DDoS Protection
braindev, 2019-06-04 20:03:53

Strange DDoS attack, what to do?

Hello, the situation is very strange. Someone is DDoSing my server. I was watching netstat/htop: everything looks fine in htop and there are no extra processes in netstat, but the funny thing is that the terminal lags unrealistically and everything takes a very long time to load. As I understand it, the Internet channel is clogged with something? The hoster blocked my VPS and wrote the following:

We are contacting you because, right now, your server is the target of an extremely large network attack. This attack has been detected and mitigated by our network to ensure the availability of your server.

And then they added that they had to disable the IP address of my server. What should I do? As soon as the IP is turned back on, that's it: after 2-3 minutes the server crashes. Before that, when they didn't attack so powerfully, htop and the rest weren't clogged, that is, there were enough resources. I assume they are clogging the Internet channel. What are the solutions to this problem? Changing the host? And as I understand it, since the attack is so powerful, they are hammering the IP address directly?
I did not notice any anomalies in the php-fpm/nginx/mariadb configs, but I want to note that when the attack was weaker, php-fpm complained that it lacked pm.max_children; I increased it and the error disappeared.
During the attack I also looked at access.log, but no suspicious GET requests were found. I also sat with iptables and banned a couple of SYN packets; judging by them, it was just port 22, the SSH protocol, on the server, but after banning the IPs and restarting iptables this did not help. I also tried watching with tcpdump: no unknown IPs were found, and htop still has enough resources. The site is behind Cloudflare / nginx+php-fpm.
Server specifications:
OS - CentOS 7
8 GB RAM, 4 cores, 200 GB SSD, 200 Mbit/s port
UNLIMITED Traffic
The attack has been going on for more than 24 hours.


2 answer(s)
AN, 2019-06-05
@AlekseyNikulin

1. Configure Nginx
2. Add Rate Limit
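
The two steps above, worked into an nginx configuration for a site that sits behind Cloudflare like the one in the question. This is an added example, not the answerer's own config; the zone names, limits, server_name, document root, the php-fpm socket path and the included Cloudflare IP file are assumptions.

```nginx
# Added example (not from the original post): per-client rate and
# connection limits in nginx for an origin proxied by Cloudflare.
# Zone names, paths and numeric limits are assumptions to tune.

http {
    # Behind Cloudflare, $remote_addr is a Cloudflare edge IP, so a zone
    # keyed on it would throttle all visitors as one client. Restore the
    # real client address first. /etc/nginx/cloudflare_ips.conf is assumed
    # to hold one "set_real_ip_from <cidr>;" line per Cloudflare range
    # (current list: https://www.cloudflare.com/ips/).
    include /etc/nginx/cloudflare_ips.conf;
    real_ip_header CF-Connecting-IP;

    # Shared-memory zones keyed on the (restored) client IP:
    # sustained 10 requests/second per IP, plus a concurrent-connection cap.
    limit_req_zone  $binary_remote_addr zone=per_ip:10m rate=10r/s;
    limit_conn_zone $binary_remote_addr zone=conn_per_ip:10m;

    # Throttled requests answer 429 instead of the default 503, so they are
    # easy to tell apart from real backend failures in access.log.
    limit_req_status  429;
    limit_conn_status 429;

    server {
        listen 80;
        server_name example.com;     # assumption
        root /var/www/html;          # assumption

        # Cheap static content: allow a burst of 20 and serve it immediately.
        location / {
            limit_req  zone=per_ip burst=20 nodelay;
            limit_conn conn_per_ip 20;
            try_files $uri $uri/ /index.php?$args;
        }

        # PHP is the expensive path (the pm.max_children pool from the
        # question): a smaller burst so a flood cannot exhaust php-fpm.
        location ~ \.php$ {
            limit_req  zone=per_ip burst=5;
            limit_conn conn_per_ip 5;
            fastcgi_pass unix:/run/php-fpm/www.sock;   # assumption
            fastcgi_index index.php;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }
    }
}
```

These limits only act on requests that actually reach nginx; a flood that saturates the 200 Mbit/s port has to be absorbed upstream (Cloudflare, the hoster's mitigation). Since the hoster reported traffic aimed at the server's IP itself, also restrict ports 80/443 at the firewall to Cloudflare's ranges so the origin cannot be reached around the proxy.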

braindev, 2019-06-10
@braindev

For anyone interested, here is the answer:
There was a very strange brute force, the most obvious kind there could be on port 22, but at the same time it added a bunch of sessions and processes, and also added a lot of cron tasks. Changing the SSH port helped a little, but then they got angry and started DDoSing with SYNs. For now I think tweaking iptables will solve it.
