homepage Welcome to WebmasterWorld Guest from
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member

Visit PubCon.com
Home / Forums Index / WebmasterWorld / Webmaster General
Forum Library, Charter, Moderators: phranque & physics

Webmaster General Forum

DDoS attack - drives me crazy
IIS Server, multiple IP's, browser based, Russian
Zaphod Beeblebrox

 4:14 pm on Jan 14, 2008 (gmt 0)

Since lasty night my server is under DDoS-attack from multiple IP's. They're generating 2000+ pagerequests a second which completely messes up my dedicated server.

In the IIS-logfiles I can see that without exception these requests are generated by a browser, not a bot. Also, most of them have +ru in the browser string, which suggests they're from Russia.

Has anyone seen this before, and more importantly - does anyone have any advice as to how I could stop this?

Some examples:

2008-01-14 16:02:40 <ip removed> GET / - 80 - <ip removed> Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+ru;+rv: - 403 0 195 4890
2008-01-14 16:02:40 <ip removed> GET / - 80 - <ip removed> Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+ru;+rv: - 403 0 195 4890
2008-01-14 16:02:40 <ip removed> GET / - 80 - <ip removed> Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+ru;+rv: - 403 0 195 4890

[edited by: physics at 8:09 pm (utc) on Jan. 14, 2008]
[edit reason] ips removed [/edit]



 4:31 pm on Jan 14, 2008 (gmt 0)

Zaphod Beeblebrox, keep in mind that the user agent can be spoofed in order to make it look like a legitimate browser instead of a pesky bot.

As I'm not too familiar with IIS, but somewhat familiar with Apache, look around to find a way to block by the subnet address, maybe blocking all of <ip removed>.* with a 403 status code (forbidden). Good luck, also, check out [webmasterworld.com...]
for IIS hints on blocking by address range.

[edited by: physics at 8:08 pm (utc) on Jan. 14, 2008]

Zaphod Beeblebrox

 4:49 pm on Jan 14, 2008 (gmt 0)

Hi Jake,

the <ip removed> IP-number is my server, the other ones (<ips removed>) are from the Russians. And there are literally thousands of them, so blocking them is not an option.

Apart from that I would have to block them at an earlier stage, since blocking them in IIS would still drive their traffic to my site.

I just hope that by tomorrow they will have gotten weary and just stop...

[edited by: physics at 8:08 pm (utc) on Jan. 14, 2008]


 8:10 pm on Jan 14, 2008 (gmt 0)

Wow, the president of the galaxy in our forum!

You may want to contact your host about this... they may be able to filter the traffic at a higher level.

Zaphod Beeblebrox

 8:27 pm on Jan 14, 2008 (gmt 0)

Yes, the worst dressed sentient being in the known universe... ;-)

I triend contacting my ISP, but since the requests come from thousands of different IP's they cannot block it.


 8:45 pm on Jan 14, 2008 (gmt 0)

If you make a living out of your site, you might consider seeking help from one of the few specialized companies in DDoS protection. They may be costly, though, so it's a ratio of cost vs benefice of course. But in an emergency they can re-route your traffic in an hour or so without moving your servers, or if those attacks are regular they can host you.

I don't know the policy about naming vendors on this boards, being new around here, but if you PM me I'll give you a good name. Or if I'm allowed too, I'll post it here.

Zaphod Beeblebrox

 9:07 pm on Jan 14, 2008 (gmt 0)

Thanks, Jerome, but paying a lot of money simply isn't an option. I do host some 15 small sites on that server, but most of these are my own little projects and the rest are not nearly enough to make anything remotely resembling even a whiff of a living.

Thing is that it's also my test/demo server for ongoing development projects, and that's where my main pain lies, at the moment - apart from the fact that I'm paying for the darned thing without being able to use it at the moment.

I can understand why they'd want to attack sites of banks or other high-profile websites, but it's completely beyond me why they'd go for a server with marginal websites that serves maybe 100 pages a day...


