DoS Attack

         

expat123

3:46 pm on Aug 25, 2007 (gmt 0)

10+ Year Member



My site has been experiencing a DoS attack for the last 24 hours. My ISP says I will have to wait it out and cannot offer any other assistance.

Any recommendations on what I can do? I suspect I need a better ISP in the future. Any suggestions?

stapel

7:19 pm on Aug 25, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



expat123 said: My site has been experiencing a DoS attack for the last 24 hours. My ISP says I will have to wait it out and cannot offer any other assistance.... I suspect I need a better ISP in the future. Any suggestions?

Since a "denial of service" attack is generated from outside the site, there may be little your host can do. (I have a feeling that you mean "server host", not "Internet Service Provider", when referring to the entity hosting your site.)

What does your server admin say?

Eliz.

expat123

7:33 pm on Aug 25, 2007 (gmt 0)

10+ Year Member



Yes, I mean server host. They say to shut down Apache until the attack stops.

They also want to change the server's IP address in case the IP rather than host is being attacked.

Another hosting company said they could potentially filter packets using some routing device but at a very high price.

jdMorgan

9:21 pm on Aug 25, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



> They also want to change the server's IP address in case the IP rather than host is being attacked.

The fact that they don't know indicates a state of cluelessness...

Start looking for a host that provides a basic firewall between your server and the network. Such a device can easily block most DOS attacks, and should not cost *you* anything, since the host should do it to protect all of their customers (and themselves).

Jim

[edited by: jdMorgan at 9:22 pm (utc) on Aug. 25, 2007]

expat123

2:33 am on Aug 26, 2007 (gmt 0)

10+ Year Member



My server host company is Verio. Rackspace quoted me a very high price for an Intrusion Detection System (IDS).

Can anyone recommend a hosting company who can deal with a DoS attack?

woop01

5:17 am on Aug 26, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



We use them ourselves but Rackspace quotes a very high price for pretty much everything.

expat123

2:35 am on Aug 27, 2007 (gmt 0)

10+ Year Member



The attack is continuing now for roughly 60 hours.

I found 11,000 unique IP addresses in 7M of log files but there was 600M of log files total for that day by the time Apache was stopped.

I am moving my server to Rackspace but that will take a few days.

Rackspace can offer a firewall but can any firewall be configured to resist this type of attack?
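
An added example, not part of expat123's post: a short Python script that makes the kind of tally described above (unique client addresses and requests per address) from Apache access log lines. The sample lines are constructed and use documentation address ranges; the function name `summarize` and the threshold value are assumptions.

```python
import re
from collections import Counter

# Apache common/combined log format: the client address is the first field,
# then identd, user, [timestamp], "request line", status and size.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample input (not taken from the thread).
SAMPLE = """\
192.0.2.10 - - [26/Aug/2007:14:00:01 +0000] "GET / HTTP/1.1" 200 5120
192.0.2.11 - - [26/Aug/2007:14:00:01 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.7 - - [26/Aug/2007:14:00:01 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.7 - - [26/Aug/2007:14:00:02 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.7 - - [26/Aug/2007:14:00:02 +0000] "GET / HTTP/1.1" 503 310
203.0.113.5 - - [26/Aug/2007:14:00:02 +0000] "GET /about.html HTTP/1.1" 200 2048
203.0.113.9 - - [26/Aug/2007:14:00:03 +0000] "GET / HTTP/1.1" 503 310
this line is truncated
""".splitlines()

def summarize(lines, per_ip_threshold=3):
    """Tally requests per client address and per requested path.

    per_ip_threshold is an assumed cut-off for this sample; set it from the
    site's normal traffic before using the result to build block rules.
    """
    per_ip, per_path, skipped = Counter(), Counter(), 0
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            skipped += 1              # malformed or truncated line
            continue
        per_ip[m["ip"]] += 1
        per_path[m["path"]] += 1
    total = sum(per_ip.values())
    heavy = sorted(ip for ip, n in per_ip.items() if n >= per_ip_threshold)
    # Share of all requests sent by the heavy addresses. A low share with a
    # high unique-address count means the load is spread thinly over many
    # sources, so blocking individual addresses removes little of it.
    heavy_share = sum(per_ip[ip] for ip in heavy) / total if total else 0.0
    return {"requests": total, "unique_ips": len(per_ip), "heavy_ips": heavy,
            "heavy_share": round(heavy_share, 2), "skipped": skipped,
            "top_path": per_path.most_common(1)}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```
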

Gian04

3:29 am on Aug 27, 2007 (gmt 0)

10+ Year Member



Can someone please explain to me what a DoS attack is and how it is done?

expat123

4:50 am on Aug 27, 2007 (gmt 0)

10+ Year Member




I received a message from the attacker. They want me to make changes to my site before the attack stops. What would you do?

DoS means Denial of Service. In my case, my web server is being saturated with thousands of fake requests making it impossible for legitimate traffic to get through.

A DDoS attack is a distributed denial of service attack where the attacker commandeers hundreds/thousands of computers to send requests.

My server is undergoing a DDoS attack. Here is a diagram I found:

                    *----------*
                    ¦          ¦
                    ¦ Attacker ¦
                    ¦          ¦
                    *----------*
                         ¦
                         ¦
                    *----------*
                    ¦          ¦
                    ¦  Client  ¦
                    ¦          ¦
                    *----------*
                         ¦
                (commands to nodes)
                         ¦
     *------------*------*------*------------*
     ¦            ¦             ¦            ¦
     ¦            ¦             ¦            ¦
     v            v             v            v
*----------* *----------* *----------* *----------*
¦          ¦ ¦          ¦ ¦          ¦ ¦          ¦
¦   Node   ¦ ¦   Node   ¦ ¦   Node   ¦ ¦   Node   ¦
¦          ¦ ¦          ¦ ¦          ¦ ¦          ¦
*----------* *----------* *----------* *----------*
      \            \           /            /
       \            \         /            /
        \            \       /            /
         (any number of floods or attacks)
          \           \     /           /
           \           \   /           /
            \           \ /           /
             V           V           V
             *-----------------------*
             ¦                       ¦
             ¦        Victim         ¦
             ¦                       ¦
             *-----------------------*

Gian04

9:25 am on Aug 27, 2007 (gmt 0)

10+ Year Member



How can they make thousands of fake requests?

> attacker commandeers hundreds/thousands of computers to send requests.

Is it literal computers? And how will they do it? Let's say they have 2000 computers: will they open a browser on each computer and surf your site?

Samizdata

11:07 am on Aug 27, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



> I received a message from the attacker. They want me to make changes to my site before the attack stops.

You have obviously upset somebody with what you published (not necessarily a bad thing).

> What would you do?

It would depend on what was published and what was in the message...

callivert

11:17 am on Aug 27, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



> They want me to make changes to my site before the attack stops. What would you do?

If it were me, my blood would be boiling at this point, and I would be spending every waking hour on plotting ways to counterattack, either online or offline. But that's me.

Samizdata

3:04 pm on Aug 27, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



> I would be spending every waking hour on plotting ways to counterattack

That would be me too, but with respect to the OP, the details of this case remain unclear.

To look at it another way, if I found a website that:

a) Copied my content and refused to remove it

b) Falsely and deliberately accused me of criminal activity

c) Faked images or video intended to defame my character

then my ways of counterattack might include methods that I would normally condemn.

If the OP is an innocent victim he surely has my sympathy.

The contents of the attacker's message would make interesting reading.

expat123

3:37 pm on Aug 27, 2007 (gmt 0)

10+ Year Member



I recommend that webmasters consider what they will do and have a plan in place when a single person with DDoS knowledge decides they don't like the content on your site.

LifeinAsia

3:52 pm on Aug 27, 2007 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



> I received a message from the attacker. They want me to make changes to my site before the attack stops.

Sounds like blackmail to me. Not that it will do any good, but since you've been contacted by the initiator, you may want to try getting the local authorities involved.

Unless, of course, you did something unlawful to provoke the attack in the first place (like scraping someone's content).

expat123

5:48 pm on Aug 27, 2007 (gmt 0)

10+ Year Member



It is interesting how the discussion drifts towards me rather than on how to stop the attack.

This is one reason why I recommend having a plan in place because there won't be much help when it happens. It's better to be prepared especially having the right infrastructure in place beforehand and a good hosting company. I am making the changes now.

nomis5

6:07 pm on Aug 27, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Expat, It's drifting towards you because so far we are a tad short on details. Can you confirm that the content is not scraped? Because if it is, you might do A to prevent a DoS attack but if it is not scraped, you might do B to prevent a DoS attack. It is crucial to the discussion.

expat123

6:10 pm on Aug 27, 2007 (gmt 0)

10+ Year Member



It's not an issue with another webmaster such as scraping. I am caught between two types of users on my site.

There will be complaints no matter what I do.

Samizdata

7:00 pm on Aug 27, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



> There will be complaints no matter what I do

Complaints are one thing, DDoS attacks are another.

You may not want to elaborate on the details, but from what you say the message you received sounds like a clear case of extortion that should probably be addressed through legal channels.

A move to a decent webhost should deal with the actual attacks.

jomaxx

8:00 pm on Aug 27, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



This is news, and if you're feeling brave you might want to hold your ground and issue a press release quoting the exact threat. It obviously depends on the specifics of your situation, but it could benefit you in the long run, once you have protection in place and/or the attacker eventually gets bored.