Being attacked by DDos

[bigjl]

Hi there,
One of my website has been getting ddos attack for a couple of months. The site is hosted on my dedicated server which managed under WHM.
The site is getting around 36k-47k hits everyday and the bandwidth is around 3-4G per day.
I found that litespeed has build-in feature for anti-ddos-attach so I installed a trial version on WHM.
But there is no getting better. The hits still come along and the bandwidth still goes high. Here is my configuration on Per Client Throttling.

Static Requests/second: 0
Dynamic Requests/second: 2
Outbound Bandwidth (bytes/sec): 0
Inbound Bandwidth (bytes/sec): 0
Connection Soft Limit: 5
Connection Hard Limit: 20
Block Bad Request: Yes
Grace Period (sec): 15
Banned Period (sec): 300

Intel i5 2.99
16GB RAM
2TB HDD Raid10
cPanel/WHM

Any suggestions?
Many thanks!

 

[mistwang]

Is the attack a GET flood? Can you tell which URL the botnet abuse?
For large scale attack, the built-in anti-DDoS may not able to stop, it is depends on the size of the botnet and how aggressive the robot behave.

Our antiDDoS proxy service will be live soon, maybe you can give it a try.

 

[anewday]

Set Static Requests/second to something around 5. 0 is unlimited.

 

[bigjl]

Is the attack a GET flood? Can you tell which URL the botnet abuse?
For large scale attack, the built-in anti-DDoS may not able to stop, it is depends on the size of the botnet and how aggressive the robot behave.

Our antiDDoS proxy service will be live soon, maybe you can give it a try.

Thnx mistwang,
I wonder how I know it is a GET flood?
There are huge amount of traffic going to the home page of the site "/"
The user agencies below had the most hits
check_http/v1.4.14 (nagios-plugins 1.4.14)
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2

 

[bigjl]

Set Static Requests/second to something around 5. 0 is unlimited.

Thnx anewday,
I have changed the setting and see if there is any improvement. Thank you.

 

[NeustarRick]

DDoS Protection

Unfortunately there is no way to protect your bandwidth usage at the permiter. The only way to fully protect your systems and your bandwidth usage is with a cloud based DDoS service like the one from Neustar (http://www.ultradns.com/ddos-protection/siteprotect/what-is-siteprotect).

Another tool set which you may want to look at is UltraTools.com which is 100% free.

Full disclosure I work at Neustar.

Rick

 

[mistwang]

Thnx mistwang,
I wonder how I know it is a GET flood?
There are huge amount of traffic going to the home page of the site "/"
The user agencies below had the most hits
check_http/v1.4.14 (nagios-plugins 1.4.14)
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2

We have a solution to detect if the request is sent by botnet or a real user, if detected botnet, our service will block those IPs at firewall level.
I recommend you sign up with our anti-ddos proxy service when it become available (probably this coming Monday).
It is free during our trial period.

 

[mistwang]

Our anti-DDoS proxy is up now, you can sign up at
https://store.litespeedtech.com/antiddos/cart.php

 

[bigjl]

Thanks mistwang for your reply.
My website is hosted in the UK and if I use your proxy does my website loading speed become slow?
Thanks

 

[mistwang]

The global WAN speed should be very fast those days, you can give it a try from your location by update "/etc/hosts" by pointing your domain to our proxy server, see if the speed is good.
I think it should be better than being taken down by botnet even if it was indeed slightly slower.

 

[bigjl]

I have got the proxy set up.
In the knowledge base, it says that "update your DNS record of that domain to point to “assigned IP”, which is proxy server IP".
Does it mean the nameservers or "A" record for www ?
Thanks

 

[mistwang]

A record for www.