How to Mitigate Effect of DoS attack

    realJSOP wrote:

    As some of you might recall, my web site is on an Arvixe server that is undergoing a DoS attack. There are apparently several other sites on this server, all of which are down. They say they're adding filtering, but they've been at it now for 24 hours. This suggests to me that the server's performance would start to be adversely affected if they have to add hundreds/thousands of source IPs to the filter. To mitigate the effect, couldn't the network admin:

    0) Identify the IP that's actually being attacked (I suspect that it's just one of the sites on the server that is actually being attacked)
    1) Remove that IP from their internal DNS server
    2) At the firewall, refuse all traffic to the affected IP

    I'm not a network admin by any stretch, but is the above described approach not viable?

    ".45 ACP - because shooting twice is just silly" - JSOP, 2010
    -----
    You can never have too much ammo - unless you're swimming, or on fire. - JSOP, 2010
    -----
    "Why don't you tie a kerosene-soaked rag around your ankles so the ants won't climb up and eat your candy ass." - Dale Earnhardt, 1997

    Hans Dietrich wrote (#2):

    Did you get a dedicated IP address? If yes, then I think the admin should be able to isolate the one being DOS'd. I wonder what other sites are on your server????? In any case, I'd call them, and insist on a ticket elevation. One time my server failed, and they had it replaced within two hours. What's their problem? My site seems to be unaffected (crossing everything I have).

    Best wishes, Hans


    [Hans Dietrich Software]

      fjdiewornncalwe wrote (#3):

      Why, oh why, do you constantly try to use [edit]VALID[/edit] logic in these situations...

      I wasn't, now I am, then I won't be anymore.

        realJSOP wrote (#4):

        Well, I've tried my usual low-profile approach to problems: 0) Used their live chat to insult the support reatrds 1) Sent an angry email to sales, support, and qa 2) Posted unflattering messages on their forum. They know there's a problem, but 24 hours to fix it is simply too-frakkin-long. I tried your site to see if it was Arvixe et al, or just my site. I can get to arvixe, and I can get to your site, but mine is offline (can't browse the site, can't connect via ftp, and can't log onto my control panel). Up until this morning, I couldn't send/receive email on that account either.

        ".45 ACP - because shooting twice is just silly" - JSOP, 2010
        -----
        You can never have too much ammo - unless you're swimming, or on fire. - JSOP, 2010
        -----
        "Why don't you tie a kerosene-soaked rag around your ankles so the ants won't climb up and eat your candy ass." - Dale Earnhardt, 1997

          Nagy Vilmos wrote (#5):

          John Simmons / outlaw programmer wrote:

          Well, I've tried my usual low-profile approach to problems

          Where's #3, the .45 ACP?


          Panic, Chaos, Destruction. My work here is done. or "Drink. Get drunk. Fall over." - P O'H OK, I will win to day or my name isn't Ethel Crudacre! - DD Ethel Crudacre Have a bit more patience with newbies. Of course some of them act dumb -- they're often *students*, for heaven's sake. -- (Terry Pratchett, alt.fan.pratchett)

            Hans Dietrich wrote (#6):

            You should call them. Tell them you want your site on another server today. Don't ask them what the problem is - that's a rabbit hole. If the support guy can't promise that, ask to speak to his supervisor. I think a "firm but civil" approach would work best.

            Best wishes, Hans


            [Hans Dietrich Software]

              realJSOP wrote (#7):

              It's a character flaw that I'm not going to bother trying to remedy. :)

              ".45 ACP - because shooting twice is just silly" - JSOP, 2010
              -----
              You can never have too much ammo - unless you're swimming, or on fire. - JSOP, 2010
              -----
              "Why don't you tie a kerosene-soaked rag around your ankles so the ants won't climb up and eat your candy ass." - Dale Earnhardt, 1997

                Ian Shlasko wrote (#8):

                One IP might refer to a dozen sites... Could be using virtual hosting. If they're actually hosting one site per IP, that might be possible... Granted, I haven't had to defend against a DoS since the old ICMP 139 days (Ah, the amusement of watching some IRC script kiddie's WinNuke wash up against my firewall - I loved basking in their frustration)... Of course, it kinda sends a message to their customers... "If you get attacked, we'll just shut you down"... Not the best marketing slogan.

                Proud to have finally moved to the A-Ark. Which one are you in?
                Author of the Guardians Saga (Sci-Fi/Fantasy novels)

                  realJSOP wrote (#9):

                  I'm on a dedicated IP, but I suspect they're using virtual servers.

                  ".45 ACP - because shooting twice is just silly" - JSOP, 2010
                  -----
                  You can never have too much ammo - unless you're swimming, or on fire. - JSOP, 2010
                  -----
                  "Why don't you tie a kerosene-soaked rag around your ankles so the ants won't climb up and eat your candy ass." - Dale Earnhardt, 1997

                    Hans Dietrich wrote (#10):

                    Wow. Just looked at their forum. Sounds like Turnsol is really hosed. One support guy claims that dedicated IP sites don't have any problems, but that's obviously BS. You need to be firm about getting off Turnsol. Call them back every hour for when that will be done.

                    Best wishes, Hans


                    [Hans Dietrich Software]

                      Senthil Kumar wrote (#11):

                      That would work only if the source of the DoS attack is an infected machine. There are other "reflection" attacks, where infected machines send IP packets to normal machines with the sender (spoofed) set as the server under attack. The normal machines respond to the request, and the requests flood the server.

                      Regards Senthil _____________________________ My Home Page |My Blog | My Articles | My Flickr | WinMacro
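
Added example, not part of any post in this thread: a sketch of step 0 of the original proposal (finding the attacked IP from flow records) that also compares per-source filtering with a single destination drop when the traffic is reflected, and shows what a destination drop costs under the virtual-hosting caveat raised earlier. The flow records, addresses, site names, reflector port list and the 0.8 threshold are all constructed assumptions.

```python
from collections import Counter

# UDP services often abused as reflectors (assumption added here, not from the thread).
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP"}

# Constructed hosting layout: one dedicated-IP site, one IP shared by name-based vhosts.
SITES_BY_IP = {
    "192.0.2.10": ["site-a.example"],
    "192.0.2.11": ["site-b.example", "site-c.example", "site-d.example"],
}

def constructed_flows():
    """Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, packets)."""
    flows = []
    for i in range(200):  # 200 reflectors answering spoofed queries
        port = 53 if i % 2 == 0 else 123
        flows.append((f"198.51.100.{i + 1}", port, "192.0.2.10", 40000 + i, "udp", 500))
    for i, dst in enumerate(["192.0.2.10", "192.0.2.11", "192.0.2.11"]):  # ordinary visitors
        flows.append((f"203.0.113.{i + 1}", 50000 + i, dst, 80, "tcp", 20))
    return flows

def find_target(flows):
    """Step 0 of the proposal: the destination IP receiving the most packets."""
    per_dst = Counter()
    for _src, _sport, dst, _dport, _proto, pkts in flows:
        per_dst[dst] += pkts
    dst, pkts = per_dst.most_common(1)[0]
    return dst, pkts / sum(per_dst.values())

def assess(flows, target):
    """Compare per-source filtering with dropping all traffic to the target IP."""
    hits = [f for f in flows if f[2] == target]
    refl = [f for f in hits if f[4] == "udp" and f[1] in REFLECTOR_PORTS]
    share = sum(f[5] for f in refl) / sum(f[5] for f in hits)
    return {
        "source_rules": len({f[0] for f in refl}),  # one filter entry per reflector
        "destination_rules": 1,                     # one drop rule for the target IP
        "reflected_share": share,
        "likely_reflection": share > 0.8,           # arbitrary example threshold
        "sites_taken_offline": SITES_BY_IP.get(target, []),
        "sites_spared": [s for ip, sites in SITES_BY_IP.items()
                         if ip != target for s in sites],
    }

if __name__ == "__main__":
    flows = constructed_flows()
    target, share = find_target(flows)
    print(target, f"{share:.2%}")
    for key, value in assess(flows, target).items():
        print(f"{key}: {value}")
```

If the target were the shared address instead, `sites_taken_offline` would list every virtual host on that IP, which is the cost of a destination drop on name-based hosting.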

                        GenJerDan wrote (#12):

                        Yep. Way more for a dedicated box of your own.

                        The enemy of my enemy of my enemy of my enemy is Kevin Bacon. My Mu[sic] My Films My Windows Programs, etc.
