DDOS protection

Hello everyone.

I'm going to make this topic as detailed as I can because i've never been so stuck. Okay well basically yesterday my VPS got attacked, now this wasn't a problem since I bought Cloudflare PRO but all of a sudden a guy named 'Geo' came on and was able to get my IP now I don't have a clue how he did this, all he said was something about 'XML RPC' and if I didn't change my Cloudflare security mode to 'I'm under attack' he wouldn't of got it. Since then i've changed my Servers IP, but today once again he managed to get it, now I don't have a clue how.

What protection I have;

Cloudflare PRO (WAF Included)
HTTP Proxy
TCP Proxy

What my servers running on;

Xampp 1.7.3


DNS settings;

http://prntscr.com/560xxz


Now all I can think is it's something in the CMS enabling them to backtrack the IP somehow.... I honestly don't know. I have had problems in the past with Layer 7 attacks using the POST and GET method, but that's not a problem anymore instead my access showed me something way different it was the use of other websites I don't know unfortunately I deleted the logs because it was such a big file ( I will update this thread if it happens again) but yeah that's all I've got, i'm honestly so stuck I just want it to-be sorted so I can move along.

:
ANY help will be appreciated as i'm pickled right now. Thank-you. :love:

Buy http proxy.

eww interesting.

i do not have so much experience about ddos protection but as i know payment systems need a real ip if im not wrong to accept donation. i'm talking about API.

I would like to listen to experts opinion too

View the source of your client file and check to make sure your VPS IP isn't showing there. Check all config files too and even variables to ensure there's not even a single line with your IP on it that you may have missed out.

netstat -n will show all current active connections + port.

Quote:

---

Originally Posted by GrateZ4

On the photo your DNS isn't active. press active and save.

---

I have to make them grey for the HTTP Proxy, as suggested by the Host itself.

Quote:

---

Originally Posted by Terrum

View the source of your client file and check to make sure your VPS IP isn't showing there. Check all config files too and even variables to ensure there's not even a single line with your IP on it that you may have missed out.

---

That's all fine, I have a TCP proxy's IP in there so that's out the equation , and what do you mean by variables exactly? It's not a common error, it's been done through something i've never heard of before.

Quote:

---

Originally Posted by The General

netstat -n will show all current active connections + port.

---

But all the connections are passed through cloudflare then through my HTTP Proxy, they're all the same IP's are they not?

Netstat would not find out where the IP is being found though :P: Especially as it only shows incoming connections, not outgoing.

Quote:

---

Originally Posted by Bozzie

That's all fine, I have a TCP proxy's IP in there so that's out the equation , and what do you mean by variables exactly? It's not a common error, it's been done through something i've never heard of before.

---

By variables I mean in the external_variables.txt or your SWF's equivalent, because that can be sourced also.

My external_variables are all fine, I haven't been attacked since the Layer 7's which I also made a post on, this way of doing it is somehow by tinkering with cf, all the guys said was 'if you didn't change your security settings to 'I'm under attack' you would of been fine' and something along the lines of 'XML RPC'

Quote:

---

Originally Posted by Terrum

Netstat would not find out where the IP is being found though :P: Especially as it only shows incoming connections, not outgoing.

---

Please, leave this section if you know nothing.

https://computing.llnl.gov/tutorials...an/netstat.txt

Quote:

---

Originally Posted by The General

Please, leave this section if you know nothing.

https://computing.llnl.gov/tutorials...an/netstat.txt

---

Thank-you someone who got through to him!! he doesn't shut up. And I know where you're coming from with the netstat but he used something called XML RPC? Do you have any idea on what that is?

Pff all the h8 on this forum :D: All he's trying to do is help, give him some credit. Everyone gets things wrong n at least he's trying to help actively. Bozzie obviously has no idea what he's talking about either so he sharnt judge. But that aside, using XAMPP can be a big flaw for a start. Why not use IIS? So easy to change to :wink:

Quote:

---

Originally Posted by Spitty

Pff all the h8 on this forum :D: All he's trying to do is help, give him some credit. Everyone gets things wrong n at least he's trying to help actively. Bozzie obviously has no idea what he's talking about either so he sharnt judge. But that aside, using XAMPP can be a big flaw for a start. Why not use IIS? So easy to change to :wink:

---

Are you able to get the servers IP address through Xampp?

Quote:

---

Originally Posted by Bozzie

Hello everyone.

I'm going to make this topic as detailed as I can because i've never been so stuck. Okay well basically yesterday my VPS got attacked, now this wasn't a problem since I bought Cloudflare PRO but all of a sudden a guy named 'Geo' came on and was able to get my IP now I don't have a clue how he did this, all he said was something about 'XML RPC' and if I didn't change my Cloudflare security mode to 'I'm under attack' he wouldn't of got it. Since then i've changed my Servers IP, but today once again he managed to get it, now I don't have a clue how.

What protection I have;

Cloudflare PRO (WAF Included)
HTTP Proxy
TCP Proxy

What my servers running on;

Xampp 1.7.3


DNS settings;

http://prntscr.com/560xxz


Now all I can think is it's something in the CMS enabling them to backtrack the IP somehow.... I honestly don't know. I have had problems in the past with Layer 7 attacks using the POST and GET method, but that's not a problem anymore instead my access showed me something way different it was the use of other websites I don't know unfortunately I deleted the logs because it was such a big file ( I will update this thread if it happens again) but yeah that's all I've got, i'm honestly so stuck I just want it to-be sorted so I can move along.

:
ANY help will be appreciated as i'm pickled right now. Thank-you. :love:

---

Wait, the guy who told you about the "XML RPC" is he attacking you? Or is he just trying to help you, if he's just trying to help, why not ask him how he got it?

Quote:

---

Originally Posted by Terrum

Again with the judgements when you yourself are not perfect :D: FYI, I have many qualifications in Microsoft and CompTIA, and I fully well understand how Netstat works and of its features (unlike many kids on this forum would). But, tell me exactly how it would help in this matter? All it does is provide the foreign address - you'd get no use from that other than attempting to block it.


For someone who asks for support on a public forum, they're sure picky for whose side to be on. But then, looking at your location, I suppose that answers your maturity.

OT: Use Google to find out what XML RPC is - http://bit.ly/1EApAwU

---

If I have a connection to a hotel, I have a outgoing connection. Netstat lists active sockets (sure, still depending on the flag but -n I mentioned does). U stated it would only lists incoming connections which is not true.

And whatever qualifications you have in real life don't count on the internet. I'm a Apache helicopter pilot and also a special ops for Swede in my free time.

- - - Updated - - -

Quote:

---

Originally Posted by Wreckless

Wait, the guy who told you about the "XML PRO" is he attacking you? Or is he just trying to help you, if he's just trying to help, why not ask him how he got it?

---

Because people want to do it the hard way, always.

Quote:

---

Originally Posted by Wreckless

Wait, the guy who told you about the "XML PRO" is he attacking you? Or is he just trying to help you, if he's just trying to help, why not ask him how he got it?

---

He said XML RPC, and no unfortunately he's the one attacking, i'm going to attempt to use IIS and get an IP change. I will update the tread if I am able to solve it :)