DDoS protection?

  1. #1
    Luuk Meijer (Apprentice, joined Jun 2013, 9 posts)

    DDoS protection?

    Hi all.

    Lately the website of our hotel became the victim of several DDoS attacks. It's been attacked like 4 times a day.
    http://i.imgur.com/YSq0HhU.png
    We run the website on a web server on a Linux server. The emulator and database are running on a Windows server. Both are hosted at OVH.
    OVH says they have an anti-DDoS system. This 'system' clearly doesn't work for us. I asked for an explanation, and this is the answer I got:
    Can you give us more details what method/kind of tools were used, that brought down your vps so I can discuss this with our network team. Of course our system is not 100% and the fight against abuse of our network is always a "cat and mouse"-game.
    That doesn't help us any further.

    We also bought a proxy service at XZnetworks with the thought: when skids don't have the server's IP address, they can't attack it. And the proxy filters out the attacks.
    The current traffic goes like this: Cloudflare > proxy server > web server. You would think the proxy server would filter the traffic...
    Nothing could be further from the truth. These skids say they don't need the server's IP, but just fill in the domain.
    I asked XZnetworks for an explanation. Their answer:
    Are you receiving any error message or anything? Our proxy will filter out any attacks aimed at the proxy, but if it's reaching your server directly there is nothing we can do.
    I'm not seeing any issues with your domain at this time.
    I'm not too sure what else I can suggest. The proxy works on a best effort basis. I would suggest chatting to your hosting provider when it goes down and see what they can detect.
    Perhaps they are lying to you? Can you try changing your server IP?
    Changing the IP address wouldn't be a solution for this problem, because the kids who DDoS us don't need the IP.


    SOOOO....

    What would you recommend us to do?
    One option may be changing to a Windows server where we can monitor the traffic data, block IPs, etc.
    Or Cloudflare? Which plan is the cheapest way to block DDoS attacks?


  2. #2
    FatalLulz (R.I.P Millercent, joined Nov 2012, Australia, 2,248 posts)

    Re: DDoS protection?

    Most likely the skid is attacking the attackprotect IP and flooding the given port you have. Or they could be flooding CloudFlare on the DNS you use. Best ask them what's happening as well.

    Do you use a HTTP and TCP or just a TCP..? I can recommend a cheap but highly reliable HTTP and TCP Bundle if you'd like.

  3. #3
    HyperFilter (RaGEZONE Sponsor, joined Sep 2013, The Netherlands, 22 posts)

    Re: DDoS protection?

    You shouldn't be mixing different mitigation systems; it will end up making everything worse than it has to be. A few considerations you should check are:

    1) You must decide whether to use CloudFlare or any other service you like. The main reason for this is that if you do "proxying of proxying" like your example above (A -> B -> Server), the B system will be confused trying to track the connections, since most of them will come from the same IP for the different users accessing your content. So while you think you are 'increasing' your protection, you are in fact making it more deficient.

    2) You must be aware that hosting the website on the same VPS or dedicated server as the game server opens a big vulnerability, considering that Apache (mainly Windows distributions such as XAMPP, WAMP, EasyPHP and so on) is exploitable. You must also take care of your PHP code, making sure it is not injectable in any way; otherwise your main IP (real IP) will be determined by exploiting the web service. A solution for this would be, for example, hosting your website on a real DDoS-protected web host: in that case, if the web host IP is attacked, neither your website nor your game server will be down, since both are in separate places. But if you can guarantee you have no ways of exposing your IP, a remote proxy is indicated, and maybe even a load balancer when you have a high load of users, to distribute them across different servers.

    Anyway, good luck; I hope you fix your problem.

  4. #4
    Lewislol (HostSavor.com, joined Jul 2013, 498 posts)

    Re: DDoS protection?

    A couple of my sites have been getting attacked with methods such as HTTP-GET, HTTP-HEAD, HTTP-POST and XML RPC lately.
    They don't even need your IP to do it; they use traffic or problems with your post submit fields (HTTP-POST).
    You would be best:
    - Blocking the user agent for WordPress.
    - Limiting connections to 10 / user.
    - Checking log files daily to see what pages are being abused so you can patch it.

    I have sent you a PM with more information.
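
A log triage along the lines of the three checks listed in the post above, as an added example that is not code from the thread. It assumes the web server writes combined-format access logs, uses constructed log lines, and counts requests per IP as a rough stand-in for the 10-connections-per-user figure.

```python
import re
from collections import Counter

# Combined log format (assumed); captures client IP, method, path and user agent.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def build_sample():
    """Constructed log lines (documentation IP ranges), not data from the thread."""
    ts = "[01/Oct/2013:10:00:00 +0000]"
    lines = [f'203.0.113.5 - - {ts} "POST /login.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"'
             for _ in range(12)]
    lines += [f'198.51.100.{i} - - {ts} "GET /index.php?r={i} HTTP/1.1" 200 512 "-" '
              f'"WordPress/3.6; http://blog{i}.example"' for i in (1, 2, 3)]
    lines.append(f'192.0.2.10 - - {ts} "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"')
    lines.append("truncated or malformed line")
    return "\n".join(lines)

def triage(log_text, per_ip_limit=10):
    """Summarise which pages are hit hardest and which clients stand out."""
    by_path, by_ip, wp_clients = Counter(), Counter(), set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # skip lines that are not in the expected format
        # Drop the query string so randomised parameters count as one page.
        by_path[(m["method"], m["path"].split("?", 1)[0])] += 1
        by_ip[m["ip"]] += 1
        # WordPress sends "WordPress/<version>; <site URL>" on pingback requests.
        if m["ua"].startswith("WordPress/"):
            wp_clients.add(m["ip"])
    return {
        "top_paths": by_path.most_common(3),
        "over_limit": sorted(ip for ip, n in by_ip.items() if n > per_ip_limit),
        "wordpress_ua": sorted(wp_clients),
    }

if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(key, value)
```

The `top_paths` entry shows which page to look at first, and the two client lists are candidates for a user-agent rule or a per-client limit on the web server.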

  5. #5
    MaxZeus (Unknown Place, joined Mar 2013, 592 posts)

    Re: DDoS protection?

    Originally posted by Lewislol:
    A couple of my sites have been getting attacked with methods such as HTTP-GET, HTTP-HEAD, HTTP-POST and XML RPC lately.
    They don't even need your IP to do it; they use traffic or problems with your post submit fields (HTTP-POST).
    You would be best:
    - Blocking the user agent for WordPress.
    - Limiting connections to 10 / user.
    - Checking log files daily to see what pages are being abused so you can patch it.

    I have sent you a PM with more information.

    Or you can use a proper L7 mitigation service, which will avoid all these attacks for you :)

  6. #6
    Lewislol (HostSavor.com, joined Jul 2013, 498 posts)

    Re: DDoS protection?

    Originally posted by MaxZeus:
    Or you can use a proper L7 mitigation service, which will avoid all these attacks for you :)

    Some people are just in retros to learn and don't want to spend much on a server.
    If this community wasn't full of people who want to go on a hotel threatening the owner with a booter, people wouldn't have to spend more than $20 a month to keep their hotel up and running.

    They can get a good enough patch for layer 7 attacks themselves; it may not work all the time, but it will stop most people who act hard with their little rage booter accounts.

    I have blocked the majority of these attacks on all of my own sites without spending a penny (apart from a little server to test the attacks on my site).

  7. #7
    MaxZeus (Unknown Place, joined Mar 2013, 592 posts)

    Re: DDoS protection?

    Originally posted by Lewislol:
    Some people are just in retros to learn and don't want to spend much on a server.
    If this community wasn't full of people who want to go on a hotel threatening the owner with a booter, people wouldn't have to spend more than $20 a month to keep their hotel up and running.

    They can get a good enough patch for layer 7 attacks themselves; it may not work all the time, but it will stop most people who act hard with their little rage booter accounts.

    This is correct, but for whoever can afford it, the problem will be solved :)


