0 ::ffff:85.17.170.205:80 ::ffff:67.163.63.:39467 ESTABLISHED-
tcp6     498      0 ::ffff:85.17.170.205:80 ::ffff:85.30.137.1:2851 ESTABLISHED-
tcp6     444      0 ::ffff:85.17.170.205:80 ::ffff:67.163.63.:39469 ESTABLISHED-
tcp6     508      0 ::ffff:85.17.170.205:80 ::ffff:88.149.100:15418 CLOSE_WAIT -
tcp6      68      0 ::ffff:85.17.170.205:80 ::ffff:85.17.170.:47216 ESTABLISHED-
tcp6     508      0 ::ffff:85.17.170.205:80 ::ffff:88.149.100:15419 CLOSE_WAIT -
tcp6      68      0 ::ffff:85.17.170.205:80 ::ffff:85.17.170.:47217 ESTABLISHED-
tcp6       0      0 ::ffff:85.17.170.205:80 ::ffff:72.83.170.:50089 CLOSE_WAIT -
tcp6     508      0 ::ffff:85.17.170.205:80 ::ffff:88.149.100:15416 CLOSE_WAIT -
tcp6      72      0 ::ffff:85.17.170.205:80 ::ffff:85.17.170.:47218 ESTABLISHED-
tcp6      68      0 ::ffff:85.17.170.205:80 ::ffff:85.17.170.:47219 ESTABLISHED-
tcp6       1      0 ::ffff:85.17.170.205:80 ::ffff:72.83.170.:50091 CLOSE_WAIT -
tcp6     507      0 ::ffff:85.17.170.205:80 ::ffff:88.149.100:15420 ESTABLISHED-
tcp6       0      0 ::ffff:85.17.170.205:80 ::ffff:82.32.18.24:2244 ESTABLISHED-
tcp6     409      0 ::ffff:85.17.170.205:80 ::ffff:70.239.23.:26082 CLOSE_WAIT -
tcp6     329      0 ::ffff:85.17.170.205:80 ::ffff:152.78.254:24810 CLOSE_WAIT -
tcp6     508      0 ::ffff:85.17.170.205:80 ::ffff:88.149.100:15415 CLOSE_WAIT -
tcp6     715      0 ::ffff:85.17.170.205:80 ::ffff:195.93.20.:42065 ESTABLISHED-
tcp6       0      0 ::ffff:85.17.170.205:80 ::ffff:72.83.170.:50087 CLOSE_WAIT -
tcp6       0      0 ::ffff:85.17.170.205:80 ::ffff:85.30.137.1:2764 ESTABLISHED-
tcp6     505      0 ::ffff:85.17.170.205:80 ::ffff:194.247.231:2269 ESTABLISHED-
tcp6     351      0 ::ffff:85.17.170.205:80 ::ffff:76.174.236.:1645 ESTABLISHED-
tcp6      66      0 ::ffff:85.17.170.205:80 ::ffff:70.47.36.6:39649 ESTABLISHED-
tcp6     349      0 ::ffff:85.17.170.205:80 ::ffff:76.174.236.:1646 ESTABLISHED-
tcp6     272      0 ::ffff:85.17.170.205:80 ::ffff:68.95.129.2:4578 CLOSE_WAIT -
tcp6     255      0 ::ffff:85.17.170.205:80 ::ffff:66.249.70.:63667 ESTABLISHED-
tcp6     322      0 ::ffff:85.17.170.205:80 ::ffff:71.99.33.1:50724 ESTABLISHED-
tcp6       0      0 ::ffff:85.17.170.205:80 ::ffff:70.47.36.6:39385 ESTABLISHED-
tcp6     493      0 ::ffff:85.17.170.205:80 ::ffff:172.209.126:4691 ESTABLISHED-
