

DDoS attacks - how to safeguard my sites?




Posted by jamesbb2, 01-31-2015, 03:48 PM
Lately, I have been a victim of DDoS attacks. I don't know who is doing it or why. I recently put up Cloudflare protection too, but it doesn't seem to work well, as today my sites are down again because of DDoS attacks, as the hosting provider null-routed the IP. What is the cheapest way to protect myself against these attacks? I can't afford to pay $200-300 per month for DDoS protection. Are DDoS attacks directed to site URLs or server IP? I'm thinking of purchasing a new IP from the hosting provider, moving the sites on to the new IP, and having Cloudflare protection up so no one can find out this new IP. So if the attacks are directed to the IP then the attacker won't be able to find the new IP and hence won't be able to attack. Will this work? Urgent help needed.

Posted by Andei, 01-31-2015, 03:51 PM
Yes, that should pretty much work, if you get a new IP address which will be unknown to the public on top of which you'll put CloudFlare, then the attackers won't be able to obtain your real IP to target the DDOS at. Also make sure you don't leave any subdomains uncovered by cloudflare, as that's a very easy way to find your real IP (ie: ftp.yourdomain.com unprotected).

Posted by jamesbb2, 01-31-2015, 03:57 PM
A new IP will be of no use unless Cloudflare is hiding it, right? Because it will only take someone a second to find out the new IP unless it's hidden by Cloudflare. If I do this, is there ANY WAY that I can still get attacked? Or will it be impossible to attack my site after this?

Posted by Andei, 01-31-2015, 04:02 PM
A new IP without CloudFlare hiding it won't do much good, since if the guy or group attacking you is committed enough they'll just redirect the attack to the new IP address, so you MUST hide it behind CloudFlare. As to answer your last questions... well they could still run a scan on the range of IPs of your provider to find your site by accessing the IP directly, BUT that would take some real commitment to find you... an easy way to avoid this would be to block all traffic on port 80 except from cloudflare IPs (which they list somewhere on their site)... this would basically allow your site to be accessed ONLY via cloudflare... but I doubt anyone will be this committed to destroy your site...

Posted by jamesbb2, 01-31-2015, 04:07 PM
I'll do the following in this order:
- Buy a new IP.
- Hide it behind Cloudflare (free plan).
- Block all traffic except from Cloudflare IPs (how to do this exactly?)
- Ask the hosting provider to move the sites to this new IP.
All set now? Now it is virtually impossible to attack my site, right? Any drawbacks to me for blocking all traffic that is coming outside of Cloudflare?

Posted by jamesbb2, 01-31-2015, 04:11 PM
If I block all traffic right now except what is coming from Cloudflare and do not change the IP, will that prevent future attacks? Or must I change the IP first?

Posted by Andei, 01-31-2015, 04:14 PM
Yes.
Yes.
Can only be done if you have your own firewall, so not doable on shared/reseller hosting, but on VPS/Dedicated Server. You just block all traffic on port 80 from the firewall, and then whitelist the cloudflare IPs: https://www.cloudflare.com/ips
Yes.
It will be much harder but never impossible, nothing is ever impossible, especially online.
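
One way to do the port-80 allowlisting described in the post above, as an added example that is not part of the original thread: the script only prints the `ipset`/`iptables` commands so they can be reviewed before anything touches the firewall. The set name `cf-allow`, the inclusion of port 443 and the sample ranges (constructed documentation addresses) are assumptions; the real ranges come from https://www.cloudflare.com/ips.

```shell
#!/bin/sh
# Added example (not from the thread): print ipset/iptables commands that accept
# web traffic only from an allowlist of proxy ranges. Nothing is executed here.
SET_NAME="cf-allow"   # hypothetical set name
PORTS="80,443"        # thread says port 80; 443 is an assumption for proxied HTTPS

# Constructed sample input (documentation ranges, NOT Cloudflare's real list).
sample_ranges() {
    printf '%s\n' '# constructed sample' '192.0.2.0/24' \
        '198.51.100.0/24   # trailing comment' '203.0.113.999/24'
}

# Succeed only if $1 is a well-formed IPv4 CIDR such as 192.0.2.0/24.
valid_cidr4() {
    case "$1" in
        ""|*[!0-9./]*|*/*/*) return 1 ;;
        */*) ;;
        *) return 1 ;;
    esac
    addr=${1%/*}; len=${1#*/}
    case "$len" in ""|???*|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ""|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Read CIDRs on stdin, write the commands on stdout, report bad lines on stderr.
build_ruleset() {
    echo "ipset create $SET_NAME hash:net family inet -exist"
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "${line%%#*}" | tr -d ' \t\r')   # drop comments, blanks
        [ -n "$line" ] || continue
        if valid_cidr4 "$line"; then
            echo "ipset add $SET_NAME $line -exist"
        else
            echo "skipping malformed entry: $line" >&2
        fi
    done
    # Allowlisted sources first, then drop everything else on the web ports.
    echo "iptables -A INPUT -p tcp -m multiport --dports $PORTS -m set --match-set $SET_NAME src -j ACCEPT"
    echo "iptables -A INPUT -p tcp -m multiport --dports $PORTS -j DROP"
}

sample_ranges | build_ruleset
```

Feed it the downloaded IPv4 list in place of `sample_ranges`, check the output, then run the printed commands as root. IPv6 needs a second set created with `family inet6` and matching `ip6tables` rules.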

Posted by Andei, 01-31-2015, 04:15 PM
Even a minor DDOS attack can't be stopped by your software firewall, so an IP change would be needed anyway.

Posted by jamesbb2, 01-31-2015, 04:19 PM
I don't know if the server has any firewall or not. I will have to ask the hosting provider. But yes, the sites are on a VPS. Not shared hosting.

Posted by jamesbb2, 01-31-2015, 04:30 PM
My hosting provider claims that mostly DDoS attacks are targeted to the domain URL and not the IP. So changing the IP won't do me any good either. Is it true that the DDoS attacks are directed to the domain URLs or are they directed to the server IPs?

Posted by Andei, 01-31-2015, 04:34 PM
Your domain name is resolving to your IP address, so even if they target domain or IP, in the end it would still end up attacking your IP address. If your hosting provider does not realize this then it's very sad indeed.

Posted by Phil McKerracher, 02-05-2015, 08:12 PM
You don't say what your environment is and it makes a big difference. I found out the hard way that if someone starts hitting you on shared hosting or on a VPS with a "hosted" hypervisor like OpenVZ or Virtuozzo then there's not much you can do yourself, because there's no way to block a large number of IP addresses (attacks came from 300,000 different addresses in my case). In that environment, all you can do is ask the hosting company to help, and often they can't or won't do that - they will just ask you to leave because you're "using excessive resources". I moved to a VPS with a "bare metal" hypervisor such as Xen or KVM. That enabled me to run a "postscreen" filter on my postfix mail server and to use an "ipset" kernel-level filter to block IP addresses, triggered by fail2ban. My CPU usage has returned to normal and my logs are no longer filling up my disk with error messages. The attack on me was fairly mild - it didn't bring my sites or email down, it was just a nuisance. A larger attack would still be a problem and then I would have to get my hosting provider to block it further upstream. Changing IP address is only a short-term fix - the attack eventually followed me when I changed hosting companies.

Posted by Cipriano, 02-06-2015, 02:38 PM
Buying a new IP to hide it with CL will not help you more; your attacker(s) probably use a CloudFlare resolver to find your real IP.

Posted by andyt_porter, 02-06-2015, 08:42 PM
Cloudflare is a great option for your site. Here are a few recommendations to further secure your backend IP.
- Disable display_errors
- Use Remote Email
Mandrill is a great recommendation for a remote email sending service. The reason why it is advised that you use remote email vs. local email is so that people cannot view the headers of outgoing emails that would reveal the backend IP. Another suggestion is to get your provider to create an ACL to only allow Cloudflare connections to the backend IP.
Last edited by andyt_porter; 02-06-2015 at 08:48 PM.

Posted by waya, 02-06-2015, 11:48 PM
Pretty sure Mandrill exposes your IP, or so I heard.

Posted by Kloudy Day, 02-07-2015, 12:57 AM
If you buy hundreds of IPs, it won't do anything for you if you're going to hide/protect yourself by proxy servers (CloudFlare). Pretty sure CloudFlare will prevent such kind of attacks easily (from my experience). Change your DNS to CloudFlare and let it run there until the DNS records propagate completely. Even if CloudFlare didn't help, you can open up a ticket there and ask them and just block a range of IPs for the time being.

Posted by johneplow, 02-07-2015, 11:36 AM
In a VPS you can add additional safeguards.

Posted by real_mc, 02-10-2015, 05:20 AM
A few critical steps need to be taken to protect against huge DDOS attacks:
1. Change your IP addresses.
2. Move DNS and HTTP/HTTPS behind Cloudflare.
3. Do not send emails publicly from the new IP address space.
For 1 and 2 you are already aware. For point 3, you need to send out emails via a mail relay (not able to recommend any at the moment), very important, that supports hiding of specific lines in the mime header (see https://forum.ivorde.com/postfix-mta...rs-t19729.html). Make sure no email gets out of these boxes directly to destinations, but via a relay provider. This way, your servers SHOULD be protected in the future.
P.S.: If the attack continues on your current provider, additional steps might be needed. Hopefully you are done with the above.
Last edited by real_mc; 02-10-2015 at 05:28 AM.

Posted by andr0meda, 02-10-2015, 05:29 AM
Will this work out? http://www.crimeflare.com/cfs.html

Posted by mandrei99, 02-10-2015, 07:43 AM
I don't think crimeflare has up-to-date information ever since "origin.domain.com" is not used by CF any more, so no. It won't.


