Think I figured what the problem might be, definitely switch to IIS. Apparently, XAMPP comes with an XML-RPC extension and it is enabled on Windows by default. XML-RPC can be used to see stats like the number of users online, statistics, and probably your IP. Switch to IIS, and see if it stops, if not come back and let us know!Originally Posted by Bozzie
Source:
https://community.apachefriends.org/...c.php?p=163351
Switching to IIS will not stop L7 attacks, I highly doubt this kid who is attacking has even got his IP (my apologies if he has), since you're able to attack by domain.
The only thing OP will get when the attacker floods is "The Service Is Unavailable" meaning nobody will be able to access the site, if you're running your DB/Emulator on the same server it will cause lag for users, most users will disconnect. 80% of retros are still vulnerable to L7 attacks and most of them rely on "I'm Under Attack!" mode on CloudFlare. If the attacker is hosting his own server(s) he will still be able to bypass that.
There is a few ways you can stop this OP, if you haven't fixed it already and wish for it to be fixed, PM me.
Last edited by asesinato; 14-11-14 at 11:45 AM.
I've told all this to the OP already, but he can always try things, if he want to, it is his right doing so :D.
There are solutions indeed, whether he will want to adopt them or not, it is really up to him.
He did have the IP yes, I understand where you're coming from but when I previously got attacked by L7 it showed up in the access log he was using 'POST' and 'GET' methods to flood the site, this time there was none of that it's a genuine attack, previously my VPS wouldn't of shut down because he was only sending connections to the Website itself but now it does, Cloudflares 'Threat Control' is bobbins, but if you are willing to help me after i've said this then please reply to my message buddy.
- - - Updated - - -
Update on your suggestion; It didn't work i've upgraded to IIS got a new IP yet it's still getting booted, thanks for the support though.
@Bozzie
The first rule in this game is, don't ask for help to anyone, discuss everything in open places and you will be in less risk than privately trying to solve that (There are many reasons on that).
Also, try to go for the obvious solutions this way you will save a lot of efforts & time, which may lead you to lose of motivation.
And, well, protecting the website is just one of the points (CloudFlare is great as Cache and CDN, but not so great at mitigation), and don't forget to properly protect your game server too, as generally it will run over your real IP or another secondary IP.
Well to my knowledge I've set everything up correctly, I've been out of the retro scene for awhile so maybe there's new techniques to resolve the IP that I'm unfamiliar with...... I've set up my CF account set-up the DNS settings all correctly and also hidden the IP in the Client with the TCP IP I was provided with from the proxy server itself, now I don't know how else they can do it.... unless of course it's something in my CMS that's enabling them to get the IP but if it's that then I have no idea where to start. I know now it's not a Layer 7 attack i'm receiving (from previous Layer 7 attacks) it is the IP itself that is getting booted.
The real IP can be found through exploiting the web server and php files vulnerabilities too, and in this case, you need a forensics developer :)
As stupid as this may sound, maybe "shutdown" for a few days. If this prick sees that you've "given up", they might just stop. This will work great if you have other forms of communication with a decent amount of your users. Or if you have a small user base, get in touch with them, change the hotel name and domain.
It's because I'm above him in the Retros ranking hahahha, he's just a jealous fuck to be honest. I would do that but I hit 20 daily (well I used too until this prick starting booting me)
Either way try "shutting down" for a few days.
1. General is right, you are able to see IP's by typing in the netstat command. Anyhow that's not always going to work to find the person his real IP because he could also be covering himself by attacking via spoofed IP's. So that basically means that you're stuck untill you get the problem fixed or unless he stops the attack.
2. IIS Isn't going to work either, I've seen many people think that their stronger when they have IIS installed, because IIS does stop most of the attacks but not the big attacks, I've seen people throw strong attacks at hotels that run IIS and even that they where able to take down. So you can try it but when there's someone around that has a bigger attack then you're stuck again.
3. Listen to vLuke, I'm pretty sure that that's the solving to your problem, get a new server or request a different IP and start using other services other than only Cloudflare, because Cloudflare does his job well but not when you have your IP in your client, then they won't simply just help you because then their powerless against strong DDoS attacks.
Last edited by bugme; 14-11-14 at 11:11 PM.
As stated after a little bit of research on XML-RPC
XML-RPC is a simple, portable way to make remote procedure calls over HTTP. It can be used with Perl, Java, Python, C, C++, PHP and many other programming languages. Implementations are available for Unix, Windows and the Macintosh.
I will not add the Example of the code, but
When run, this program will connect to the remote server, get the state name, and print it.
So he's obv modified his code to grab a connecting i.p in some way.
Well all I can suggest to you since the guy has your real IP is to get an IP change from your host if possible if not move to another one so you have a whole new IP as there's not a lot you can do if he has your server IP address. If you have CloudFlare Business the $200 one, then you should be alright against Layer 7 attacks although I'd probably advise http://hyperfilter.com/ myself.
And as the others have stated, having both HTTP and TCP proxies will benefit your hotel a lot.
Patch XML RPC from wordpress useragent on ur IIS Manager.
And if it is too strong, it will cause 100% cpu usage and still crash IIS :) (of course, it works for small attacks, but not for big ones).
Reply With Quote