My server is being under DDOS attack


hsp

Hello,

I think this is the right forum to ask for help.

For over a month I have been suffering from DDoS attacks every day around 1:00 AM. I have an idea who's behind this, but I have no proof.

I have a virtual server at CloudVPS and I have CloudFlare too. Unfortunately, it was found yesterday that even CloudFlare cannot offer me protection; my websites were offline again.

My Hosting provider CloudVPS is not very supportive and CloudFlare recommends their Enterprise package (which costs tons of money). More or less I'm on my own.

What can I actually do?


Your only recourses are to either fork over the cash to the provider to provide protection, or to wait it out until the attacker gets bored or is caught.

Your problem is that the pipe to your server gets filled to capacity so you either need a bigger pipe, or wait for or otherwise get the guy to stop filling it to capacity. Is there any special reason that 1am is chosen? Sounds like a stupid time to do this. Is that when your servers are frequented the most?


Agreed: confirm that it is really an attack and not just a server outage, then listen to Cloudflare; they are the experts. I don't know what monitoring/logging Cloudflare offer, but check that and see how much bandwidth is being sent to you. If it is really an attack then you will see high traffic volumes; if you don't, then I'd look for something like your hosting company doing an accidental DoS during a nightly backup or log rotation.

i8igmac, iptables won't help with this, as the problem is that the pipe into the server is being filled; this comes before the network stack is reached.


  • 6 months later...

If you can identify your server's IP directly vs the masking done by Cloudflare, then Cloudflare is not set up properly or someone has found the direct address to attack vs your masked Cloudflare IP (if it is in fact an attack directly on your site, they should need your unmasked IP to attack it directly, and no, Apache logs won't always show the traffic, since they can point data to any open port or listening sockets to bring down the site, sometimes with little traffic needed depending on the attack).

You can try getting them to change your IP address behind the DNS service (from your host provider, not Cloudflare), and then check if you can get an "A" record from your site via "direct-connect.sitename.com" or "direct.site.com", which Cloudflare, depending on how it's set up, exposes your domain's IP to attackers sometimes if under maintenance or editing the site in live mode. There also used to be a site, http://web.archive.org/web/*/http://www.cloudflare-watch.org/cfs.html, that let you search if yours was already archived, but it seems to no longer be up; there are probably more sites like it that expose Cloudflare users to attacks. I've found ways to get the IP of sites like this in the past, and used my hosts file to bypass Cloudflare, which confirms the site's unmasked IP when you open it in your browser and it loads the actual site.

edit: found another site similar to the old cloudflare watch - http://www.crimeflare.com/cfs.html Check if your site's true IP is in their archive.

edit:

I can see your SUBDOMAINS are NOT on Cloudflare! This in part exposes your server's real IP in the Netherlands for your media company (which I was able to find via your profile on LinkedIn). Putting it into my hosts file and pointing to your main site loaded and gave me your real domain without Cloudflare protection, so you need to mask your subdomain, or remove it, and have your host issue you a new IP address to then configure on Cloudflare, and retest. Won't post your IP here, but if I could find it that easily, probably anyone else can.

Just to add as well, you're using WordPress; make sure it's not a plug-in or such causing the site issues.

Edited by digip

Just run netstat -nut | awk '{print $5}' | cut -d : -f1 | sort | uniq -c | sort -n

from the terminal or get something like http://configserver.com/cp/csf.html installed on their might possibly have to find yourself a host that offers DDoS protection. See this is an old thread but meh, was under a DDoS attack the last couple days; appears one of these randoms I added on Steam thought he would get some lawls by DDoSing people on Steam. This is why I don't like to add people I don't know on things like Skype or other services that expose information like that to script kiddies.
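
Added example (not part of the post above): the same per-remote-address count as the netstat pipeline, done by a parser that skips netstat's two header lines and keeps IPv6 addresses whole, both of which `awk '{print $5}' | cut -d : -f1` gets wrong, plus a count of half-open (`SYN_RECV`) sockets per source. `SAMPLE` is constructed output using documentation-range addresses; as an earlier reply points out, traffic dropped upstream of a saturated link never appears in these counts.

```python
from collections import Counter

# Constructed `netstat -nut` output (documentation-range addresses).
SAMPLE = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.23:51544     ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.23:51545     SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.23:51546     SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:40100       ESTABLISHED
tcp6       0      0 2001:db8::10:443        2001:db8:beef::1:40022  ESTABLISHED
tcp6       0      0 2001:db8::10:443        2001:db8:beef::1:40023  ESTABLISHED
udp        0      0 192.0.2.10:53           203.0.113.5:3333
"""

def parse(netstat_output):
    """Yield (remote_ip, state) per socket, skipping the header lines."""
    for line in netstat_output.splitlines():
        f = line.split()
        if len(f) < 5 or not f[0].startswith(("tcp", "udp")):
            continue
        # Split on the LAST colon so an IPv6 address is not cut at its first.
        ip = f[4].rpartition(":")[0]
        # UDP rows usually have no state column.
        yield ip, (f[5] if len(f) > 5 else "")

def per_ip(netstat_output):
    """Sockets per remote address."""
    return Counter(ip for ip, _ in parse(netstat_output))

def half_open(netstat_output):
    """Half-open TCP sockets per remote address."""
    return Counter(ip for ip, st in parse(netstat_output) if st == "SYN_RECV")

if __name__ == "__main__":
    syn = half_open(SAMPLE)
    for ip, n in per_ip(SAMPLE).most_common():
        print(f"{n:6d} {ip}  (SYN_RECV: {syn[ip]})")
```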
