It requires special infrastructure and skills.

I'm aware, I used to be a partner in a hosting company for years, I've done more than a few DDOS mitigations. :)

Most of the time we were able to shut down a DDOS ourselves but on a few occasions when it was too big for us to handle, we had some customers that were high value targets, we simply called the upstream provider (like Level3) and they took care of the problem. Sometimes resolution was just a few minutes, in a couple of really bad cases a couple of hours, but it was always resolved.

Today it doesn't require so much skill, except to install one of the many off-the-shelf hardware or software solutions or simply find hosting solutions that provide it already.

Like I said, if your host can't do it shop around, it ain't rocket science and there are lots of DDOS solutions and services currently available.

Yes, there are some basic things they can do like improving server performance but that is not the same as DDoS protection

That's not what Rackspace claims:
[rackspace.com...]

Rackspace DDoS Mitigation Services, also known as Preventier™, is a unique DDoS hardware-based program that ensures customer uptime in the event of a DDoS attack. No other hosting provider has combined three such disparate technologies to create such an all-encompassing protection system for their network. From network-wide packet scanning through granular traffic analysis right down to server-level anomaly detection, three layers of detection identify and filter hostile traffic 24x7x365. In effect, all DDoS processing is offloaded from your configuration to a Rackspace infrastructure allowing you to continue to do business. Our DDoS Mitigation Services allow you to choose the level of service you need at the price you want to pay.

They just didn't say it was free.

Which hosts can handle a DDOS ? I have used the best and not found anyone claiming to do anything for DDOS, it would be a bit of silly claim really.

Disclaimer. You acknowledge that the PrevenTier service may not successfully mitigate all attacks, and may also result in some legitimate traffic being diverted from your website(s)

Its called the £350 p/c/m power button

@incredibill

Sure, if you have the technical skills or are considered a high value target by your hosting service(!) then I guess you don't have a problem.

The only services I know of that can stop a true DDoS attack are Prolexic and Gigenet. If you have names of other services or hosting providers who do the same, please let me know.

Preventier is not part the basic Rackspace hosting service. It costs $5000.00 just to setup and they make no guarantee. Again, if you know of a hosting service that provides DDoS protection as part of their basic service, I'm all ears.

I am really surprised that they, 1) had the nerve to ask you and 2) had the drive to follow through.

If you are in the UK I am not sure the FBI would be interested unless you could show that the request came from within the US border.

You may have to start with the local (to your server) authorities, and then just make sure it gets elevated to the proper place.

You should 100% for sure contact the authorities. You defiantly shouldn't poke the bear though. This isn't like a 419 Eater where they have no recourse.

This is happening to you because they want money. What you don't want is to give them motivation outside that to continue to attack you. If they are doing it for money they will stop when they are sure they won't get any. If they are doing it to get back at you then who knows when/if they will stop.

Prepare yourself for the next wave?

IP block? it's that simple...

I would tell them to go pound dirt -real nasty like..

IP blocks don't work. DDOS attacks come from hundreds if not thousands of different IP addresses. Typically from a zombie network of hacked machines around the world.

Even if you were able to block all the IP addresses, you are blocking unsuspecting victim macbines from your site in the future.

Can you post a sample of the request/user-agent they are using from your log file?

Even if you were able to block all the IP addresses, you are blocking unsuspecting victim macbines from your site in the future.

You don't leave the IPs blocked forever, at least I never have, just long enough to mitigate the attack and wait for them to go away.

Most often there's some other flaw in the attack that allows it to be filtered by the type of traffic, not the traffic source, which basically ends the problem without blocking IPs.

I've had to actually block entire countries like russia, ukraine, china, etc. before to stop an attack and I still block china just to keep the spam out which turned into a near DDOS on it's own!

All I've ever had to do during a DDos attack was create a ticket via my host's customer support portal, and within several minutes they'd put the site behind a DDos mitigation appliance called, Cisco Guard, for however many hours it took for the attackers to get bored and move on. There's never been any charge for this service.

I'm really surprised that people are having trouble finding Hosting Providers that can provide basic DDOS protection. From the sound of it, the guys trying to DDOS you are rank amateurs, the level of traffic you are describing is a drop in the bucket compared to a hard-core DDOS.

