Dear community,
my site was recently attacjed by DDOS technique and goes down in a few minutes. My site runs under Debian/Apache2/Mysql.
I identified the IPs who attack me and block it through iptable firewall from debian.
Something like:
iptables -D INPUT -s xxx.xxx.xxx.xxx -j DROP
This works perfect, but the attacker just completely change the IP addresses.
What I'm thining to do is create a rules with iptables who accept a total ammount of requests from the same IP and the DROP if the ammount is exceeded. Something like:
iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
The problem here is maybe I miss something because if I refresh the webpage 6/7 times it just drop me the other requests. Maybe I don't understand how "--seconds 60 --hitcount 10" works.
Could you please help me to create a rules to try to block new requests if they come togheter at the same time like an attack?
It's hard to use iptables effectively to mitigate an DDOS attack with changing IP addresses.
Most attackers easily change IP addresses; but they forget to change the User Agent string, so it's often easier to block the hackers User Agent string. Did you do any analysis on the UA strings?
Also, if you are using Apache2, there may be an anti-DDOS module, as I recall.
Is the server overloaded, so you need to stop the DDOS before it gets to the server? You could potentially throttle concurrent connections upstream at your firewall, assuming you have one upstream of your server.
If you have something less public (for your use only) - you could try security by obscurity, and move the port you've exposed your apache server on (move it from TCP port 80/443 to 90/7443 or something). If it isn't a managed DDOS, the bots won't generally find you again. To use it, the url becomes site:90/path It's an emergency workaround, but probably not a good long-term fix.