
My main clients site is under DOS attack

Discussion in 'Black Hat SEO' started by showbizvet, Nov 6, 2009.

  1. showbizvet

    showbizvet Power Member

    Joined:
    Oct 1, 2008
    Messages:
    795
    Likes Received:
    260
    Occupation:
    IM
    Location:
    Tennessee and around
    When I first started doing SEO, I found a client who had a site about penny stocks. He's still my client over 1 year later. Here's the thing.... We (and my outsourcers) got to page 1 on Google, but now (as of today) his site is under DOS attack.

    Code:
    Hello,
    I apologize, but we were forced to stringblock the 
    domain sitename.com as it appears that this particular 
    site is under attack, which was causing an issue for our 
    other clients.  Although we are currently attempting to 
    mitigate the attack, likely this firewall block will need to 
    remain in place until the attack subsides.  I apologize about 
    any inconvenience this may have caused.
    
    Sincerely,
    
    Shaun L.
    
    I'm sure someone, either a competitor or someone who received a lousy stock pick, hired some Russians or Chinese to do the DOS attack. My question is what can we do about it? Is there any way to find out who is doing the attack? I'm guessing no. While neither he nor I want a vendetta, we do want it to stop. Was thinking if we could find out who is doing it (meaning the actual attackers) we could pay them to stop.

    Now then, if we did find out the person who hired them... well that's another story.

    Any suggestion appreciated.
     
    Last edited: Nov 6, 2009
  2. ukescuba

    ukescuba Jr. VIP Jr. VIP Premium Member

    Joined:
    Feb 24, 2008
    Messages:
    994
    Likes Received:
    634
    Occupation:
    Mobile Marketer & QR Code Junkie
    Location:
    San Antonio, TX
    hi showbizvet

    if possible check your logs and find out exactly what's happening, it could be that in addition to certain script attacks your hosting may not be up to par with its security, find out the IP range the attack is coming from and if possible block the ip range...

    sounds strange that your client should be getting attacked unless he's running some outdated cms/scripts that has known vulnerabilities - unless of course your niche is really that competitive and cut throat...

    hth
     
  3. gh0st

    gh0st BANNED BANNED Premium Member

    Joined:
    Feb 7, 2009
    Messages:
    92
    Likes Received:
    47
    Stop lying. It's not DoS, it's DDoS. DoS has not taken a site/server out since the 90's. Also if you are using a vps/shared then your site is probably not under DDoS, but someone that has the same server as you is.

    What you can do is go to the ip logs when the server comes back up, and track the ips (this of course is if it was http flood; if it's syn, tcp, udp, then you will need to do some more digging within your server to find the ips). Then add those ips to the ban list, and then try to google for the ips and see if anything comes up (will usually come up on threatexpert or something). You will then need to find the c&c of the botnet and report it or take it out. But the chances of this happening are slim to none; even if you somehow find the c&c, it's most likely on a bp server and reporting won't do anything.
     
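A way to do the log check ukescuba and gh0st describe in posts 2 and 3, as an added example that is not from the thread: it parses Apache combined-format access log lines, flags any client that exceeds a request threshold inside a sliding time window (an HTTP flood signature), and collapses the flagged addresses into /24 ranges for a firewall block. The log lines, threshold and window are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" format; only the client IP and timestamp are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines (not from the thread): two bots in one /24
# hammering the front page, plus one normal visitor.
SAMPLE_LOG = """\
198.51.100.7 - - [06/Nov/2009:10:00:00 -0600] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.7 - - [06/Nov/2009:10:00:00 -0600] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.7 - - [06/Nov/2009:10:00:01 -0600] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.9 - - [06/Nov/2009:10:00:01 -0600] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.9 - - [06/Nov/2009:10:00:02 -0600] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.9 - - [06/Nov/2009:10:00:02 -0600] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.42 - - [06/Nov/2009:10:00:02 -0600] "GET /picks.html HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.42 - - [06/Nov/2009:10:01:30 -0600] "GET /about.html HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return (ip, datetime) for a log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return (m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)) if m else None

def flood_sources(log_text, max_hits, window_s):
    """Map each IP that exceeds max_hits requests inside any window_s-second
    sliding window to its peak count in such a window."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            hits[parsed[0]].append(parsed[1])
    flagged = {}
    for ip, stamps in hits.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):
            while (t - stamps[start]).total_seconds() > window_s:
                start += 1  # slide the window forward past old requests
            peak = max(peak, end - start + 1)
        if peak > max_hits:
            flagged[ip] = peak
    return flagged

def to_cidr24(ips):
    """Collapse flagged IPv4 addresses into /24 ranges for a range block."""
    return sorted({ip.rsplit(".", 1)[0] + ".0/24" for ip in ips})
```

With the sample, `flood_sources(SAMPLE_LOG, 2, 10)` flags the two 198.51.100.x clients and `to_cidr24` reduces them to 198.51.100.0/24, while the visitor with two requests 88 seconds apart is left alone. On a real box, feed it the access log once the server is back up and tune the threshold to the site's normal traffic before blocking anything.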
  4. whodi

    whodi Junior Member

    Joined:
    Nov 15, 2008
    Messages:
    171
    Likes Received:
    124
    Occupation:
    Full Time IMer
    Location:
    Chicago
    If you pay them they will rinse and repeat
     
  5. IAmAbomination

    IAmAbomination Newbie

    Joined:
    Oct 4, 2009
    Messages:
    34
    Likes Received:
    28
    Unfortunately it sounds like your client is using a shared hosting platform, and not a VPS solution.

    There really isn't much you, or your client can do to stop, or even trace the DDoS attack.

    Your clients provider should be able to firewall the offending IP address ranges, and stop the DDoS attack. But even then it could still cause harm to the other users of their service because the firewall has to filter all those requests, and depending on the size of the botnet it could be into the hundred thousands which would just eat UP processing power on their firewalls.

    What I would suggest is asking your client's provider to put him on a new IP address, and then redirect your client's DNS to 127.0.0.1, or you can get fancy, and point the DNS at some of your client's competition, that is up to you.

    Depending on the return your client is getting on his website, it may be worth it to purchase a VPS.. That would give you MUCH more control over these attacks.

    Do you know what type of attack the offenders are using? Are they flooding the httpd with GET requests, or are they using sheer bandwidth?

    Maybe you can get a list of the IP addresses involved in the attack and contact some real "Black Hat" friends of yours to investigate some of the machines, and get a copy of the malware.

    Good luck, and if you have any more info let me know.. Maybe I can help you out.
     
  6. gh0st

    gh0st BANNED BANNED Premium Member

    Joined:
    Feb 7, 2009
    Messages:
    92
    Likes Received:
    47
    VPS usually doesn't have a dedicated ip. There are usually 3-4 of them on the same ip
     
  7. IAmAbomination

    IAmAbomination Newbie

    Joined:
    Oct 4, 2009
    Messages:
    34
    Likes Received:
    28

    That all depends on who your VPS is with, and if you paid for a dedicated IP. It's a hell of a lot easier to get a new IP address on a VPS than it is on a shared hosting box though.
     
  8. showbizvet

    showbizvet Power Member

    Joined:
    Oct 1, 2008
    Messages:
    795
    Likes Received:
    260
    Occupation:
    IM
    Location:
    Tennessee and around
    Thanks for the good info...and of course I wasn't lying ghOst, but you are of course right on the terminology.

    He's on hostgator, shared hosting. the niche is penny stocks and yes the competition is immense, didn't know about the cutthroat part till now.
     
  9. gh0st

    gh0st BANNED BANNED Premium Member

    Joined:
    Feb 7, 2009
    Messages:
    92
    Likes Received:
    47
    lol I was just kidding. but yeah I doubt it's him that is getting ddosed, but the people that he is sharing the hosting with.

    Determine what sites are on the same server (there are some tools online that will help you with that), and see if any of the sites are related to hacking or anything like that.
     
  10. IAmAbomination

    IAmAbomination Newbie

    Joined:
    Oct 4, 2009
    Messages:
    34
    Likes Received:
    28

    Judging by the first post, it sounds like it really is directed at his client. The host wouldn't block EVERY domain on the box... Looks like his was pinpointed, and since he doesn't have a dedicated IP it's more than likely an HTTP flood, in which case once the box comes up, you'll be able to get the access logs and maybe compromise a host (If that's what you do) ;) and get a copy of the malware, then report the server/servers/dns.

    For now I would def. change the DNS to another IP or localhost...
     
  11. gh0st

    gh0st BANNED BANNED Premium Member

    Joined:
    Feb 7, 2009
    Messages:
    92
    Likes Received:
    47
    yeah it would... the domains have nothing to do with it. They are just pointed to 1 ip since it's shared. for example

    domain1 -> 54.44.44.44
    domain2 -> 54.44.44.44
    domain3 -> 54.44.44.44

    etc..

    Even in http flood, the ip is the thing that is getting ddosed, therefore the whole server goes down. The domain or the dns in ddos has nothing to do with it, it's the host that has problems.

    If you were to setup a local dns + local server, and I was to ddos the dns that you have setup, then your computer would crash or the internet would blow out, not the domain.
     
  12. showbizvet

    showbizvet Power Member

    Joined:
    Oct 1, 2008
    Messages:
    795
    Likes Received:
    260
    Occupation:
    IM
    Location:
    Tennessee and around
    So I'm skyping with my client now and in the morning I'll call Hostgator and see what kind of solutions they offer. My guy is game to go dedicated IF necessary, he's getting a lot of traffic now... We do have multiple domains on the site, that is of course no problem if it's dedicated, but I have little experience with VPS. Not sure if you can do addon domains, but I'm guessing you can.
     
  13. IAmAbomination

    IAmAbomination Newbie

    Joined:
    Oct 4, 2009
    Messages:
    34
    Likes Received:
    28
    Well, the hosts will see what directory the requests are being sent to... So they can track it back to user/account/parked domain..

    The reason I suggest changing the DNS to localhost is because the attackers could be attacking the DNS (which resolves to the IP address), and not the IP address itself. You change the NS record to resolve to localhost and there is a possibility the bots' DNS cache will update, and they will DDoS their own localhost or the bots will HALT.

    Unfortunately I doubt hostgator has mod_evasive installed or the requests would have just been firewalled.

    mod_evasive is awesome btw :sombrero:
     
  14. bklooste

    bklooste Newbie

    Joined:
    Oct 10, 2009
    Messages:
    16
    Likes Received:
    0
    Go get a cheap server at thePlanet they will block the DDOS at their router.
     
  15. BSON

    BSON Junior Member

    Joined:
    May 6, 2007
    Messages:
    191
    Likes Received:
    280
    Location:
    EU
    LOOOOOOOOOL :D
    And how will they know which request is ddos and which are not?
     
  16. showbizvet

    showbizvet Power Member

    Joined:
    Oct 1, 2008
    Messages:
    795
    Likes Received:
    260
    Occupation:
    IM
    Location:
    Tennessee and around
    So here is the latest in my saga.

    As of right this minute the site is back online and this is what I heard from HG.

    Code:
    Hello,
    
    There's actually very little that can be done to 
    prevent DDoS attacks.  By their very nature 
    they're difficult to block, and impossible to stop.  
    Whenever one of our customer's sites is under attack, 
    we first attempt to isolate the attack traffic.  If this 
    doesn't work, we then block requests for the site.  The 
    best I can suggest is upgrading to a dedicated server.  
    This will prevent us from taking your site offline if it's 
    causing a problem, as there will be no other customers 
    on the server to worry about.  You can read more about 
    our dedicated server offerings at 
    http://www.hostgator.com/dedicated.shtml.
    
    Your site is online.  Please let us know if you have any other 
    questions.
    
    
    The cheapest HG dedicated is $174, but the $219 a month one looks like a better performer. Still though, they don't offer or mention DDOS protection so we'd need to get some sort of outside protection.

    Then (in the meantime) I heard via PM from a BHW member about www.servint.net and this is what I heard from them

    Code:
    Thank you for taking the time to contact us regarding 
    your interest in our hosting solutions.  We currently have 
    moderate-stage DDOS mitigation in place. This includes 
    not only the ability to block or null an attack, or significant 
    parts of the attack, from our network, but our routers 
    actually are able to trigger mitigation within the routers 
    of our key transit providers. This is crucial when an attack 
    comes in from various parts of the world with the intent to 
    overload the PPS flow at our core or border routers.
    
    Beyond this information, we like to keep our security measures 
    secret so we can deter others from trying to find a way around 
    them.   I am sure that as a client you will be able to appreciate 
    that we keep these details somewhat guarded for the overall 
    benefit of our network and the clients we host.
    
    Please let me know if I can be of further assistance.
     
    Their costs for VPS vary, but the $90 package is what is recommended. Since our site is back up, we can breathe and think, but no doubt whoever paid for the DDOS attack has run through their money and the Russians or Chinese (or whomever) have ceased for the moment, but no doubt it will happen again.

    Re the cookie method suggested by Crooker that sounds promising, but my client will need to make that decision.

    edit.

    In looking at the dedicated from HG I see

    - DDOS Protection
    - Automatic Updates
    - Virus Protection
    - Firewall Included

    I'm guessing that is not offered on the shared hosting like we currently have. I haven't checked Servint directly, but based on their email to me, seems they offer much the same, but possibly at a cheaper price.
     
    Last edited: Nov 6, 2009
  17. showbizvet

    showbizvet Power Member

    Joined:
    Oct 1, 2008
    Messages:
    795
    Likes Received:
    260
    Occupation:
    IM
    Location:
    Tennessee and around
    here is additional follow up with HG when I asked about their DDOS (got it right now ghOst) protection on dedicated hosting, as compared with shared hosting.

    Code:
    
    No, it is not different, but we rarely employ it on our shared 
    hosts due to some of its side-effects.  The DDoS protection 
    system is basically an implementation of Cisco Guard.  It basically 
    analyzes incoming packets for attack patterns, and blocks packets 
    that match known patterns.  The problem is that with some types of 
    attack, such as the one that was recently conducted against your 
    site, it can be difficult to differentiate normal traffic from attack traffic.  
    What ends up happening is that normal, legitimate traffic gets blocked 
    alongside the malicious traffic.  This translates to packet loss and 
    timeouts for your visitors.  This is why it isn't kept on all the time.
    
    However, for easier-to-detect attacks, like SYN flood attacks and 
    408 attacks, the DDoS protection system works great, as it's able to 
    effectively tell the difference between malicious traffic and legitimate 
    traffic.
    
    If you have any other questions, please let us know.
    
    
    so at this point I'm not sure whether to switch hosts or not, but it would seem I MUST upgrade to dedicated if we stay with HG. From a cost standpoint it would seem VPS is the best option.
     
  18. ClownBaby

    ClownBaby Power Member

    Joined:
    Oct 25, 2009
    Messages:
    581
    Likes Received:
    21
    dang good luck with that!