tcp6     506      0 ::ffff:85.17.170.205:80 ::ffff:66.183.25.9:2614 CLOSE_WAIT -
tcp6     444      0 ::ffff:85.17.170.205:80 ::ffff:67.163.63.:39415 ESTABLISHED-
tcp6       0      0 ::ffff:85.17.170.205:80 ::ffff:68.10.147.6:3428 CLOSE_WAIT -
tcp6     487      0 ::ffff:85.17.170.205:80 ::ffff:189.162.62.:1262 CLOSE_WAIT -
tcp6     537      0 ::ffff:85.17.170.205:80 ::ffff:76.195.5.18:4785 ESTABLISHED-
tcp6     270      0 ::ffff:85.17.170.205:80 ::ffff:209.242.13:61937 ESTABLISHED-
tcp6     468      0 ::ffff:85.17.170.205:80 ::ffff:86.4.211.20:4516 CLOSE_WAIT -
tcp6     715      0 ::ffff:85.17.170.205:80 ::ffff:195.93.20.:37092 ESTABLISHED-
tcp6       0      1 ::ffff:85.17.170.205:80 ::ffff:69.181.177:31392 LAST_ACK   -
tcp6     268      0 ::ffff:85.17.170.205:80 ::ffff:74.38.138.:61485 ESTABLISHED-
tcp6     712      0 ::ffff:85.17.170.205:80 ::ffff:195.93.21.:52368 CLOSE_WAIT -
tcp6       0      0 ::ffff:85.17.170.205:80 ::ffff:70.47.36.6:39350 ESTABLISHED-
tcp6     267      0 ::ffff:85.17.170.205:80 ::ffff:87.80.122.1:3587 ESTABLISHED-
tcp6     391      0 ::ffff:85.17.170.205:80 ::ffff:72.83.170.:50185 CLOSE_WAIT -
tcp6     411      0 ::ffff:85.17.170.205:80 ::ffff:81.96.122.1:1457 CLOSE_WAIT -
tcp6      66      0 ::ffff:85.17.170.205:80 ::ffff:70.47.36.6:39596 ESTABLISHED-
tcp6       0      0 ::ffff:85.17.170.205:80 ::ffff:74.12.147.:64733 TIME_WAIT  -
tcp6       0      1 ::ffff:85.17.170.205:80 ::ffff:88.88.121.:63243 LAST_ACK   -
tcp6     339      0 ::ffff:85.17.170.205:80 ::ffff:82.17.236.:50364 CLOSE_WAIT -
tcp6       0  15572 ::ffff:85.17.170.205:22 ::ffff:81.96.122.1:1209 ESTABLISHED-
tcp6       0      0 ::ffff:85.17.170.205:80 ::ffff:12.201.30.3:3928 CLOSE_WAIT -
tcp6     333      0 ::ffff:85.17.170.205:80 ::ffff:203.199.16:20205 CLOSE_WAIT -
tcp6       0      0 ::ffff:85.17.170.205:80 ::ffff:72.153.122:50891 ESTABLISHED-
tcp6     624      0 ::ffff:85.17.170.205:80 ::ffff:156.34.51.:60779 ESTABLISHED-
tcp6     278      0 ::ffff:85.17.170.205:80 ::ffff:68.227.184:53069 CLOSE_WAIT -
tcp6     716      0 ::ffff:85.17.170.205:80 ::ffff:195.93.20.:54730 CLOSE_WAIT -
tcp6     460      0 ::ffff:85.17.170.205:80 ::ffff:88.88.121.:63284 ESTABLISHED-
tcp6     896      0 ::ffff:85.17.170.205:80 ::ffff:72.95.3.16:50553 ESTABLISHED-
tcp6      66      0 ::ffff:85.17.170.205:80 ::ffff:70.47.36.6:39564 ESTABLISHED-
	View 14 Replies
    View Related
  
