My main clients site is under DOS attack

showbizvet

When I first started doing SEO, I found a client who had a site about penny stocks. He's still my client over 1 year later. Here's the thing.... We (and my outsourcers) got to page 1 on Google, but now (as of today) his site is under DOS attack.

Code:
Hello,
I apologize, but we were forced to stringblock the domain sitename.com as it appears that this particular site is under attack, which was causing an issue for our other clients. Although we are currently attempting to mitigate the attack, likely this firewall block will need to remain in place until the attack subsides. I apologize about any inconvenience this may have caused.

Sincerely,

Shaun L.

I'm sure someone, either a competitor or someone who received a lousy stock pick, hired some Russians or Chinese to do the DOS attack. My question is what can we do about it? Is there any way to find out who is doing the attack? I'm guessing no. While neither he nor I want a vendetta, we do want it to stop. Was thinking if we could find out who is doing it (meaning the actual attackers) we could pay them to stop.

Now then, if we did find out the person who hired them... well that's another story.

Any suggestion appreciated.
 
hi showbizvet

If possible check your logs and find out exactly what's happening. It could be that in addition to certain script attacks your hosting may not be up to par with its security. Find out the IP range the attack is coming from and if possible block the IP range...

Sounds strange that your client should be getting attacked unless he's running some outdated CMS/scripts that have known vulnerabilities - unless of course your niche is really that competitive and cutthroat...

hth
 
Stop lying. It's not DoS, it's DDoS. DoS has not taken a site/server out since the 90's. Also if you are using a VPS/shared then your site is probably not under DDoS, but someone that has the same server as you is.

What you can do is go to the IP logs when the server comes back up, and track the IPs (this of course is if it was an HTTP flood; if it's SYN, TCP, UDP, then you will need to do some more digging within your server to find the IPs). Then add those IPs to the ban list, and then try to google for the IPs and see if anything comes up (will usually come up on threatexpert or something). You will then need to find the C&C of the botnet and report it or take it out. But the chances of this happening are slim to none; even if you somehow find the C&C, it's most likely on a BP server and reporting won't do anything.
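As an added example (not code from any poster in this thread), here is the access-log triage ghOst describes for the HTTP-flood case: count requests per source IP inside a sliding time window, flag the IPs that exceed a threshold as ban-list candidates, and show which paths they hit, which on a shared box tells you whose account is the target. The log lines are constructed Apache combined-format samples, and the window and threshold values are assumptions to be tuned against real traffic.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Apache "combined" format: ip ident user [time] "method path proto" status size "referer" "ua"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:\S+) (\S+) [^"]*" (\d{3}) ')

def parse_line(line):
    """Return (ip, timestamp, path) for one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, path, _status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path

def find_flooders(lines, window_seconds=10, threshold=20):
    """Map each IP to its peak request count within any window of window_seconds.
    Only IPs whose peak reaches the threshold are returned: the ban-list candidates."""
    times = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            times[parsed[0]].append(parsed[1])
    window = timedelta(seconds=window_seconds)
    peaks = {}
    for ip, stamps in times.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:  # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            peaks[ip] = peak
    return peaks

def targeted_paths(lines, flooders):
    """Count the paths hit by flagged IPs: on shared hosting this shows which account is targeted."""
    return Counter(p[2] for p in map(parse_line, lines) if p and p[0] in flooders)

# Constructed sample (assumed, not real traffic): one bot hammering /index.php at 5 req/s,
# one legitimate crawler at one request every 3 s, and one ordinary visitor.
def _line(ip, second, path):
    ts = (datetime(2010, 3, 10, 3, 14, 0) + timedelta(seconds=second)).strftime("%d/%b/%Y:%H:%M:%S")
    return f'{ip} - - [{ts} +0000] "GET {path} HTTP/1.1" 200 5123 "-" "Mozilla/4.0"'

SAMPLE_LOG = ([_line("203.0.113.7", i // 5, "/index.php") for i in range(60)]
              + [_line("198.51.100.9", i * 3, "/about.html") for i in range(25)]
              + [_line("192.0.2.3", 7, "/contact.html")])

if __name__ == "__main__":
    bad = find_flooders(SAMPLE_LOG)
    print("ban candidates:", bad, "paths hit:", targeted_paths(SAMPLE_LOG, bad))
```

The crawler sends 25 requests in total but never more than 4 in any 10-second window, so only the bot is flagged; feed the flagged IPs to the host's firewall rather than banning on raw totals.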
 
If you pay them they will rinse and repeat
 
Unfortunately it sounds like your client is using a shared hosting platform, and not a VPS solution.

There really isn't much you, or your client, can do to stop, or even trace, the DDoS attack.

Your client's provider should be able to firewall the offending IP address ranges, and stop the DDoS attack. But even then it could still cause harm to the other users of their service because the firewall has to filter all those requests, and depending on the size of the botnet it could be into the hundred thousands, which would just eat UP processing power on their firewalls.

What I would suggest is asking your client's provider to put him on a new IP address, and then redirect your client's DNS to 127.0.0.1, or you can get fancy and point the DNS at some of your client's competition; that is up to you.

Depending on the return your client is getting on his website, it may be worth it to purchase a VPS.. That would give you MUCH more control over these attacks.

Do you know what type of attack the offenders are using? Are they flooding the httpd with GET requests, or are they using sheer bandwidth?

Maybe you can get a list of the IP addresses involved in the attack and contact some real "Black Hat" friends of yours to investigate some of the machines, and get a copy of the malware.

Good luck, and if you have any more info let me know.. Maybe I can help you out.
 
VPS usually doesn't have a dedicated ip. They are usually 3-4 of them on the same ip
 
That all depends on who your VPS is with, and if you paid for a dedicated IP. It's a hell of a lot easier to get a new IP address on a VPS than it is on a shared hosting box though.
 
Thanks for the good info...and of course I wasn't lying ghOst, but you are of course right on the terminology.

He's on Hostgator, shared hosting. The niche is penny stocks and yes, the competition is immense; didn't know about the cutthroat part till now.
 
lol I was just kidding. But yea, I doubt it's him that is getting DDoSed, but the people that he is sharing the hosting with.

Determine what sites are on the same server (there are some tools online that will help you with that), and see if any of the sites are related to hacking or anything like that.
 
Judging by the first post, it sounds like it really is directed at his client. The host wouldn't block EVERY domain on the box... Looks like his was pinpointed, and since he doesn't have a dedicated IP it's more than likely an HTTP flood, in which case once the box comes up you'll be able to get the access logs and maybe compromise a host (if that's what you do) ;) and get a copy of the malware, then report the server/servers/DNS.

For now I would def. change the DNS to another IP or localhost...
 
Yea it would... the domains have nothing to do with it. They are just pointed to 1 IP since it's shared. For example

domain1 -> 54.44.44.44
domain2 -> 54.44.44.44
domain3 -> 54.44.44.44

etc..

Even in an HTTP flood, the IP is the thing that is getting DDoSed, therefore the whole server goes down. The domain or the DNS in a DDoS has nothing to do with it; it's the host that has problems.

If you were to set up a local DNS + local server, and I was to DDoS the DNS that you have set up, then your computer would crash or the internet would blow out, not the domain.
 
So I'm skyping with my client now and in the morning I'll call Hostgator and see what kind of solutions they offer. My guy is game to go dedicated IF necessary; he's getting a lot of traffic now... We do have multiple domains on the site, that is of course no problem if it's dedicated, but I have little experience with VPS. Not sure if you can do addon domains, but I'm guessing you can.
 
Well, the hosts will see what directory the requests are being sent to... So they can track it back to user/account/parked domain..

The reason I suggest changing the DNS to localhost is because the attackers could be attacking the DNS (which resolves to the IP address), and not the IP address itself. You change the NS record to resolve to localhost and there is a possibility the bots' DNS cache will update, and they will DDoS their own localhost or the bots will HALT.

Unfortunately I doubt Hostgator has mod_evasive installed or the requests would have just been firewalled.

mod_evasive is awesome btw :sombrero:
 
Go get a cheap server at thePlanet they will block the DDOS at their router.
 
So here is the latest in my saga.

As of right this minute the site is back online and this is what I heard from HG.

Code:
Hello,

There's actually very little that can be done to prevent DDoS attacks. By their very nature they're difficult to block, and impossible to stop. Whenever one of our customer's sites is under attack, we first attempt to isolate the attack traffic. If this doesn't work, we then block requests for the site. The best I can suggest is upgrading to a dedicated server. This will prevent us from taking your site offline if it's causing a problem, as there will be no other customers on the server to worry about. You can read more about our dedicated server offerings at http://www.hostgator.com/dedicated.shtml.

Your site is online. Please let us know if you have any other questions.

The cheapest HG dedicated is $174, but the $219 a month one looks like a better performer. Still though, they don't offer or mention DDOS protection so we'd need to get some sort of outside protection.

Then (in the meantime) I heard via PM from a BHW member about www.servint.net and this is what I heard from them:

Code:
Thank you for taking the time to contact us regarding your interest in our hosting solutions. We currently have moderate-stage DDOS mitigation in place. This includes not only the ability to block or null an attack, or significant parts of the attack, from our network, but our routers actually are able to trigger mitigation within the routers of our key transit providers. This is crucial when an attack comes in from various parts of the world with the intent to overload the PPS flow at our core or border routers.

Beyond this information, we like to keep our security measures secret so we can deter others from trying to find a way around them. I am sure that as a client you will be able to appreciate that we keep these details somewhat guarded for the overall benefit of our network and the clients we host.

Please let me know if I can be of further assistance.

Their costs for VPS vary, but the $90 package is what is recommended. Since our site is back up, we can breathe and think, but no doubt whoever paid for the DDOS attack has run through their money and the Russians or Chinese (or whoever) have ceased for the moment, but no doubt it will happen again.

Re the cookie method suggested by Crooker that sounds promising, but my client will need to make that decision.

edit.

In looking at the dedicated from HG I see

- DDOS Protection
- Automatic Updates
- Virus Protection
- Firewall Included

I'm guessing that is not offered on the shared hosting like we currently have. I haven't checked Servint directly, but based on their email to me, seems they offer much the same, but possibly at a cheaper price.
 
Here is additional follow-up with HG when I asked about their DDOS (got it right now ghOst) protection on dedicated hosting, as compared with shared hosting.

Code:
No, it is not different, but we rarely employ it on our shared hosts due to some of its side-effects. The DDoS protection system is basically an implementation of Cisco Guard. It basically analyzes incoming packets for attack patterns, and blocks packets that match known patterns. The problem is that with some types of attack, such as the one that was recently conducted against your site, it can be difficult to differentiate normal traffic from attack traffic. What ends up happening is that normal, legitimate traffic gets blocked alongside the malicious traffic. This translates to packet loss and timeouts for your visitors. This is why it isn't kept on all the time.

However, for more easy to detect attacks, like SYN flood attacks and 408 attacks, the DDoS protection system works great, as it's able to effectively tell the difference between malicious traffic and legitimate traffic.

If you have any other questions, please let us know.

So at this point I'm not sure whether to switch hosts or not, but it would seem I MUST upgrade to dedicated if we stay with HG. From a cost standpoint it would seem VPS is the best option.
 