As has been mentioned, protection against this type of DDOS is basically an exercise in un-boxing some hardware, plugging it it, and going back to drinking coffee.

Without endorsing, here's a link to one solution:
[h10163.www1.hp.com...]

Cisco and Juniper Networks also provide out of the box solutions.

The advertising page doesn't mention DDOS protection, but that hardware works very well in that capacity. I've accidentally blacklisted myself working from home and running Macro based tests against our services (which can look a lot like an intrusion attempt/single vector DDOS).

Really easy to manage. Hosting providers too dense/cheap/lazy to provide basic DDOS protection don't deserve to be in business.

A truly massive DDOS is quite hard to protect against, but that's not what you're facing. Any DDOS that can be mitigated by moving to a higher performance server is small time.

I'm really surprised that people are having trouble finding Hosting Providers that can provide basic DDOS protection.

By all means, if you know of hosting providers that provide DDoS protection that you know actually works, please post them. There's no need to keep it a secret. I have posted two services that I know work.

Could you not just try and find out roughly from which IP range the attacks are coming (should be easy to see in any web stats program) and then redirect all requests from that range to a 2KB html page with a captcha on it ?

Funny how I was reading the start of this thread yesterday (havent read the rest of the thread) and today my server is now getting overloaded with 10,000 page request a minute.

I identified the website, and wrote a little routine to log number of requests per IP, since all pages were going through one include file. After 20mins this was the result (removed real users):

95.223.185.27 = 24245
88.73.234.51 = 24120
84.31.132.251 = 27074
84.187.41.186 = 21270
79.218.82.148 = 17051
91.34.190.148 = 19538
84.133.197.81 = 15318
93.130.8.138 = 17911
84.44.142.101 = 25154
78.55.195.182 = 17959
217.232.133.198 = 18500
80.140.224.179 = 15501
94.220.142.18 = 21691
84.188.251.187 = 19924
93.222.35.146 = 24361
92.205.113.104 = 1809

I then just add a few more lines of code to block them, which returned the server back to normal operation.

Im using an IIS server, Dont know if it has already been mentioned, but I know I can download this patch somewhere which does harden it against real DOS attacks.

A free simple Linux firewall that is compatible with WHM/Cpanel is CSF.

CSF has a function which tracks requests per minute and can temporarily or permanently ban an IP that goes over your preset limit.

All those posts for different IDP/IPS and "Trademarked" DDOS filters make me laugh, they are just modern packet filters with a catchy name. The security industry sure knows how to takle money off the uninformed.

Some store the access logs and filters on the same device and when scanned have out of date O/S (Non M$ of course) with known vulnerabilities!

dosarrest.com is a service I have used with success before. They can stop the attack within minutes! I would also report everything to the FBI and local Police (in the town where your server AND business is).

@incrediBILL Has good advice. Upgrading to high performance servers , while a nice gesture, is not going to do anything in the face of a full fledged DDOS attack.

I just got out of another DDOS last week and i can tell you what i've learned so far:

1- Server Side Measures (linux):

Put your server on defcon 3 until the attack subsidies:

- Install DDOS Deflate and set it to a lower limit for connections per IP. DDOS deflate is a cron job that bans IP's that exceed a certain connection limit.

- Install CSF/LFD and also put it on lock down mode , specially stop answering ICMP requests and considering your customers are mainly from the EU , block suspicious country IP's based on GEOIP info (integrated in CSF).

- Minimize processes running on your box for the duration of the attack to free-up resources

Depending on the depth and strength of the attack , server side measures can be enough to get you through it, but for a full fledged attack you need to move mitigation as far up the network level as you can.

2- Network Measures :

- Most sophisticated hosts have TMS (Threat management systems). Basically very expensive routers than can do pattern identification and filtering at the gigabit level, something your box / average commercial firewall will not be able to handle.

You need to contact your host and tell them to route your traffic through their TMS system.

Monitor your box and as DDOS deflate updates it's list of banned IP's supply these ip's to your host, so they can block them on the network level, freeing your box from having to deal with the requests completely.

Then clear your deny list and repeat, within 24 hours you should have the most offensive IP's on the network blacklist and the hosts TMS should start recognizing patterns and auto banning the most havoc wrecking of IPs.

At this point the attack might continue , eventually as the attacker's resources get blocked and recognizes that your box is still doing fine (site is up), he'll stop , try to salvage whatever bot ip's he still has under his control and that haven't been blacklisted yet for his next victim.

