Mitigating DDOS Attack

[Matt Sonnentag]

One of my servers is currently under a DDOS attack. Basically we have 1000's of syn_recv packets queued for apache on port 80. We are looking for ways to mitigate this attack, so if anyone has some experience or some suggestions that would be great. The attack has been ongoing for approximately 24 hours.

Here is what we know:
Most of the attacking IPs are spoofed.
The "bot", I believe is illusion.
We know the user-agent signatures, they appear over an over from varying IPs
We have tried to block with BrowserMatch - no joy for some reason not catching it
We have tried mod_security - again no joy
mod_evasive sucks
Some joy with flood mon and blocking the various IPs with iptables
(so far we are up to about 4000 Class C's blocked)
With floodmon blocking we run about 1000-1800 queued syn-recv's from about 500 different Ips
We host at the planet and they moved us behind Cisco guard, does not seem to have even affected it.
Yes, tcp_syn cookies is on. This is not doing much good.

Any help would be appreciated!!!!!!

 

[Matt Sonnentag]

Working with the folks at the planet we installed apf and ddos-denial, still no luck

 

[clinton4]

Did you ever find a solution? Sure would like to hear about it

 

[Matt Sonnentag]

We had a few extra IP's laying around, so the ultimate goal was to figure out what site was being ddosed.

Step 1) move each to a new "staging IP", see if the attack moves
Step 2) move each site to a final "New IP"
Once we figured out the site(s), we took them offline for a week and just blocked access to the IP from the Internet.

Eventually you discover the domain being DDOSed.

You have to change ip's for your shared sites because that old IP will continue to be ddosed.

 

[Matt Sonnentag]

So basically,

Hide