It was inevitable that this was going to happen really. All the private servers will be hit at some point. How bloody lame.
Henhouse wrote: Host company has frozen the server for a while but that does nothing. It's essentially like pressing pause/play on the DDoS attack. We're not big enough to afford DDoS mitigation, practically no one is. So the only option is to wait for this to blow over, or hope the company is able to do something about it, which I doubt they will. DDoSing is very serious and I think a lot of people don't understand that. It's not easy to resolve or fix at all, not unless you're able to afford tremendous amounts of protection which not many are.
Caution wrote: Oh great, fearless leader of ours....
Henhouse wrote: We're under a massive-scale DDoS attack by the same person that took down AT. This is going to be fun. He must be really bored...
Any updates?
Like everyone else, I'm not complying nor corresponding with this person. I would rather see Smolderforge shut down than give money to someone holding the server down for ransom.
wsg horde vs alliance
Re: wsg horde vs alliance
Retired Developer.
Re: wsg horde vs alliance
That Trent cunt has attacked quite a few servers now.
Re: wsg horde vs alliance
http://www.cloudflare.com/plans is your solution, and it has a basic free plan.
btw, those are probably using standard HOIC or LOIC tools for DDoS, any well-configured firewall can block those.
PS
This started at MoP release, so I wouldn't be surprised if Blizzard is behind it, as not many people have the DDoS power for such a large attack.
Also, Henhouse, you should be able to see the IPs of the DDoS-ers, try to do some research on them.
Alts: Dooma, Eomera, Exelios.
Re: wsg horde vs alliance
Let's just assume the attacks stop exactly after 24 hours... the way he types makes me wonder if he has food for the next month.
Tap Peekaboo: Upset target moron.
DON'T MOVE!
DON'T MOVE!
- Firstaidkit
- Donor
- Posts: 2015
Re: wsg horde vs alliance
I don't have much knowledge of this but I think that it would be hard to trace the IPs since DDoS attacks are being performed by multiple computers and I don't think the hacker or hackers will be dumb enough to put them all on the same network so they all have the same IP. That would be dumb.
AT was down for 2 or 3 weeks so prepare and they even bought DDoS Protection which didn't work out too well. Also they have a full dev team that was working on it. Maybe you can contact them, Henhouse, and ask them how they solved it?
If it doesn't challenge you, it doesn't change you..
Follow me at http://twitch.tv/firstaidkitsmolderforge for PvP and good music!
Re: wsg horde vs alliance
As soon as AT bought DDoS protection and got it sorted, it was just down for a few hours every now and then for a week. It's stable now, wouldn't call that "didn't work out too well."
Firstaidkit wrote: AT was down for 2 or 3 weeks so prepare and they even bought DDoS Protection which didn't work out too well. Also they have a full dev team that was working on it. Maybe you can contact them, Henhouse, and ask them how they solved it?
Re: wsg horde vs alliance
worst post ever
SheLexa wrote: http://www.cloudflare.com/plans is your solution, and it has a basic free plan.
btw, those are probably using standard HOIC or LOIC tools for DDoS, any well-configured firewall can block those.
PS
This started at MoP release, so I wouldn't be surprised if Blizzard is behind it, as not many people have the DDoS power for such a large attack.
Also, Henhouse, you should be able to see the IPs of the DDoS-ers, try to do some research on them.
Re: wsg horde vs alliance
So quiet.
Firstaidkit wrote: I don't have much knowledge of this
Love when people who have no idea about the topic try to teach me the job I've been doing for years (IBM networking engineer).
Deems wrote: worst post ever
And how much do you, Deems, know about the topic? On how many DDoS attacks have you worked in your life? On how many systems like the Proventia Network IPS Protection Engine have you worked? How many datacenters are the fruit of your work?
Last edited by SheLexa on 27 Sep 2012, 14:52, edited 1 time in total.
Alts: Dooma, Eomera, Exelios.
Re: wsg horde vs alliance
I bet he's 16, loves playing CS, and comes from Sibiu, in Romania. Oh, and he'll die as a virgin.
Tap Peekaboo: Upset target moron.
DON'T MOVE!
DON'T MOVE!
Re: wsg horde vs alliance
Temp Solution 1: Block the ISP of the attacker.
If you have high load (say 5 or more) and a large number of HTTP processes, then I would ask you to do the following.
At the command prompt, execute the command below:
bash# netstat -anp | grep :80 | awk '{print $5}' | sort
Check each block of IPs. Let's assume you have more than 30 connections from a single IP. Under normal circumstances there is no need for that many connection requests from a single IP. Try to identify such IPs/networks from the list you get.
If more than 5 hosts/IPs connect from the same network, then it's a clear sign of DDoS.
Block those IPs/networks using iptables/APF:
iptables -A INPUT -s <IP-or-network> -j DROP
If you have APF, then just add the IPs you want to block to the file /etc/apf/deny_hosts.rules
Continue this process until the attack on the machine is reduced. There is no complete or perfect solution to DDoS. The logic is simple: no software or measures could handle attacks from multiple servers, say 50 - 100 servers all at a time. All that can be done is to take preventive measures.
Prevention: a few small steps that might help in the future.
Install Mod_dosevasive in your Apache.
Mod_dosevasive is a module for Apache that performs evasive action in the event of an HTTP DDoS attack or brute force attack. Please find the installation steps for mod_dosevasive in DSO mode below.
Eg: Install Mod_dosevasive
# wget http://www.nuclearelephant.com/projects ... 0.1.tar.gz
# tar -zxvf mod_evasive_1.10.1.tar.gz
# cd mod_evasive_1.10.1
# $APACHE_ROOT/bin/apxs -iac mod_evasive.c
"$APACHE_ROOT" is a variable that stores the location of the Apache installation (e.g. $APACHE_ROOT=/usr/local/apache)
# vi /usr/local/apache/conf/httpd.conf
After this, add the code below to httpd.conf
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
Then restart Apache
# /usr/local/apache/bin/apachectl restart
Install Mod_security
Since DDoS normally targets HTTP, it's always good to have a filtering system for Apache, so that requests get analyzed before the web server handles them. Please find the installation steps for mod_security in DSO mode below.
bash# wget http://www.modsecurity.org/download/mod ... 9.2.tar.gz
bash# tar -zxvf modsecurity-apache-1.9.2.tar.gz
bash# cd modsecurity-apache-1.9.2
bash# /usr/local/apache/bin/apxs -cia mod_security.c
Create a file named mod_security.conf under the folder /usr/local/apache/conf
bash# vi /usr/local/apache/conf/mod_security.conf
Create the rules with reference to the link http://www.modsecurity.org/documentatio ... mples.html and add them to the mod_security.conf file.
Add the location of mod_security.conf to httpd.conf
bash# vi /usr/local/apache/conf/httpd.conf
by adding the string below
Include /usr/local/apache/conf/mod_security.conf
Restart Apache
# /usr/local/apache/bin/apachectl stop
# /usr/local/apache/bin/apachectl start
Alts: Dooma, Eomera, Exelios.
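The manual triage in the post above (count connections per IP, count hosts per network, then write DROP rules) can be scripted. This is an added example, not part of the original post: the function names, the /24 reading of "network", and the sample connection table are assumptions, and the rules are only printed for review, never applied.

```shell
#!/bin/sh
# Thresholds follow the post: more than 30 connections from one IP,
# more than 5 hosts from one network (assumed here to mean a /24). IPv4 only.

# Constructed sample in `netstat -ant` column layout (documentation address ranges).
sample_netstat() {
  awk 'BEGIN {
    for (i = 1; i <= 35; i++)
      printf "tcp 0 0 192.0.2.10:80 203.0.113.7:%d ESTABLISHED\n", 40000 + i
    for (i = 1; i <= 6; i++)
      printf "tcp 0 0 192.0.2.10:80 198.51.100.%d:51000 SYN_RECV\n", i
    print "tcp 0 0 192.0.2.10:80 192.0.2.200:50123 ESTABLISHED"
    print "tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN"
    print "tcp 0 0 192.0.2.10:22 192.0.2.201:50200 ESTABLISHED"
  }'
}

# Print "ip count" for peers of local port 80 with more than $1 connections.
# Matching on the local-address column avoids grep :80 hitting ports like :8080.
heavy_ips() {
  awk -v max="$1" '$4 ~ /:80$/ && $6 != "LISTEN" {
      split($5, a, ":"); n[a[1]]++ }
    END { for (ip in n) if (n[ip] > max) print ip, n[ip] }' | sort
}

# Print "a.b.c.0/24 hosts" for /24s with more than $1 distinct peer hosts.
busy_networks() {
  awk -v max="$1" '$4 ~ /:80$/ && $6 != "LISTEN" {
      split($5, a, ":"); split(a[1], o, ".")
      net = o[1] "." o[2] "." o[3] ".0/24"
      if (!seen[a[1]]++) hosts[net]++ }
    END { for (net in hosts) if (hosts[net] > max) print net, hosts[net] }' | sort
}

# Turn the first field of each line into a candidate rule; nothing is executed.
as_rules() { awk '{ print "iptables -A INPUT -s " $1 " -j DROP" }'; }

# Demo on the constructed sample; on a live host pipe `netstat -ant` in instead.
sample_netstat | heavy_ips 30
sample_netstat | busy_networks 5
{ sample_netstat | heavy_ips 30; sample_netstat | busy_networks 5; } | as_rules
```

Review the printed rules before applying any of them, since a busy NAT gateway or proxy can legitimately exceed these thresholds.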