Seriously Hacked – Help needed

Viewing 3 posts - 1 through 3 (of 3 total)
  • Author
    Posts
  • #614537
    jobsoldier
    Member

    Hello there,

    My page is suffering from massive DDoS and SYN flood attacks during the last five days; huge GET requests are coming every millisecond from various IPs (by proxies), and as a result the server load goes to maximum levels and the server goes down in seconds. The attacks are on the domain, and go to the DirectoryIndex (index.php). A blank index.html does not stop the attacks, but keeps the server running (because there is nothing displayed on the home page).

    The server is a dedicated box running Debian, Apache 2.2 & php5.

    I have dedicated 3 days to searching and trying, installed APF firewall, IPTables, modsecurity2, mod_evasive, but nothing from the software part is stopping this guy.

    After 2 days of continuous attacks, the hacker stopped the attacks for 4 hours, and mailed me with threats, gave me his mail and his Western Union details to send him payment in order to stop. Now he has started the attacks again.

    My advertisers and affiliates are complaining, and this is becoming very annoying, as I lost my usual silent life, have no sleep at all, and it has brought me a lot of anxiety. My page is my main source of income, a very crowded page with more than 5.000 visits per day, and I think this is what made it attractive to the hacker.

    My host said that they can’t do anything to help me with the attacks, and that I must find a firewall solution (which I tried and nothing worked out).

    I will be glad if someone can point me in the right direction or to a person who can help me get out of this nightmare. Has any of you had this kind of threat before? If yes, how did you react?

    I am almost sure that this is a DoS attack using the SYN flood method.

    Hope that someone here will help me out,
    Isaiah

    #792217
    Anonymous
    Inactive

    Hi,

    Please PM me your contact info to get more details… I might be able to help.

    #792228
    Anonymous
    Inactive

    I am not sure if I can help, it mostly happens if you have any open SSH user…. You need to block his IP.

    You can use this command over SSH to find the IPs which are sending the most requests:

    netstat -nut | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr

    If it is found that an IP has more than, say, 30 connections, the IP may be causing the attack.

    Try changing the passwords.
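
The per-IP connection count suggested in the last reply, as an added example that is not part of any post in this thread: it counts connections to one local port per remote address, reports how many of them are half-open (SYN_RECV, the state a SYN flood leaves behind), and lists only addresses above the threshold of 30 mentioned above. The function names and the sample data (documentation-range addresses) are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in `netstat -nt` column layout (documentation-range IPs).
sample_netstat() {
  echo 'Proto Recv-Q Send-Q Local Address Foreign Address State'
  i=0
  while [ "$i" -lt 35 ]; do
    echo "tcp 0 0 192.0.2.10:80 198.51.100.7:$((40000 + i)) SYN_RECV"
    i=$((i + 1))
  done
  echo 'tcp 0 0 192.0.2.10:80 203.0.113.5:51000 ESTABLISHED'
  echo 'tcp 0 0 192.0.2.10:80 203.0.113.5:51001 ESTABLISHED'
  echo 'tcp 0 0 192.0.2.10:8080 198.51.100.7:42000 ESTABLISHED'
  echo 'tcp 0 0 192.0.2.10:22 203.0.113.9:50022 ESTABLISHED'
}

# count_by_ip PORT MIN (hypothetical helper): reads netstat -nt lines on stdin
# and prints "total syn_recv ip" for every remote IP with more than MIN
# connections to local PORT, busiest first.
count_by_ip() {
  awk -v port="$1" -v min="$2" '
    # Match the local address exactly, so :8080 is not counted as :80.
    $1 ~ /^tcp/ && $4 ~ (":" port "$") {
      ip = $5
      sub(/:[0-9]+$/, "", ip)     # drop only the remote port; IPv6 forms survive
      total[ip]++
      if ($6 == "SYN_RECV") half[ip]++
    }
    END {
      for (ip in total)
        if (total[ip] > min)
          printf "%d %d %s\n", total[ip], half[ip] + 0, ip
    }
  ' | sort -rn
}

# On a live server: netstat -nt | count_by_ip 80 30
sample_netstat | count_by_ip 80 30
```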