    
	
    	
    	
        Jan 2, 2007
        We are getting more traffic to one of the servers. It seems like DDOS attack, but IPs are diferent. I want to find what IPs are connecting more connections. Are there any commnds? I want to block those IPs.
 
netstat -rn | grep :80 |wc -l
502
	View 14 Replies
    View Related
  
    
	
    	
    	
        Feb 7, 2007
        My hosting account has been suspended because of a DDos Attack. What is that
	View 8 Replies
    View Related
  
    
	
    	
    	
        Jul 4, 2006
        Someone is trying to attack our server (I think so). When running apache status there are a LOT of connections from one network, all requesting the same page. But running: netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n does show any of these IP's. So script blocking ddos attacks wont work. Anyone know what can I do about this?
	View 14 Replies
    View Related
  
    
	
    	
    	
        Aug 31, 2009
        I have been in online business for about 5 years, but only this morning found out what DDoS is.  Shame on me. 
Our site was attacked this morning and the host (shared hosting) has switched off the dns connection so our site is currently down along with email.  We are a small firm and we are absolutely getting killed by this right now. 
The tech support in this hosting company (icdsoft com) is absolutely phenomenal based on previous experiences and here is what they said throughout the day:
"Your site gets approximately 60 hits/second. Unfortunately there isn't much that can be done in such situation. We already blocked the most active IP addresses in our firewall, but this does not help, as the attack comes from many sources "
About an hour later they tried again and the following was said:
"Unfortunately we do not know how long this attack will last. At the moment there are more than 1100 requests/second towards your site."
about an hour after that the following was said:
"The attack is still going on. Currently, the incoming rate is 8MBit/sec. We will enable your site, and we will notify you when the attack is over."
My questions are the following and I will appreciate any advise as I am absolutely clueless about this:
1. What should I do at this point?  Should I move the site to a dedicated server and if so, will this solve the DDOS problem?
2. Should I purchase anti DDoS package? They are extremely expensive it appears. 
3. If I move to a new dedicated host, which one should i choose? we are a small site, with about 10,000 uniques per month and do not have massive budget so cost is a big factor. 
4.  How long will this current attack likely last? I know it's impossible to answer, but approximately how long do these things last and is it likely to repeat in the future if we leave things alone?
Any knowledgable advice on this matter will be greatly appreciated as we are hurting badly due to this and even 1 day loss of income for us is extremely serious and hurtful.
	View 14 Replies
    View Related
  
    
	
    	
    	
        May 12, 2009
        Im currently with poundhost 
i have some colo servers with them
 
they have gone down 3 times over the last week
2 DDOS attacks and 1 router/exchange issue
 
I called them up and they reckon they get 1 DDOS some weeks, and other weeks have none
 
However, when another server is getting a DDOS attack, i dont want my server to go down.
I take it the network pipe is being flooded, and thats why websites stop responding.?
 
so i called rapid switch, they reckon if they get a DDOS attack, it just takes down the one server, and not everyones elses
	View 14 Replies
    View Related
  
    
	
    	
    	
        May 24, 2009
        i have been under DDoS attacks, and what it does is it will have different servers wget 
a certain file so it's all pretty much with HTTP.
for example: i had 10000 wget site.com/file.rar from ip x.x.x.x
and then same wget from ip y.y.y.y.
now question is how could i block this?
is it a way on apache2 to limit Downloads per IP (example 1 gb /IP)?
	View 12 Replies
    View Related
  
    
	
    	
    	