 9:52 pm on Jan 14, 2008 (gmt 0)

Is your server dedicated or shared? They might be attacking someone else on the server if it's shared? Or it may be a test... someone looking to rent a botnet picked up a random domain to test it out before actually paying for it...

Zaphod Beeblebrox

 10:22 pm on Jan 14, 2008 (gmt 0)

See post one - dedicated... ;-)

And it's only targeting one specific domain hosted on it, with some fallback to my main site which can also be reached by just using the IP-number as URL.

Just tested briefly turning on IIS again - 6000 pagerequests in 4 seconds...


 10:33 pm on Jan 14, 2008 (gmt 0)

The only reliable way to stop this is firewalling them. Letting your IIS server send a 403 response may already give a too high load on the server.

Don't know about your host, but my host has an option to rent a personal hardware firewall between my dedicated server and the internet. That might be an option, although it could mean some downtime and new IP addresses for your server.

If the requests are mainly for one site, and they are hostname based, you could change the DNS settings for that one site to a non existent number (or to one of the attacking IPs causing the attack to backfire on them ;)) (this takes some time because their DNS cache has to timeout). Also shutting down that one domainname on your server might be an option. The traffic will still come in, but IIS will hopefully not need much resources to process them.

Zaphod Beeblebrox

 10:43 pm on Jan 14, 2008 (gmt 0)

Hi Lammert, a firewall wouldn't work because there's no waty of determining which requests are legitimate and whic aren't.

I could change the DNS settings, but that would be a temporary solution with the same level of effectiveness as shutting IIS down completely.

The other site being hit is my own main site, and without those two there's not much worth mentioning going on on that server.

Shutting down the site being hit worst was one of the first things I tried, with no discernable effect whatsoever, unfortunately...

Changing IP-addresses also wouldn't work since they're directly requesting '/index.php', which indicates they're not approaching the server based solely on IP-number, but rather through a URL...



 10:48 pm on Jan 14, 2008 (gmt 0)

Even though there are many IPs you should try to track down if all of the ips belong to a specific company. Then contact them and complain and include some relevant log files.

Regarding why is this happening ... maybe someone typed the wrong .com into their ddos script!? Or maybe you're beating them in the serps?

In any case you may be able to block all traffic from that country for a while until this situation dies down. You may want to start shopping for a host who will help you with this.


 10:56 pm on Jan 14, 2008 (gmt 0)

A firewall can help if you know that the attackers are mainly from one geographical region. You can block a handful of A-blocks in the firewall (AAA.0.0.0 to AAA.255.255.255) which is crude and will block access for a group of legitimate users, but the server will be available for others.

Linux installations have the iptables kernel firewall on board, which can be easily programmed via the command line to ignore single or a group of IPs. Works flawlessly on my dedicated server because incomming requests are dropped in the earliest possible stage. There is practically no load on the server, only bandwidth saturation may occur.

Windows servers have about the same facility to block ranges of IPs. It is called "IP security policy management". If you're interested, I can send you a sticky with an URL where you can find how to configure it. I think it is not allowed to post the URL here.

Zaphod Beeblebrox

 11:30 pm on Jan 14, 2008 (gmt 0)

Why does this site have the 'Preview' button on the left? Now I have to retype the whole thing!

@physics - we're talking about tens of thousands of IP's...that's a lot of companies!

@lammert: dankjewel. I won't be able to block them on the first digit alone, since 91.138.* is Ukraine, where traffic comes from, but 91.1.* is Germany, which I don't want to block.

Guess I'll have to check the IP2Country database...

Zaphod Beeblebrox

 12:07 pm on Jan 15, 2008 (gmt 0)

Well, it stopped as suddenly as it started...phew, am I relieved!

Global Options:
 top home search open messages active posts  

Home / Forums Index / WebmasterWorld / Webmaster General
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved