DDOS attack mitigation on Centos 7 WHM hosted on Hetzner
My server is under DDOS attack since a week now, every day, two to three times a day, for as long as 2 to 5 hours.
During the attack is very hard, close to impossible to access the WHM admin. I have tried most of the common mitigation solutions I could find. I installed CSF, made all the necessary settings for SYN FLOOD, and UDP attacks.
Currently I am working on using fail2ban with iptables as instructed here, but the fail2ban log does not show any taken action during the attack.
The only way I can access the server is by the Hetzner provided console, where I can also see a graphic that depicts the attack. I have tried to contact them, as they are advertising DDOS protection, but they told me that the attack is to small to be detected by their protection methods and that I have to mitigate this myself - they were the ones that suggested the ip2ban solution. Given the below provided log and graphic, is there anybody that could tell me what am I doing wrong or give me suggestion on how to try overcome this situation?
I had similar issues with my dedicated server with a different hoster. They were using Voxility-IPs. Voxility is a DDoS protection provider which helps to mitigate DDoS attacks. We've been attacked multiple times when we were using the old hoster.
But unfortunately the attack came from an attacker with more than 4 million Telekom proxies, and he reached about 500,000 connections per second on our server and flooded our server, so it was not useable anymore. I've contacted my hoster at this time, and they said, the attack is not a usual one, that's why I had to use tcpdump to record the network traffic during the attack. Then they could send this to Voxility to analyze the traffic and optimize their AI. Its task is to analyze the traffic before it decides if it's suspicious and needs to be mitigated or not.
I would recommend doing the same. You could record the traffic of the attack using tcpdump and download the .pcap file and open it with Wireshark. Then you could see the source IP-Addresses and set a firewall rule set (UFW is a local firewall on the server) using UFW to deny requests coming from the attackers IP-Addresses.
If you need any help, feel free to reach out to me!
- Invalid ELF header out of the gate running simple nodejs script
- "to_string" isn't a member of "std"?
- How can I ignore some differences in the 'diff' command?
- How to limit the number of results from find?
- Why is clangd not seeing my custom library location
- "/bin/bash^M: bad interpreter: No such file or directory" error when executing a bash script from a cron job
- How can I diff a directory for only files of a specific type?
- Is there any way to compile additional code at runtime in C or C++?
- What is this error in XAMPP starting? How can i fix this?
- Where does signal handler return back to?
- using access to check usb port by path fails because of port0 suffix
- Kubernetes Pods Terminated - Exit Code 137
- Google services json file for github actions?
- Take screenshot in gnome environment via its dbus api
- Change linux kernel installation directory
- How does SIGINT relate to the other termination signals such as SIGTERM, SIGQUIT and SIGKILL?
- How to limit heap size for a c code in linux
- How to unzip a .vw.gz file in linux?
- Running soft linked node script as cmd. can't find installed modules
- How can I execute PHP code from the command line?
- autorun script in bash for minecraft
- Advantage of winelib?
- Setting JAVA_HOME does nothing in Linux
- java.lang.NoClassDefFoundError: Could not initialize class java.awt.Toolkit
- How to change path to the current directory in bash
- Vulkan: dynamic rendering image transition
- 'E: Unable to locate package hydra' In termux
- How to run a shell script at startup
- Check battery level of connected bluetooth device on linux
- XML Block insert into .xml file via xsltproc on Linux