        Nov 6, 2009
        I have a dedicated server running Debian and i am having some problems with Apache using a lot of CPU causing the load to go about 100.00. My load is usually 0.50 so this is not a bad coded script that is causing the problem.
I run netstat and got the following results ( my server IP has been replaced ):
Code:
# netstat -ntu 
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 66.66.66.66:80        83.149.104.60:46866     SYN_RECV   
tcp        0      0 66.66.66.66:80        216.176.179.82:33062    SYN_RECV   
tcp      239      0 66.66.66.66:80        216.176.179.82:49383    CLOSE_WAIT 
tcp      228      0 66.66.66.66:80        216.176.179.82:48866    CLOSE_WAIT 
tcp      228      0 66.66.66.66:80        216.176.179.82:49385    CLOSE_WAIT 
tcp      228      0 66.66.66.66:80        78.159.196.25:33786     CLOSE_WAIT 
tcp      229      0 66.66.66.66:80        216.176.179.82:49912    CLOSE_WAIT 
tcp      845      0 66.66.66.66:80        200.140.141.66:47575    CLOSE_WAIT 
tcp      239      0 66.66.66.66:80        216.176.179.82:48835    CLOSE_WAIT 
tcp      229      0 66.66.66.66:80        69.22.166.25:33838      CLOSE_WAIT 
tcp      239      0 66.66.66.66:80        69.22.166.25:34092      CLOSE_WAIT 
tcp      238      0 66.66.66.66:80        216.176.179.82:49056    CLOSE_WAIT 
tcp      239      0 66.66.66.66:80        85.234.152.91:49110     CLOSE_WAIT 
tcp      229      0 66.66.66.66:80        69.22.166.25:60500      CLOSE_WAIT 
tcp      228      0 66.66.66.66:80        216.176.179.82:48575    CLOSE_WAIT 
tcp      238      0 66.66.66.66:80        85.234.152.91:49346     CLOSE_WAIT 
tcp      229      0 66.66.66.66:80        216.176.179.82:49337    CLOSE_WAIT 
tcp      228      0 66.66.66.66:80        69.22.166.25:34173      CLOSE_WAIT 
tcp      229      0 66.66.66.66:80        78.159.196.25:33426     CLOSE_WAIT 
tcp      239      0 66.66.66.66:80        69.22.166.25:34931      CLOSE_WAIT 
tcp      239      0 66.66.66.66:80        78.159.196.25:51062     CLOSE_WAIT 
The problem is probably those close_wait connections. I already have APF installed on my server ( althought it doesn't work well with Debian ) and only port 80 is open.
how can i stop those attacks? Besides manually blocking the ip, which is not the best way to handle this problem.
	View 13 Replies
    View Related
  
    
	
    	
    	
        May 19, 2009
        is there any proved method to determine what kind of attack you are under? Our server has been under attack for more than a day now but so far we have not been able to find out what kind of attack it is exactly. The server maintence company we are using says it's a DDoS attack but they don't say how they found this out. Also, they are not telling us what kind of DDoS attack it is.
	View 14 Replies
    View Related
  
    
	
    	
    	
        Nov 16, 2008
        Ddos attack
This week some hackers attack my site with ddos attack and pc zombies...
i have installed and configured fail2ban but it has yielded no results 
the server surchauffe and be DOWN always...
	View 13 Replies
    View Related
  
    
	
    	
    	
        Aug 4, 2008
        My site was recently under a DDoS attack and was down for a few days, the attack came from Russia i believe.
The people who did it asked for $800, but of course i didnt pay. My hosting company did the best they could in  order to stop the attack but it still lasted a few days and badly hurt my rankings.
I moved my site to a dedicated server, but i dont know what kind of software/hardware i need to install on it in order to prevent more future attacks, the hosting company suggested a few things but i dont know if they are just trying to get more money out of me.
	View 3 Replies
    View Related
  
    
	
    	
    	
        Sep 3, 2008
        I hope liquidweb can do something about this.  This is the first time Im getting DDOS.  Its been almost 1hour & counting....hopefully this does not last too long.
Is there anything they can do proactively to counter this attack.  I have a  hardware firewall with them also. I was told around 800Mbps of inbound traffic.
 
"This ticket is to notify you that it was necessary for us to null route
69.16.xxx.xx due to a very large inbound DDoS attack. The null route was
required in order to keep our network stable and to limit the affect to our
other customers. We are actively monitoring the situation, and will remove the
null route as soon as the attack has subsided enough. 
	View 7 Replies
    View Related
  
    
	
    	
    	
        Dec 26, 2008
        This is the second time I have been DDoS Attacked and it is losing my customers and my reputation. I personally think it is a rival company trying to put me out of business. So to prevent further attacks I need so protection. Is there some kind of software based protection or is it only hardware?
	View 6 Replies
    View Related
  
