DDOS Attack - Account Suspended?

Discussion in 'Linux VPS/Dedicated - General' started by mmxp, Jul 8, 2007.

  1. mmxp

    mmxp New Member

    I've got an email from knownhost Abuse Dept about high CPU usage. Well, my VPS was under heavy attack for the past several days, and the attack IPs were from Japan, Korea and many South East Asian countries (hundreds of them, and more new IPs after some got banned!). I have tried everything to stop the attack, and it seems iptables was not so smart and DDoS-Deflate was not working well enough.
    Anyway, it seems alright now, but I begin to wonder: what if next time my VPS account gets another heavy attack for unknown reasons? What can I do to avoid high CPU usage when under attack? Of course, turning off the VPS will do (but isn't that what the attacker would love to see?), and I am sure once one attack takes effect, there will soon be another, so turning off the VPS won't really solve the problem. But if I keep the VPS on and try anything to stop the attack (maybe in vain), I have to take the risk that my VPS will use too much CPU and the VPS account might get suspended at any time by Knownhost technicians, especially when I am on a trip without a computer to know what's going on with my VPS.
    I am getting really puzzled now. I've heard that there is not much we can do against DDoS attacks. So if the VPS is being attacked, there are only two options for me: 1. turn off the VPS, or 2. keep the VPS on and wait to get suspended?
    Does anyone here have the same experience or any good suggestions?
     
  2. Nneel

    Nneel New Member

    It's a problem indeed.
    I didn't get any problems like that with webhost, but when we run IRC on an ircd shell, during a DDoS I restart the ircd shell frequently, so the ircd goes down.
    This way I sometimes got some good results.
     
  3. Caleb

    Caleb McDonald's Drywall Expert

    I've received plenty of these, one of which was a major one on knownhost, the others are on different hosts.

    Install ConfigServer firewall (free, google it) and configure the csf.conf to your needs. The CT_LIMIT option in the conf is the most helpful. When you are receiving an attack, set that limit fairly low, maybe 5-10, then restart csf. CSF will start banning IPs like nobody's business. I've been using this in conjunction with LiteSpeed web server lately and it has helped out tremendously with little to medium attacks.

    I wouldn't recommend leaving your VPS on too long during an attack because it may chew up your bandwidth past the limit. DDoS is the hardest thing I've ever had to deal with yet in servers/hosting, so don't feel bad that you feel helpless, I still feel that way at times. Just keep looking for solutions and tweaking your firewall to help. If all else fails, get rid of the site causing the problems; as much as this may hurt you, it will pay off.

    Also, it's better to turn the VPS off yourself than having KH shut it off for you....


    -Caleb
     
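What the CT_LIMIT setting Caleb mentions does under the hood, as an added example that is not part of his post or of csf's own code: csf's connection tracking counts the connections each remote IP holds open and blocks any IP over the limit. The POSIX shell functions below do the same count by hand over `netstat -ntu` output, so you can see which IPs a given limit would catch before you lower it on a live box. The netstat sample is constructed, the field positions assume netstat's layout, and the `iptables` rules are printed rather than executed.

```shell
#!/bin/sh
# Added example (not from the forum post, not csf's code): count connections
# per remote IP the way csf's CT_LIMIT check does, over "netstat -ntu" output.
# The sample below is constructed; field positions assume netstat's layout:
# Proto Recv-Q Send-Q Local-Address Foreign-Address State.

SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51237       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51238       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51239       ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.20:40001     ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.20:40002     TIME_WAIT
tcp        0      0 10.0.0.5:22             192.0.2.9:55000         ESTABLISHED
udp        0      0 10.0.0.5:53             192.0.2.9:55001         ESTABLISHED'

# over_limit LIMIT: read netstat lines on stdin, print "COUNT IP" for each
# remote IP holding more than LIMIT connections. TIME_WAIT sockets are not
# counted (csf skips them too when CT_SKIP_TIME_WAIT is on); the port is
# stripped from the end of the address so IPv6 peers are handled as well.
over_limit() {
    awk -v limit="$1" '
        $1 == "tcp" || $1 == "udp" || $1 == "tcp6" || $1 == "udp6" {
            if ($6 == "TIME_WAIT") next
            ip = $5; sub(/:[0-9]+$/, "", ip)
            seen[ip]++
        }
        END { for (ip in seen) if (seen[ip] > limit) printf "%d %s\n", seen[ip], ip }
    ' | sort -rn
}

# ban_rules LIMIT: emit the iptables rule for each offending IP. It prints
# the commands instead of running them, so the demo is safe on any box.
ban_rules() {
    over_limit "$1" | while read -r count ip; do
        printf 'iptables -I INPUT -s %s -j DROP   # %s connections\n' "$ip" "$count"
    done
}

# Demo: a limit of 5 flags only 203.0.113.7 (6 tracked connections);
# 198.51.100.20 has one live plus one TIME_WAIT and stays under it.
printf '%s\n' "$SAMPLE_NETSTAT" | over_limit 5
printf '%s\n' "$SAMPLE_NETSTAT" | ban_rules 5
```

Run it against a live box with `netstat -ntu | over_limit 5` to preview what a CT_LIMIT of 5 would ban. Note that a limit that low also catches a busy NAT gateway or a crawler, which is why Caleb only suggests it for the duration of an attack.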
  4. gameutopia

    gameutopia New Member

    Say a person had APF firewall, BFD, and DOS-Deflate installed and running already.

    If they wanted to switch to or try ConfigServer Firewall, I'm guessing they should turn off or disable the above first.

    That being the case, what would be the procedure for turning off the above and turning them back on if I decided I didn't like ConfigServer?

    Then would you have any tips or pointers for preferred settings for ConfigServer? Or is most of it preconfigured to work pretty well?

    Thanks.
    gameutopia
     
  5. ppc

    ppc Moderator

    I always thought that knownhost had a ddos prevention system in place on the whole network?
     
  6. Caleb

    Caleb McDonald's Drywall Expert

    In my case, csf was pretty well preconfigured, except you need to configure the TCP incoming/outgoing allowed ports section to suit your needs. For example, if you're using a DirectAdmin VPS, you'll need to put 2222 in those sections. For cPanel: 2082, 2083, 2086, 2087, 2095, 2096. Plesk: 8443.

    And I guarantee you will find other applications using ports that you will have to open. Just today I had to open a port that my IRC VPS was connecting to the network hub on.

    Afterwards just /etc/init.d/csf restart and you should be good to go. I don't believe dos-deflate or bfd will interfere but I believe there are instructions somewhere in the installation notes on using a script to uninstall or disable BFD. For APF, simply 'service apf stop' and to remove from startup do (I think) 'chkconfig --del apf' and you should be set. To enable csf at boot just do 'chkconfig --add csf'.

    To my knowledge neither C4D nor KH have any advanced DDoS prevention/protection/mitigation systems in place yet.


    -Caleb
     
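The csf.conf edits described in this thread (opening the control-panel ports from Caleb's last post and lowering CT_LIMIT from his earlier one), done with a script rather than by hand, as an added example that is not from the posts or from ConfigServer: the csf.conf fragment is constructed and written to a temp file so the edit can run anywhere, the helper names are hypothetical, and the APF-to-CSF swap commands are the ones from the post, collected in a function that is defined but not run because they need root on the VPS.

```shell
#!/bin/sh
# Added example (not from the post, not ConfigServer's code): script the
# csf.conf edits from the thread and collect the APF-to-CSF swap commands.
# The csf.conf fragment below is constructed (the real file has many more
# keys) and is written to a temp file; the helper names are hypothetical.

CSF_CONF=$(mktemp)
cat > "$CSF_CONF" <<'EOF'
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443"

# Connection tracking: connections per IP before it is blocked (0 disables)
CT_LIMIT = "0"
EOF

# csf_get KEY FILE: print the value between the quotes of KEY = "...".
csf_get() {
    sed -n "s/^$1 = \"\(.*\)\"/\1/p" "$2"
}

# csf_set KEY FILE VALUE: rewrite KEY's line. Uses temp file + mv rather than
# sed -i, which differs between GNU and BSD sed. VALUE is expected to be
# digits and commas only, so it needs no escaping for sed.
csf_set() {
    tmp=$(mktemp)
    sed "s/^$1 = \".*\"/$1 = \"$3\"/" "$2" > "$tmp" && mv "$tmp" "$2"
}

# csf_add_ports KEY FILE PORT...: append each PORT to KEY's comma-separated
# list unless it is already there, so re-running the script is harmless.
csf_add_ports() {
    key="$1"; file="$2"; shift 2
    list=$(csf_get "$key" "$file")
    for port in "$@"; do
        case ",$list," in
            *",$port,"*) ;;                       # already open, skip
            *) list="${list:+$list,}$port" ;;
        esac
    done
    csf_set "$key" "$file" "$list"
}

# The ports from the post: cPanel on both lists, DirectAdmin's 2222 inbound,
# plus 443 again to show an existing port is not duplicated.
csf_add_ports TCP_IN  "$CSF_CONF" 2082 2083 2086 2087 2095 2096 2222 443
csf_add_ports TCP_OUT "$CSF_CONF" 2082 2083 2086 2087 2095 2096

# Lower CT_LIMIT to the 5 suggested earlier in the thread for an attack window.
csf_set CT_LIMIT "$CSF_CONF" 5

# The swap-over sequence from the post. Needs root on the VPS, so it is only
# defined here and not run by the demo.
switch_apf_to_csf() {
    service apf stop
    chkconfig --del apf
    chkconfig --add csf
    /etc/init.d/csf restart
}

echo "TCP_IN   = $(csf_get TCP_IN  "$CSF_CONF")"
echo "TCP_OUT  = $(csf_get TCP_OUT "$CSF_CONF")"
echo "CT_LIMIT = $(csf_get CT_LIMIT "$CSF_CONF")"
```

Point `CSF_CONF` at the real `/etc/csf/csf.conf` (and keep a copy first) to use the helpers on a live box; after the edit, the post's `/etc/init.d/csf restart` is what makes the new lists take effect.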
