DDoS from a few IPs

Discussion in 'Performance Tweaking' started by TheWarden, Jun 7, 2016.

  1. So I am getting this major problem: someone is DDoSing my server with individual IPs, which tend to go down when I IP-block them; however, he is able to constantly change his IP every hour. They also all end in XXX.XXXX.XXX.cloudfront.net. Is there a way to limit the amount of bandwidth per IP? Thanks!
  2. Tried blocking everything from *.cloudfront.net?
  3. That would be reverse DNS... interesting. I would recommend that you look into doing that if possible. Perhaps contact SYS and ask if it's possible.
  4. Funny tho, these IPs all seem to have .cdg50.r.cloudfront.net behind them, such as server-52-85-221-15.cdg50.r.cloudfront.net. They appear to be owned by Amazon.
  5. MikeA

    Are you sure it's an actual 'attack'? SYS would mitigate it if it detects it to be. Maybe contact Cloudfront/AmazonAWS and ask them to investigate? Grab a tcpdump maybe?
  6. It could be abuse of a service OP is hosting, but OVH's filter is known to not be perfect (though I haven't heard of problems with it for a long time).
  7. I know with SYS and Kimsufi you get the more crappy DDoS protection compared with OVH.
  8. The only difference is it's disabled until an attack is detected. This can cause problems, but they're small. It's a great offer considering the budget.
    This isn't the cause of OP's problem though, as OVH would've detected it.
  9. MikeA

    Right, that's my reason for mentioning, I get dozens of attack notifications each day and I never have actual traffic pass through the mitigation. At most 20Mbps or so. Maybe whatever is provided with SYS is different from the OVH main brand, I've never used any SYS servers that had attacks so I wouldn't know :-0
  10. I've actually lacked a good confirmation of OVH's new protection being good, this is useful information to me, thanks :)
  11. MikeA

    I'll give ya a test server for a bit if you want to confirm it yourself ;)

    Edit: I am speaking for the Game mitigation, by the way.
    #11 MikeA, Jun 10, 2016
    Last edited: Jun 10, 2016
  12. JamesJ


    CloudFront won't be attacking you.

    CloudFront is just like CloudFlare, it's a web CDN. Are you sure it's not some form of health check you've got set up / someone else has set up for you?
  13. No, I have one. Just needed word from someone who has received a lot of attacks and is knowledgeable on the subject.
  14. JamesJ


    Also, I forgot to mention.

    If you're hosting a website, with static content (images, css, js) it's possible that either:

    Someone is hijacking your content, and serving it from behind a CloudFront distribution.
    You've got a CloudFront distribution doing the same.

    This could be due to when CloudFront requests a large file from your server, it's going to increase your bandwidth usage, hence the spikes.
  15. I can guess he/she is using a Content Delivery Network perhaps.
    If possible, can you show me the netstat?

    netstat -na

    So that we would know whether it is really a DDoS attack.
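
One way to read the `netstat -na` output requested above, as an added example that is not part of the original thread: it tallies TCP connections per remote address and separates half-open (`SYN_RECV`) from completed (`ESTABLISHED`) ones, so a handful of peers holding established connections can be told apart from a pile of half-open handshakes. It assumes the Linux net-tools column layout; the function names and the sample rows are constructed for illustration (only 52.85.221.15 comes from the thread).

```shell
#!/bin/sh
# Added example: tally remote peers in `netstat -na` output (Linux net-tools columns).

# Constructed sample input. 52.85.221.15 is the address quoted in the thread;
# all other addresses are documentation-range placeholders.
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           52.85.221.15:41822      ESTABLISHED
tcp        0      0 192.0.2.10:80           52.85.221.15:41830      ESTABLISHED
tcp        0      0 192.0.2.10:80           52.85.221.15:41844      TIME_WAIT
tcp        0      0 192.0.2.10:80           203.0.113.7:50112       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.7:50113       SYN_RECV
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:198.51.100.20:3311 ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*
EOF
}

# Reads netstat -na on stdin and prints one line per remote address:
#   <total> <ip> syn_recv=<n> established=<n>
# sorted with the busiest peer first.
summarize_netstat() {
    awk '
        # TCP rows only; listening sockets have no remote peer
        $1 ~ /^tcp/ && NF >= 6 && $6 != "LISTEN" {
            remote = $5
            sub(/:[0-9]+$/, "", remote)     # drop the port
            sub(/^::ffff:/, "", remote)     # unwrap IPv4-mapped IPv6
            total[remote]++
            if ($6 == "SYN_RECV") syn[remote]++        # half-open handshakes
            if ($6 == "ESTABLISHED") est[remote]++     # completed connections
        }
        END {
            for (ip in total)
                printf "%d %s syn_recv=%d established=%d\n", total[ip], ip, syn[ip], est[ip]
        }
    ' | sort -k1,1nr -k2,2
}

# Live use on the server: netstat -na | summarize_netstat
sample_netstat | summarize_netstat
```
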
  16. I have something important to throw into the mix here. I didn't read the above comments, but I've done a lot of study on ddos and the laws surrounding it.
    #1 It is ILLEGAL to ddos anybody, and the results will be negative if you are found out. You can be made to serve Jail time or work public services, or you can be fined by the person you ddos'd.
    #2 it is LEGAL to ddos anybody, if you can show that they ddos'd you first. And it is easy to ddos, with a very small knowledge of Dos and Java.
    #3 if you are going to ddos, note that whoever is attacking you will likely be using a VPN, and his real IP address might be difficult to obtain. Don't ddos his internet service provider. ;)
    #4 I would recommend you buying a VPN, as this will serve to keep you safer from such attacks. I would personally recommend one called IPVanish. It's not expensive for its quality, and it is very user friendly.
    #5 I hope any of this helped. :)
  17. Here we go: http://pastebin.com/W4nXgXef

    More attacks :(
  18. Use OVH and turn on permanent mitigation?
  19. JamesJ


    Stop speaking out your arse.

    It's not legal to DDoS someone in retaliation.
    A VPN will not help him, his server is being DDoS'd. And even so, they don't make you safer. It just means your VPN's IP gets DDoS'd.
    It is illegal, well done, you got something right, however unless you are DDoS'ing on a massive scale (Anonymous, etc), you're not going to prison.

    Maybe next time stop and read the thread, then you won't look like such an idiot. Oh and don't speak on your arse, like you just did.