3- ** KEEP IN TOUCH WITH YOUR CLIENTS **

The worst of a fallout of an unmitigated DDOS attack can present it's self in terms of customer expectations not being met. Customers see your site is offline, customers dont get emails answered, etc..
Try to reach out to your clients (tweet, facebook, call , etc..) and tell them what's going on. This is the single most important step to manage client's expectation and minimize the financial fallout from a DDOS attack that can last weeks after the attack has stopped !

4- Dont give in.

No matter what you do , don't pay up. You'll be the new donkey to ride on IRC channels.

5- Once the attack is over relax security measures

The measures above will 100% block out some good traffic (Google bots, Syndication scrapers, etc..) . While google bot should be the last thing on your mind during a DDOS after the attack is done, you want it to crawl your site to it's heart's content.

Good luck and god speed :)

By all means, if you know of hosting providers that provide DDoS protection that you know actually works, please post them...

Apologies, but I'm not keeping track of hosting services anymore - we manage our own infrastructure.

My surprise comes from the fact that we're a relatively small outfit and have mitigating hardware in place. We did this because we've had DDoS attempts against our services, and we quickly did the necessary research to find out how to deal with it, and haven't had an issue since. It's one of those nice pieces of tech that runs in the background and no one thinks about it anymore.

To me, if a small independent outfit like where I'm at can deal with it, it strikes me as sad that companies that act as "professional" hosting providers aren't.

My suspicion would be that it's cost related. The hardware doesn't come cheap (6 figures US$), but if you're in the business of providing a reliable web hosting, then it's an investment.

All those posts for different IDP/IPS and "Trademarked" DDOS filters make me laugh, they are just modern packet filters with a catchy name. The security industry sure knows how to takle money off the uninformed.

True, to an extent. The issue for a lot of companies comes down to "how many speciality boxes do we want our *nix admins to manage/update." Sure, it's possible to roll your own packet filtering box. But to keep it running and up to date requires man hours. There comes a point where your infrastructure grows to a level that the man hours cost of maintaining your own filtering exceeds the cost of just buying something off the shelf and plugging it in. This also applies to very large storage arrays and other nifty bits of tech that any *nix admin can build themselves. You can pay someone $$$ / year, or you can buy something, install it, and forget about it.

All those posts for different IDP/IPS and "Trademarked" DDOS filters make me laugh, they are just modern packet filters with a catchy name. The security industry sure knows how to takle money off the uninformed.

Assuming you are using a 3rd party hosting service, what is the solution by the "informed?"

You can resolve this with some scripting. How many pages can a normal user access on your site in a period of 3 minutes? 10? If the answer is 10 than a new page is requested every 1.8 seconds. Any IP address that access your site more than 10 times (or you decide what is normal for your site) over a period of 3 minutes should be blocked by firewall.

Heck, don't even respond to the email threat. Just report it to your local Internet crime department, toughen up your online presence and take the hit and laugh at the scum...

I had some DDoS issues last year and I use a small to medium boutique host in Singapore. He's a top notch guy who really knows his stuff and has his own space in a mainline datacentre in Singapore (my traffic is mostly from Asia). He worked together with me via MSN to mitigate the attack. He spent loads of time with me and as a result, won a customer for life.

Long and short, don't ever encourage these fraudsters with a response of any kind. Get a better host if they can't mitigate the attack with technical superiority. Use the experience to shore up your online assets.

And one more thing. IP blocking should be temporary. We release every blocked IP after 24 hours.

First, I'd find a better host that can mitigate a DDOS instead of just moving you to the "high performance server". Any host worth their salt should be able to put a stop to this unless it's using a very large botnet without repeating IPs, and even then it may not be that complicated depending on the nature of the attack. Why I say move to a better host isn't because of your attack, imagine they attack someone else on your shared server or on the network. If these guys can't mitigate your attack then you'll suffer when some other site is attacked as well.

Agreed. If your host is good, they should be able to quickly work upstream, even to the network carriers to shut this down. This is one reason why it's important pay a little more to go with a high quality host if you can't afford downtime.

We've only had it happen to our servers (which are colo) a few times, and it was pretty mild and short lived. But if we get a major hit, I know who I'm gonna call...