
DDoS: Help


Deveant


Heya all, sorry, I didn't really want to post this here, because I don't believe that I've helped other people, but still this problem is really bothering me and lowering my business, as well as killing my passion in website admining.

I believe that there is no known cure for DDoS, but I was wondering if anyone has some advice or solutions for lowering the intensity of the attacks.

Pretty much every day or two, 300 or so boxes (all different IPs) all connect to a single page on my site, and within a second reconnect, and so on and so on, causing the server to sh*t itself and crash the CGI. If I chmod the file that the PCs are accessing, the site comes back up, but then the target file will change after a while and hey presto, the site's down again.

Blocking the IPs seems to be an impossible task; every attack is from different IP ranges and I presume they're zombies.

Can anyone please help me with this issue? You will become a hero on my site lol.


See if you can take over the bot net and DDoS the attacker?

Blocking DDoS attacks (without lots of bandwidth) would require global cooperation of some kind. Personally, if I was paid to do it, I would be willing to travel all over the globe and shut down these botnets one by one, but hey, I doubt that's a feasible business model :P


The only problem is it would be hard to find out where the botnet actually lives. If it's a PHP botnet that works by taking over web servers with the use of remote file inclusion, then you could jump over to one of the IPs that is hitting you, find the source for the botnet, and inside the source it will have some information on where the actual botnet is, then just do what Sparda said and try to take it over. If it isn't a PHP botnet, though, you could always try to get in contact with one of the people that owns one of the systems being used and analyse their packets when their system starts up to find the server that the botnet is connecting to in order to get its commands from.


If you can grab the exe and strip off the encryption that's almost certainly on it, there's a chance you could extract the nicknames/addresses etc. and use that... but it's hard to get the exe if you don't know where to look...


What website is this that keeps getting attacked? Perhaps Google will help you work out who is attacking you, because the idiot that attacked you made a "Look, I'm so clever, I got a website shut down" post on some random forum somewhere.

Note: taking over a botnet and attacking the attacker is very not legal. However, I would say that it's just poetic justice. Kind of like a murderer's gun exploding in his face. Except, you are the one who rigged the gun to blow up in his face.


You could look at it as an architectural issue:

Your site contains a CGI script that is heavy enough that 300 concurrent users (which, to be honest, I consider to be fairly low) can kill the machine.

Couldn't you cache the server response so that any subsequent calls will simply result in the spitting out of precomputed data? Check out mod_disk_cache for Apache.
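
The caching idea in the reply above, sketched as an added example (not part of the original thread, and not mod_disk_cache itself): a short-lived response cache that lets only one request per expiry window reach the heavy script, while concurrent misses wait for that one result. `MicroCache`, `slow_cgi`, `simulate_flood` and the path `/cgi-bin/page.cgi` are hypothetical names; `simulate_flood` runs 300 clients against one path and returns the request and render counts.

```python
import threading
import time

class MicroCache:  # one render per path per ttl; concurrent misses coalesce
    def __init__(self, render, ttl=5.0, clock=time.monotonic):
        self._render, self._ttl, self._clock = render, ttl, clock
        self._lock = threading.Lock()
        self._entries = {}       # path -> (expires_at, body)
        self._key_locks = {}     # path -> lock held while that path is rendering
        self.renders = 0         # how many times the backend actually ran

    def _fresh(self, path):
        hit = self._entries.get(path)
        return hit[1] if hit and hit[0] > self._clock() else None

    def get(self, path):
        with self._lock:
            body = self._fresh(path)
            if body is not None:
                return body
            key_lock = self._key_locks.setdefault(path, threading.Lock())
        with key_lock:           # one thread renders, the rest queue here
            with self._lock:
                body = self._fresh(path)
            if body is None:
                body = self._render(path)
                with self._lock:
                    self.renders += 1
                    self._entries[path] = (self._clock() + self._ttl, body)
            return body

def slow_cgi(path):
    time.sleep(0.05)             # constructed stand-in for the heavy script
    return "<html>generated for %s</html>" % path

def simulate_flood(clients=300, requests_each=5, ttl=5.0):
    cache = MicroCache(slow_cgi, ttl=ttl)
    def client():
        for _ in range(requests_each):
            cache.get("/cgi-bin/page.cgi")   # hypothetical target path
    threads = [threading.Thread(target=client) for _ in range(clients)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return clients * requests_each, cache.renders

if __name__ == "__main__":
    print(simulate_flood())
```

The cache key here is the bare path; if the script's output depends on query parameters, they have to be normalised into the key, otherwise varying them bypasses the cache.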