    
	
    	
    	
        Feb 2, 2008
        is this DDOs attack : .....
	View 5 Replies
    View Related
  
    
	
    	
    	
        Jul 16, 2008
        If your website gets targeted by an attacker.
And it gets unbelievable volume of attack that brings it down.
You try to shift between hosts but it does not help.
The host would null-rout your traffic to maintain the integrity of his network.
What can you so?
You tried several technical solutions, it did not help.
Someone is determined to bring you down!
Is there any legal path that you can take?
Is there a legitimate hackers company that you can hire to look at the attack and find the source?
	View 8 Replies
    View Related
  
    
	
    	
    	
        May 4, 2008
        My website (Large Discussion Forums Site) is under a heavy DDoS attack since 3 weeks. My first host could not handle such an attack so I moved to another who claimed to have a firewall that can handle the attack, but still, the site is down.
Anyone has a good suggestion to get the site up and handle the attack? Any particular hosts that can help me?
(The Forum has its own server and does not use Apache).
	View 14 Replies
    View Related
  
    
	
    	
    	
        Apr 14, 2008
        Your site is now officially being DDoS Attacked. This will render your site completely offline to you, or any of your visitors/customers. Your site will continue to be attacked, and stay offline, until I receive $400.00 USD in Liberty Reserve. 
Liberty Reserve Account Number:  U5585060
*Payment ensures future protection from DDoS Attacks, finding future attackers, and disabling their botnets.
Valid Contact Email: drjaykrew@gmail.com
I will 100% respond to any emails sent here, so the choice is yours! If I am ignored, you know the consequences.
I laughed of course  but when I checked my server... it was down for 8 hours, 18MB log file, over 700 unique IPs.
First I called the colocation... Isn't it the normal thing to do?! Who else can filter/block this attack? Unfortunately it doesn't help at all with Rapid Switch (www.rapidswitch.com - don't expect any support from them) They replied "What do you expect us to do?"
Or the exact answers:
Can you please let us know what kind of assistance you would like from us?
And the last one:
Perhaps you can outline what you think it is feasible for us to do in situations like this?
No comment...
Once I saw that there is no help coming from them, I decided to move the website to a server I got at home: 3.4GHz Dell, 16GB RAM, Windows 2008 Datacenter, behind Linksys RV082 on 12Mbit adsl - perfect! My $300 router could handle the attack, but my ISP cut off port 80 after less than an hour!
So I had to move back to the server I have at the colo (Windows 2003 Enterprise, IIS6). Tried Sygate, Zonealarm and Symantec Endpoint Security - none of them helped.
Here are two lines from the log:
2008-04-14 06:27:49 W3SVC1078447680 <IP> GET /login.php - 80 - 195.56.6.17 Mozilla/4.0+(compatible) 200 0 64
2008-04-14 06:27:49 W3SVC1078447680 <IP> GET /login.php - 80 - 78.3.24.20 Mozilla/4.0+(compatible) 500 0 1236
I have edited the login.php to ignore the requests 
PHP Code:
if ( !isset($_SERVER['HTTP_REFERER']) ) { exit; } 
It did the job - reduced the myslq queries, but the server is still crashing after 15 minutes and over 1GB incoming traffic.
12 hours later, after trying everything I found on the web - I finally gave up (no, I didn't pay hahaha) and set the nameservers to 127.0.0.1
	View 4 Replies
    View Related
  
    
	
    	
    	
        May 24, 2008
        Some jerk has been attacking my Windows based server for 2 days. Basically he said he has 600+ bots that connect and look like normal users. The site has been down and we have lost some serious income.
I was thinking about just using GigeServers ProxyShield as I thought it would be the easiest route but the $1000 a month is a bit much. 
	View 4 Replies
    View Related
  
    
	
    	
    	
        Feb 8, 2008
        I've got CSF setup, but the problem is, I can't seem to keep the SYN Attack blocked without blocking all my legit hits. 
	View 5 Replies
    View Related