

How we have handled a DDOS attack from a dumb program - iseff
http://blog.openomy.com/2008/04/dealing-with-dumb-programs-or-why-our.html
I thought some people here might find this interesting. Our site has been slow recently, and it's due to a dumb program causing essentially a DDOS attack against us. Here are some of the things we've done to alleviate the situation.

I'd also love to hear from others who have had luck with other techniques!
======
apathy
Having had to deal with shit like this before, I can aver that blackholing the
offenders is the highest-performance option.

In other words, _you did right_. Look into mod_dosevasive if you want to
automate this sort of thing (and rechecking IPs every few
hours/days/whatever). Note however that if you have a malicious attacker they
will forge headers; of course if they're really malicious they'll just
SYN-flood you like that.

~~~
iseff
Thanks! Good to know, and I'll definitely look into mod_dosevasive.

------
iseff
I thought some people here might find this interesting. Our site has been slow
recently, and it's due to a dumb program causing essentially a DDOS attack
against us. Here are some of the things we've done to alleviate the situation.

I'd also love to hear from others who have had luck with other techniques!

~~~
technoguyrob
Although this isn't an effective tool for websites that actually sell
something, a community I was part of a few years ago was experiencing a very
malicious and heavy DDOS for almost 30 hours, so at 2AM CST they set their
DNS to forward their domain name to 127.0.0.1. The attackers ended up DDOSing
themselves. When they set the DNS back properly, for some reason the attackers
had stopped. I guess they felt too ashamed to try again!

EDIT: It might also be possible, of course, to blacklist certain IPs and force
those to be redirected to their localhost.

------
patrickg-zill
I can't get to your site to read your article; it is slow at the moment...
however I do recommend that in addition to blackholing the offending IPs, you
make sure that your provider is aware of it as well. They are able to do more
drastic things such as dropping all traffic at their border router, for
example.

------
bluelu
I don't know for sure (read about it some time ago), but I think iptables has
somewhere an option of banning IPs if they make more than a certain number of
requests for a given time period. You might try that out?
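As an added example (not code from any of the posters above), here is the auto-ban logic that apathy and bluelu describe, combined into one script: count requests per client IP in a sliding window, blackhole an IP once it exceeds the threshold, and lift the ban after a fixed time so the address gets rechecked. The log lines, addresses, threshold and window are constructed for the example; the iptables and ip route commands it produces are only returned as strings, not executed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access-log lines in Apache combined format (not from the
# original post). 203.0.113.7 plays the runaway client; 198.51.100.9 is a
# normal visitor. Both are documentation addresses.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2008:14:00:00 +0000] "GET /api/files HTTP/1.1" 200 512
198.51.100.9 - - [12/Apr/2008:14:00:01 +0000] "GET / HTTP/1.1" 200 1024
203.0.113.7 - - [12/Apr/2008:14:00:01 +0000] "GET /api/files HTTP/1.1" 200 512
203.0.113.7 - - [12/Apr/2008:14:00:02 +0000] "GET /api/files HTTP/1.1" 200 512
203.0.113.7 - - [12/Apr/2008:14:00:03 +0000] "GET /api/files HTTP/1.1" 200 512
203.0.113.7 - - [12/Apr/2008:14:00:04 +0000] "GET /api/files HTTP/1.1" 200 512
203.0.113.7 - - [12/Apr/2008:14:00:04 +0000] "GET /api/files HTTP/1.1" 200 512
198.51.100.9 - - [12/Apr/2008:14:00:05 +0000] "GET /about HTTP/1.1" 200 800
198.51.100.9 - - [12/Apr/2008:14:00:30 +0000] "GET /contact HTTP/1.1" 200 700
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "')


def parse_ts(text):
    """Parse an Apache timestamp such as '12/Apr/2008:14:00:00 +0000'."""
    return datetime.strptime(text, "%d/%b/%Y:%H:%M:%S %z")


def parse_line(line):
    """Return (client_ip, timestamp) for one log line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group(1), parse_ts(m.group(2))


class Blackholer:
    """Sliding-window request counter that bans IPs over the threshold
    and releases them again after ban_ttl (the periodic recheck)."""

    def __init__(self, max_requests=5, window=timedelta(seconds=10),
                 ban_ttl=timedelta(hours=1)):
        self.max_requests = max_requests   # assumed threshold; tune against your logs
        self.window = window
        self.ban_ttl = ban_ttl
        self.hits = defaultdict(deque)     # ip -> timestamps seen inside the window
        self.banned = {}                   # ip -> time the ban was applied

    def observe(self, ip, ts):
        """Record one request; True if this request pushed the IP over the limit."""
        if ip in self.banned:
            return False
        q = self.hits[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop hits that fell out of the window
            q.popleft()
        if len(q) > self.max_requests:
            self.banned[ip] = ts
            q.clear()
            return True
        return False

    def expire(self, now):
        """Lift bans older than ban_ttl; returns the IPs that were released."""
        released = [ip for ip, t in self.banned.items() if now - t >= self.ban_ttl]
        for ip in released:
            del self.banned[ip]
        return released


def ban_commands(ip):
    """Host-level commands to cut an offender off. The null route stops our
    replies from reaching it; the iptables rule drops its packets on arrival.
    Either alone is enough; both are shown for illustration."""
    return [f"ip route add blackhole {ip}/32",
            f"iptables -I INPUT -s {ip} -j DROP"]


def unban_commands(ip):
    """Undo ban_commands() once the ban has expired."""
    return [f"ip route del blackhole {ip}/32",
            f"iptables -D INPUT -s {ip} -j DROP"]


def process_log(text, bh=None):
    """Feed log lines through the counter; returns (blackholer, commands to run)."""
    bh = bh if bh is not None else Blackholer()
    commands = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        if bh.observe(ip, ts):
            commands.extend(ban_commands(ip))
    return bh, commands


if __name__ == "__main__":
    bh, cmds = process_log(SAMPLE_LOG)
    print("\n".join(cmds))        # what you would run, or hand to your provider
    print("banned:", sorted(bh.banned))
```

In production the same counting is done in-kernel by iptables' `recent` or `hashlimit` match modules, or inside the web server by mod_evasive (the renamed mod_dosevasive); the script above just makes the logic visible so the threshold and window can be checked against real logs before an automated tool is trusted with them. A limit keyed on source address only helps against a client that keeps using its own address; it does nothing against a spoofed-source SYN flood, which is where the provider's border router that patrickg-zill mentions comes in.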

