CL1-WIN32 - large DDOS attack - causing slowness

Stephen

US Operations
Staff member
We are seeing a large DDOS attack on Win32. We've been fighting off smaller bits through the day, but it's really picked up in impact right now. We are working to bring it under control ASAP.
 
It is coming on the shared IP making it a bit hard to control by a shutdown of the site.
 
Still hiccups. At the moment, with just the most bare logging (not serving up anything but an unavailable error on the domain), it's still coming with logs of 10MB per minute, just in showing the IP addresses hitting, pretty heavy.
 
I hate doing this on migrations, but I am focusing entirely on this Win32 DDOS stopping and migrations postponed until tomorrow night.
 
I am going to take down the network while getting the top 30 attackers blocked directly now, because this is taking quite a while to get suitably resolved.
Should be up in 10 minutes if all goes well.
 
The network has been back up for a bit, still working on getting new series blocked.
The more I seem to block, the more come in.
 
I have temporarily removed just the shared IP from the network; the server itself and any on dedicated IP (SSL sites) are up and going. Working on a new plan for serving up only the tiniest replies for any request.
 
Shared IP is back up to see if this test is relieving any of the pain of the 1000s of IPs hitting.
 
OK, I think I can already tell, this is worse. I was attempting to, instead of serving up 503 errors to the site being attacked, serve up blank files for any request, but the amount of requests is overwhelming the server in every way to serve up blank 404 errors as well. Going to undo this change.
 
We've pointed the site being attacked to a non-existing IP now, so hoping this will prevent future bots from joining in the attacks. The server is responding but still slow at times; it comes in waves.
 
Going to reboot the server shortly.
Need to clear some things up after a lot of work.
 
With the DNS changes and the massive amount of IPs blocked, things are settling down; still some coming in, but this is manageable now.
 
While attacks are still coming in, most sites are loading; some ASP.NET sites are being slow to generate on first hits, due to the added processing of the attacks. I am going to really double down on the process on the upgrade to 2008 for Win32 as well. We've done the upgrade twice and each time errors happen with the ASP.NET sites there as well. This server really is giving some trouble, but moving to 2008 would be a big benefit in keeping even attacks like this from impacting as badly, with better application routing ability at low level.
 