A friend of mine owns a site which has very little traffic and sells a niche product. Because he gets so little traffic, alarm bells immediately sound when suddenly there is a spike.
If there ever were a spike he would probably be rich, but the chances of that happening are very slim.
Anyway, this night the guy called me up at 3:30 saying he had received an email from some hotmail address saying something like:
I understand how much revenue you bring in each month, I can bring that down to 0 if I wish. Think I’m kidding? Think this is a joke?
And then his demands.
So, thinking this was indeed a joke, I asked why he )(@#%()#@% woke me. But it wasn’t a joke. The site was down, and had been for 1.5 hours already, costing my friend money.
A bit groggy from sleeping, I could not imagine this being anything other than some lame DoS attack: one or a few computers bonking away on :80.
Unfortunately that was not the case at all.
This was a quite heavy DDoS (for this kind of lame threat / blackmail). Within a few minutes I had already collected (and blocked) over 200 unique IPs (mostly from different address classes).
In this blog I have shown more than once some ideas for catching and blocking DDoS attacks from within Linux, and this one was rather simple and could be blocked using:
A few notes here: Apache (or whatever you might use) queues all those incoming connections and leaves them connected even though they are blocked. Because of this, during the attack I ran this from cron: */10 * * * * service httpd restart. That makes Apache immediately kill off those bad connections, but finish off the real ones with a real response. At least you’ll have service for most people using this method.
Of course it required a bunch of tweaking, as the attacker changed his strategy quite often to make it more difficult.
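As an added illustration (not the author's command, which is not shown in the post), here is one way to spot the flooding sources the way the post describes: count connections per remote address on port 80 and turn the busiest ones into iptables DROP rules for review. The netstat-style lines, the threshold of 3 and the INPUT chain are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample of `netstat -ntu`-style lines (proto recv-q send-q local remote state);
# not captured from the server in the post.
SAMPLE_NETSTAT='tcp 0 0 10.0.0.5:80 203.0.113.7:51234 SYN_RECV
tcp 0 0 10.0.0.5:80 203.0.113.7:51235 SYN_RECV
tcp 0 0 10.0.0.5:80 203.0.113.7:51236 ESTABLISHED
tcp 0 0 10.0.0.5:80 198.51.100.9:40001 ESTABLISHED
tcp 0 0 10.0.0.5:80 198.51.100.9:40002 ESTABLISHED
tcp 0 0 10.0.0.5:80 198.51.100.9:40003 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.9:40004 SYN_RECV
tcp 0 0 10.0.0.5:80 192.0.2.33:55000 ESTABLISHED
tcp 0 0 10.0.0.5:22 203.0.113.7:51300 ESTABLISHED'

# Read netstat-style lines on stdin; print "ip count" for every remote address
# holding at least $1 connections to local port 80, busiest first.
top_talkers() {
  awk -v threshold="$1" '
    $4 ~ /:80$/ {                 # only connections to the web port
      split($5, remote, ":")      # drop the remote port, keep the address
      conns[remote[1]]++
    }
    END { for (ip in conns) if (conns[ip] >= threshold) print ip, conns[ip] }
  ' | sort -k2,2nr
}

# Turn the offender list into iptables DROP rules and print them for review.
# Assumes the INPUT chain; pipe into sh only after eyeballing the list, since a
# busy legitimate client (a big NAT, a crawler) can cross the threshold too.
block_rules() {
  awk '{ printf "iptables -I INPUT -s %s -j DROP\n", $1 }'
}

printf '%s\n' "$SAMPLE_NETSTAT" | top_talkers 3 | block_rules
```

On a live box, replace the sample with the real `netstat -ntu` output and re-run it from cron as often as the attacker changes sources.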
I don’t get people who do this and I certainly don’t understand how they can mount such a huge attack with so many different IPs.
Edit: the attack has been going on for 9 hours now… site doing fine.