

Thread: Experiencing HTTP based DDoS attack

  1. #1

    Experiencing HTTP based DDoS attack

    Hi,

    My site has not been accessible for 4 days now, the message from the provider stated;

    "The server is under a severe HTTP based DDoS and there are roughly 400-600 connections from random IP's coming up. We are blocking everything as it comes in. We have entered your server in behind our DDoS protected network."

    My concerns are;

    a) If they blocked incoming IP's, and most likely will continue to do so, regular visitors won't get access and search engines also won't get access. The provider doesn't confirm these points.
    b) While they have my local IP and say it is not blocked I still can't access my site. Also can't access site from public computers (tested unsuccessfully from internet cafes and different local IPs).
    c) Monthly visitors are 500,000 and I have No1 ranking on Google for some of my sub-domains. Curious if this blocking of IP's will affect the Google ratings.
    d) Is there any way to trace the original source of the attack?

    Any information on this would be most welcome.
    Thanks for your reply
    Cheers
    Steven
    http://stevenredhead.com

    "Life is not measured by the number of breaths we take...but by the moments that take our breath away."

  2. #2
    Senior Member
    Join Date
    Jun 2004
    Posts
    577

    Re: Experiencing HTTP based DDoS attack

    I'm assuming you are talking about http://stevenredhead.com
    I am unable to view it.
    I did do a trace on it from here. It came up with no problems until I get to your site.
    IMO you have a real problem that needs to be resolved pretty quick.

    I have no solution. Your host should already know what they are doing. If they can't handle it then it is time to move to a new host.

  3. #3
    WebProWorld MVP kgun's Avatar
    Join Date
    May 2005
    Location
    Norway
    Posts
    7,999

    Re: Experiencing HTTP based DDoS attack

    The first link in this http://www.webproworld.com/internet-...tml#post400363 thread can be of assistance. It helped me. I changed hoster, but the hoster can be innocent. There are bigger sharks in the ocean than a small hosting company.

  4. #4
    Senior Member
    Join Date
    Jun 2004
    Posts
    577

    Re: Experiencing HTTP based DDoS attack

    I did some more searching on your situation.
    You may want to read this.

    The Netblock Owner(HostDime.com, Inc.) for your domain
    http://status.hostdime.com

    Seems they have been posting information about what you are experiencing.
    Just some extra info for you whether it helps or not.


    Good luck

  5. #5
    WebProWorld MVP wige's Avatar
    Join Date
    Jun 2006
    Posts
    3,138

    Re: Experiencing HTTP based DDoS attack

    a) If they blocked incoming IP's, and most likely will continue to do so, regular visitors won't get access and search engines also won't get access. The provider doesn't confirm these points.
    Denial of service attacks affect all sites on the target server. Even if you block the malicious traffic, the mere existence of the traffic will slow the network traffic from legitimate sources to a crawl by using up a portion of the available bandwidth. Many times, the only option for the host is to use a hardware firewall to block the bad requests to reduce the server workload, but legit traffic may still be unable to bypass the logjam and reach the server. In that case, your site may as well be offline.
    b) While they have my local IP and say it is not blocked I still can't access my site. Also can't access site from public computers (tested unsuccessfully from internet cafes and different local IPs).
    This is to be expected. If the network is overloaded with bad requests, yours may simply take too long to be processed and time out.
    c) Monthly visitors are 500,000 and I have No1 ranking on Google for some of my sub-domains. Curious if this blocking of IP's will affect the Google ratings.
    Google would probably say no. They do expect network outages and other issues to happen, and there is a tolerance built into the system to allow for such outages. Your site may be filtered out of the results until such time as Googlebot can reconnect (Google is all about the user experience when it comes to their SERPs, and they won't want to serve a link to a server they know is unavailable); however, during this filtering your site maintains its rank. If the outage is prolonged, however, your rankings could slip as you start losing credit from inbound links. After a certain amount of time, Google could consider your site "broken" and devalue your links, which would reduce your page rank and slowly drop your site in the rankings. The rule of thumb I have heard is 24 hours.
    d) Is there any way to trace the original source of the attack?
    For law enforcement, the ISP, and the hosting company if they are competent, yes. For you as a customer, probably not.
    The best way to learn anything, is to question everything.
    WigeDev - Freelance web and software development

  6. #6
    Junior Member
    Join Date
    Jan 2007
    Posts
    26

    Re: Experiencing HTTP based DDoS attack

    If you are familiar with the apache config you can do some things that will help

    1) turn keep-alive off

    # KeepAlive: Whether or not to allow persistent connections (more than
    # one request per connection). Set to "Off" to deactivate.
    #
    KeepAlive Off

    keepalive helps real browsers load pages faster, but it also can hurt you in a DDOS attack because every connection stays active for however many seconds your timeout is:

    so you could also try changing your time out to 1 second

    # KeepAliveTimeout: Number of seconds to wait for the next request from the
    # same client on the same connection.
    #
    KeepAliveTimeout 1


    I would check your logs and see where these IPs are coming from - if they are in a similar subnet you could block traffic, for instance if they are all coming from 207.23.* - you could put a block for that range - but if it's a zombie attack it could be IPs from anywhere

    maybe you got mentioned on slashdot...

    if your page isn't doing a lot of DB calls, e.g. if it's just straight HTML, the server should be able to handle a couple hundred requests simultaneously - if you are running wordpress or some other blog/cms you are probably killing the server and don't have enough CPU cycles to handle it - if it doesn't stop soon you could go in and write a script that sets a cookie then checks for the cookie, if it doesn't get the cookie it just throws a simple error and dies - then you're not doing DB queries for every bogus page load.

    don't see any reason for anyone to be attacking you, is this a shared server? maybe the target is actually a different site on the same box - might want to consider moving to another host

  7. #7
    Junior Member SuperHatz's Avatar
    Join Date
    Oct 2008
    Posts
    7

    Re: Experiencing HTTP based DDoS attack

    wesleyw has posted the best answers I have seen.

    Having a shared box with others, is a real problem.

    I would request my hosting company - large or small - to provide a compressed copy
    of my web site and database from either a backup copy from a day or so before the incident.

    I would purchase a new host(different company) and purchase Class C IP address of your own.

    Then sign into your domain registrar and point to your new host(nameserver). You should have
    your site back up and running in a matter of minutes. If you are the target of a DDoS attack, then you
    can go back to the registrar and park your domain - then log back into your new host and
    examine the log records. Turn on some blocks and then un-park your domain to point back
    to your new host. I think that you may find that you're not the source of the attack and you
    will have your site back soon.

    If you are being singled out for attack - which I can not imagine why, it would be YOU,
    then I would start by viewing the very first incoming log records. I would do exactly as
    wesleyw stated and drop IP network blocks one by one - until the non-offending traffic was able to
    gain access to your site again.

    Realistically, you should have been able to have your site back up in a matter of eight hours,
    but days? -> means that someone is confused and not making the right decisions, quick enough.

    Of course, that is simply my opinion!

    We all wait for your resolve. Please do not allow this thread to sit here with no notice of resolve.
    Far too often in the IT world - we learn of all the tragic problems, but rarely hear about things when
    they are fixed or working well.

    Best Regards.
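
Posts #6 and #7 both suggest reading the access log to see whether the attacking addresses fall into a range that can be blocked as a unit. The following is an added example, not part of any post in this thread: it groups client addresses from access-log lines by network prefix and reports the networks that dominate the traffic. The sample lines are constructed and use documentation address ranges; the thresholds and function names are assumptions chosen for illustration.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample: common-log-format lines using documentation address ranges.
_LINE = '{} - - [10/Oct/2008:13:55:36 -0400] "GET / HTTP/1.1" 200 5120'
SAMPLE_LINES = [_LINE.format(ip) for ip in (
    "203.0.113.5", "203.0.113.17", "203.0.113.80", "203.0.113.5",
    "203.0.113.200", "192.0.2.44", "198.51.100.9", "203.0.113.17",
)] + ["-- truncated line --"]


def client_ip(line):
    """Return the IPv4 client address in the first log field, or None."""
    first = line.split(" ", 1)[0]
    try:
        ip = ipaddress.ip_address(first)
    except ValueError:
        return None  # malformed or truncated line
    return ip if ip.version == 4 else None


def cluster_by_prefix(lines, prefix_len):
    """Map each network of prefix_len to (request count, distinct addresses)."""
    hits, hosts = Counter(), defaultdict(set)
    for line in lines:
        ip = client_ip(line)
        if ip is None:
            continue
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        hits[net] += 1
        hosts[net].add(ip)
    return {net: (count, len(hosts[net])) for net, count in hits.items()}


def block_candidates(lines, prefix_len=24, min_share=0.5, min_hosts=3):
    """Networks carrying at least min_share of requests from min_hosts or more addresses."""
    stats = cluster_by_prefix(lines, prefix_len)
    total = sum(count for count, _ in stats.values())
    return sorted(
        (str(net), count, n_hosts)
        for net, (count, n_hosts) in stats.items()
        if total and count / total >= min_share and n_hosts >= min_hosts
    )


if __name__ == "__main__":
    for net, count, n_hosts in block_candidates(SAMPLE_LINES):
        print(f"{net}: {count} requests from {n_hosts} addresses")
```

A range like the 207.23.* mentioned in post #6 corresponds to `prefix_len=16`. An empty result means the sources are scattered, which is the "IPs from anywhere" case that post describes, and any range that is blocked also shuts out legitimate visitors inside it.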

  8. #8
    Junior Member
    Join Date
    Nov 2004
    Posts
    19

    Re: Experiencing HTTP based DDoS attack

    This happened to me with 4 different domains. The culprit is probably a virus infecting zombie machines.
    There are a number of companies offering servers prepared to resist the attack. Look for them under "dDos Hosting".
    synonymizer.com.ar

  9. #9
    WebProWorld MVP morestar's Avatar
    Join Date
    Jun 2007
    Location
    Toronto, Ontario (Burlington)
    Posts
    4,249

    Re: Experiencing HTTP based DDoS attack

    I wouldn't worry about your rankings or visitors just yet. I don't believe you have only 24 hours, I'd say it's much longer. The reason being is that it's in Google's best interest to serve pages to visitors that are relevant etc. so once the site comes back live (not after too tooo long) the site will still be what it was when it was #1 (hopefully) and again Google would rank it.

    For sure you'll start to slip in different areas of search but I think you've got much more time - I'd even gamble more than 6 weeks. Correct me if I'm wrong.

    btw your site was still down now at 6:46pm EST.

  10. #10
    Senior Member datetopia's Avatar
    Join Date
    Dec 2006
    Posts
    139

    Re: Experiencing HTTP based DDoS attack

    1. If you can't access it, we can't access it, then your visitors and search engines will not access it either. Search engines will eventually get your pages back but this can take a lot of time.
    2. 4 days is too much. It usually takes less than 1 day for domain name servers to propagate if you change hosts.
    If you have backups buy another hosting space (monthly), change name servers, copy files and database there and contact your current host to notify you when things get back to normal.
