

DDOS attack




Posted by dnki, 03-14-2008, 07:02 AM
Some of my websites have been under a DDOS attack for about a month now. Is there any way I can find who is behind this attack and what their motive is? How much does it cost to launch a DDOS attack and how long do they usually last? Thanks

Posted by zacharooni, 03-14-2008, 07:06 AM
What are you hosting?

Posted by dnki, 03-14-2008, 07:11 AM
Nothing, mostly static HTML pages, a few forums (which are now offline).

Posted by zacharooni, 03-14-2008, 07:16 AM
What kind of forums?

Posted by dnki, 03-14-2008, 07:20 AM
Standard PHPBB/SMF forums on non-controversial subjects. How does the content of the forums matter?

Posted by zacharooni, 03-14-2008, 07:25 AM
Perhaps someone posted something someone didn't like, happens all the time. Stupid kids and their feelings.

Posted by ElTino, 03-14-2008, 12:15 PM
Can't be sure about it, but attacks of this scale wouldn't last for a long time, simply because the individuals who hire these botnets cannot afford more attacks or because the people that are running the botnet want to launch an attack on some other target (big companies that are worth a lot of money/day for being online). And the usual case of course is extortion. Your case seems to me like some wannabe hacker kids trying to learn on your site.

Posted by dnki, 03-15-2008, 12:49 AM
I also think so, it is not very well thought out. If it is for extortion, do they contact the site owner?

Posted by LoganNZ, 03-15-2008, 02:18 AM
How big is the attack? Have you logged the IPs that are flooding your server? Are you going to scan one of the attacking hosts and see if they are infected with a common bot and try to trace back the botnet master? Also, do you have any staff members on the forum that would "stir ****"? Consider mod_dosevasive/evasive - will block HTTP crafted DDoS attacks. Really, we can't help you realistically because we don't have enough information regarding the attack. Best Regards, Logan

Posted by ElTino, 03-17-2008, 10:14 AM
They sure do if they want to collect some money. Asking that question makes me think that no one has called you so far, which means that your case has a different nature.

Posted by dnki, 03-17-2008, 10:47 AM
What could be the different nature of my case? No one has contacted me so far, my sites are fairly small.

Posted by ElTino, 03-17-2008, 11:30 AM
That's what I said. No one has called you so far, which means that the attack was not an extortion attempt.

Posted by dnki, 03-17-2008, 06:54 PM
Then what kind of attack can it be?

Posted by Orien, 03-17-2008, 07:08 PM
There are a lot of people on the internet who do what they do... just for the heck of it.

Posted by ddosguru, 03-17-2008, 07:16 PM
I recommend against using any of these Apache mods. Instead, purchase Litespeed httpd. It is much better suited to handle low level DDoS attacks.

Posted by LoganNZ, 03-17-2008, 08:20 PM
Litespeed is just a band-aid. It doesn't fix anything, it replaces Apache with a smaller daemon and memory footprint. The Apache mods that I suggested have worked perfectly for my clients...

Posted by vecctormedia, 03-17-2008, 09:02 PM

Posted by ataylor, 03-17-2008, 10:08 PM
Found this the other day, looks interesting: http://deflate.medialayer.com/

Posted by ElTino, 03-18-2008, 07:36 AM
Apart from the extortion scenario, a DDoS attack could be performed by an individual or a company that is your competition in some way. Could be someone who's just trying to prove himself or gain authority among the hacking society, it could also be the case that this was initiated by some attacker who has the knowledge to do it and he's just enjoying himself. The things that drive an attacker to launch attacks could be various.

Posted by brianoz, 03-18-2008, 09:37 AM
Sure this is a DDOS? If it was a real DDOS your server would be dead in the water, they're almost impossible to defend against. Without knowing numbers of IP ranges, volume of packets/data and how often the IPs change it's impossible for us to say. mod_dosevasive will help a little if the IPs are not changing. You'd be better off blocking the packets at a lower level though and for that you should use Configserver's CSF which will block misbehaving IPs in the kernel, before they get to your httpd and waste cpu cycles. Not as effective on non-cpanel machines but it will still help. CSF also blocks particular known evil-hacker-controlled IP ranges, updated on a daily basis. If your attacks come from particular IPs, or particular IP ranges, just block the ranges (eg if it's Nigeria, just block the whole country, etc). Litespeed may help if you're under serious attack, but I doubt it from what you say and I wouldn't waste your time with it. The lower level kernel firewalling is the way to go for a first step, then add in the other things.
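
Added example, not part of the thread: the figures the replies ask for (requests per IP, requests per IP range, and how often the source IPs change) can be pulled from a web server access log before deciding between per-IP and per-range blocking. The sketch assumes Apache common log format and IPv4 clients; the function names, the /24 grouping, the threshold and the sample log lines are all constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import IPv4Address, ip_network

# Constructed sample in Apache common log format (documentation address ranges).
SAMPLE_LOG = """\
203.0.113.5 - - [14/Mar/2008:07:00:01 +0000] "GET / HTTP/1.1" 200 512
203.0.113.5 - - [14/Mar/2008:07:00:02 +0000] "GET / HTTP/1.1" 200 512
203.0.113.5 - - [14/Mar/2008:07:00:03 +0000] "GET / HTTP/1.1" 200 512
198.51.100.7 - - [14/Mar/2008:07:00:10 +0000] "GET /forum/ HTTP/1.1" 200 900
198.51.100.8 - - [14/Mar/2008:07:00:11 +0000] "GET /forum/ HTTP/1.1" 200 900
203.0.113.5 - - [14/Mar/2008:07:01:05 +0000] "GET / HTTP/1.1" 200 512
198.51.100.9 - - [14/Mar/2008:07:01:06 +0000] "GET /forum/ HTTP/1.1" 200 900
192.0.2.44 - - [14/Mar/2008:07:01:30 +0000] "GET /about.html HTTP/1.1" 200 300
truncated line without a timestamp
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "')

def parse(log_text):
    """Yield (ip, minute) per well-formed IPv4 line; skip anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ip = str(IPv4Address(m.group(1)))
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue
        yield ip, ts.replace(second=0)

def summarize(log_text, threshold=3):
    """Count requests per IP and per /24, and measure source churn per minute."""
    per_ip, per_net, per_minute = Counter(), Counter(), defaultdict(set)
    for ip, minute in parse(log_text):
        per_ip[ip] += 1
        per_net[str(ip_network(f"{ip}/24", strict=False))] += 1
        per_minute[minute].add(ip)
    minutes = sorted(per_minute)
    # Churn: fraction of a minute's sources absent from the previous logged minute.
    churn = [round(len(per_minute[b] - per_minute[a]) / len(per_minute[b]), 2)
             for a, b in zip(minutes, minutes[1:])]
    return {"heavy_ips": sorted(ip for ip, n in per_ip.items() if n >= threshold),
            "heavy_nets": sorted(n for n, c in per_net.items() if c >= threshold),
            "churn": churn}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

In the sample, 198.51.100.0/24 crosses the threshold although no single address in it does, which is the case where blocking a range catches what a per-IP limit misses; a churn value near 1.0 means per-IP blocks go stale quickly.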


