gabidi - 5:59 pm on Oct 21, 2010 (gmt 0)
@incrediBILL has good advice. Upgrading to high-performance servers, while a nice gesture, is not going to do anything in the face of a full-fledged DDoS attack.
I just got out of another DDoS last week and I can tell you what I've learned so far:
1- Server Side Measures (Linux):
Put your server on DEFCON 3 until the attack subsides:
- Install DDoS Deflate and set it to a lower limit for connections per IP. DDoS Deflate is a cron job that bans IPs that exceed a certain connection limit.
- Install CSF/LFD and also put it in lockdown mode; especially, stop answering ICMP requests and, considering your customers are mainly from the EU, block suspicious country IPs based on GeoIP info (integrated in CSF).
- Minimize processes running on your box for the duration of the attack to free up resources.
Depending on the depth and strength of the attack, server-side measures can be enough to get you through it, but for a full-fledged attack you need to move mitigation as far up the network level as you can.
2- Network Measures:
- Most sophisticated hosts have TMS (threat management systems): basically very expensive routers that can do pattern identification and filtering at the gigabit level, something your box / average commercial firewall will not be able to handle.
You need to contact your host and tell them to route your traffic through their TMS system.
Monitor your box and, as DDoS Deflate updates its list of banned IPs, supply these IPs to your host so they can block them at the network level, freeing your box from having to deal with the requests completely.
Then clear your deny list and repeat; within 24 hours you should have the most offensive IPs on the network blacklist, and the host's TMS should start recognizing patterns and auto-banning the most havoc-wreaking IPs.
At this point the attack might continue; eventually, as the attacker's resources get blocked and he recognizes that your box is still doing fine (site is up), he'll stop and try to salvage whatever bot IPs he still has under his control that haven't been blacklisted yet for his next victim.
3- ** KEEP IN TOUCH WITH YOUR CLIENTS **
The worst of the fallout of an unmitigated DDoS attack can present itself in terms of customer expectations not being met. Customers see your site is offline, customers don't get emails answered, etc.
Try to reach out to your clients (tweet, Facebook, call, etc.) and tell them what's going on. This is the single most important step to manage clients' expectations and minimize the financial fallout from a DDoS attack, which can last weeks after the attack has stopped!
4- Don't give in.
No matter what you do, don't pay up. You'll be the new donkey to ride on IRC channels.
5- Once the attack is over, relax security measures.
The measures above will 100% block out some good traffic (Googlebot, syndication scrapers, etc.). While Googlebot should be the last thing on your mind during a DDoS, after the attack is done you want it to crawl your site to its heart's content.
Good luck and Godspeed :)
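As an added example (not code from the post, and not from the DDoS Deflate or CSF projects), here is what steps 1 and 2 of the post amount to in Python: count connections per remote address from `netstat -ntu` output the way DDoS Deflate does (but without breaking on IPv6 or IPv4-mapped addresses), flag addresses at or above a connection limit, render the `csf -d` deny commands, and keep track of which addresses have already been handed to the host so each "report, clear the deny list, repeat" cycle only passes on new ones. The sample netstat lines, the limit of 3, and the ignore list (loopback plus an assumed 10.0.0.0/8 server LAN) are all constructed for the demo.

```python
"""Connection-count banning in the style of DDoS Deflate, plus a hand-off
ledger for the host's network team. Added example; not the post's code and
not the DDoS Deflate or CSF code. Thresholds, ignore list and sample
netstat output are assumptions made for the demonstration."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample in the shape of `netstat -ntu` output (not captured from a real box).
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             198.51.100.23:51234     ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.23:51235     ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.23:51236     SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:40001       ESTABLISHED
tcp        0      0 10.0.0.5:443            203.0.113.9:40002       ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.77:55000        ESTABLISHED
tcp        0      0 127.0.0.1:3306          127.0.0.1:44444         ESTABLISHED
tcp        0      0 127.0.0.1:3306          127.0.0.1:44445         ESTABLISHED
tcp6       0      0 ::ffff:10.0.0.5:80      ::ffff:198.51.100.23:51237 ESTABLISHED
tcp6       0      0 2001:db8::5:80          2001:db8::bad:1:60000   ESTABLISHED
udp        0      0 10.0.0.5:53             198.51.100.23:9999      ESTABLISHED
"""

# Assumed ignore list: loopback and the server's own LAN (DDoS Deflate keeps a similar file).
DEFAULT_IGNORE = (ip_network("127.0.0.0/8"), ip_network("10.0.0.0/8"), ip_network("::1/128"))


def parse_foreign_ips(netstat_text):
    """Return the remote address of every socket line in `netstat -ntu` output.

    Equivalent to DDoS Deflate's `awk '{print $5}' | cut -d: -f1`, except that
    the port is stripped at the LAST colon and IPv4-mapped IPv6 addresses are
    folded back to IPv4, so one attacker is not counted as two addresses.
    """
    ips = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue  # banner and header lines
        host, _sep, _port = fields[4].rpartition(":")
        try:
            addr = ip_address(host)
        except ValueError:
            continue  # not an address we can parse; skip rather than ban garbage
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        ips.append(str(addr))
    return ips


def count_connections(netstat_text, ignore=DEFAULT_IGNORE):
    """Connections per remote address, skipping anything in the ignore networks."""
    counts = Counter()
    for ip in parse_foreign_ips(netstat_text):
        addr = ip_address(ip)
        if any(addr in net for net in ignore if net.version == addr.version):
            continue
        counts[ip] += 1
    return counts


def offenders(counts, limit):
    """Addresses at or above the limit, busiest first (DDoS Deflate bans at >= NO_OF_CONNECTIONS)."""
    hits = ((ip, n) for ip, n in counts.items() if n >= limit)
    return sorted(hits, key=lambda item: (-item[1], item[0]))


def csf_deny_commands(offender_list):
    """Render `csf -d IP comment` lines; `csf -d` is CSF's permanent-deny command."""
    return [f'csf -d {ip} "{n} connections during DDoS"' for ip, n in offender_list]


class HostHandoff:
    """Remembers which addresses were already passed to the host's TMS team,
    so that after clearing the local deny list and re-running, only new
    addresses are reported (the post's "clear your deny list and repeat")."""

    def __init__(self):
        self.reported = set()

    def new_for_host(self, offender_list):
        fresh = [ip for ip, _n in offender_list if ip not in self.reported]
        self.reported.update(fresh)
        return fresh


if __name__ == "__main__":
    counts = count_connections(SAMPLE_NETSTAT)
    bad = offenders(counts, limit=3)  # assumed limit, far below DDoS Deflate's default
    for cmd in csf_deny_commands(bad):
        print(cmd)
    print("send to host:", HostHandoff().new_for_host(bad))
```

Run once per cron tick (DDoS Deflate defaults to every minute); in a real deployment the `print` calls would become `subprocess.run` on the rendered `csf` command and a mail or ticket to the host, and the limit should be tuned against a baseline of normal per-IP connections so NAT'd customer offices are not caught along with the bots.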