DDOS attack on board

Discussion of non-phpBB related topics with other phpBB.com users.
Forum rules
General Discussion is a bonus forum for discussion of non-phpBB related topics with other phpBB.com users. All site rules apply.
NewToPHPBoards
Registered User
Posts: 248
Joined: Wed Feb 03, 2016 1:38 pm

Re: DDOS attack on board

Post by NewToPHPBoards »

Hi Robert,

The ISP's setup to stop a DDoS is to disable the site (I guess because it effects other sites on the same server rack).

I agree this is not very useful.

I just wish they could provide me with more evidence. I don't understand why the Google Stats I record across the site would not have mirrored the surge the ISP apparently witnessed.
Paul
Infrastructure Team Leader
Infrastructure Team Leader
Posts: 28853
Joined: Sat Dec 04, 2004 3:44 pm
Location: The netherlands.
Name: Paul Sohier

Re: DDOS attack on board

Post by Paul »

Lumpy Burgertushie wrote: Fri Jun 22, 2018 3:20 pm very strange but it still boils down to a problem with the security setup on the server which is your host's concern. If they are not setup to stop a ddos then I would seriously look for a different host.


robert
Iam pretty sure 99% of the shared hosting is not able to cope with a major ddos. Even large companies like banks are not able to, and they spent huge amounts of money on it.
NewToPHPBoards wrote: Fri Jun 22, 2018 3:38 pm Hi Robert,

The ISP's setup to stop a DDoS is to disable the site (I guess because it effects other sites on the same server rack).

I agree this is not very useful.

I just wish they could provide me with more evidence. I don't understand why the Google Stats I record across the site would not have mirrored the surge the ISP apparently witnessed.
because you probably don't have Google analytics on your error page
NewToPHPBoards
Registered User
Posts: 248
Joined: Wed Feb 03, 2016 1:38 pm

Re: DDOS attack on board

Post by NewToPHPBoards »

Paul wrote: Fri Jun 22, 2018 3:48 pm because you probably don't have Google analytics on your error page
True - the error page is nothing to do with PHPBB - it was served via the server from MYSQL.

However - it's not a surge to the error page that caused the error in the first place. That only appeared because of a cause. I should see the initial attack on Google Stats right?
User avatar
JLA
Registered User
Posts: 618
Joined: Tue Nov 16, 2004 5:23 pm
Location: USA
Name: JLA FORUMS

Re: DDOS attack on board

Post by JLA »

NewToPHPBoards wrote: Fri Jun 22, 2018 3:38 pm Hi Robert,

The ISP's setup to stop a DDoS is to disable the site (I guess because it effects other sites on the same server rack).

I agree this is not very useful.

I just wish they could provide me with more evidence. I don't understand why the Google Stats I record across the site would not have mirrored the surge the ISP apparently witnessed.
What makes you think you are receiving a DDOS?
User avatar
thecoalman
Community Team Member
Community Team Member
Posts: 6313
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: DDOS attack on board

Post by thecoalman »

First and foremost find a host that is going to work with you on this. There should be no expectation that a host is going to stand behind you 100% unless you are paying a lot of money because blocking a DDOS can get very expensive. There should be an expectation they will work with you for limited time.
NewToPHPBoards wrote: Thu Jun 21, 2018 4:45 am 1) Block significant ranges of IP addresses originating from China.
Depending on what type of attack and the scale this is unlikely to be helpful for most of them, you need to stop it before it gets to the server. Trying to block an attack with the firewall is difficult let alone trying to do it with .htaccess rules because the server still needs to process those requests. Note that the Cloudflare firewall can be configure to black countries but this is completely different because those requests never get to the origin server.
2) Introduce Cloudflare, and install the Cloudflare extension for IP.
Cloudflare can stop this but you need to protect the origin IP because if that is exposed they can just go after the IP making Cloudflare useless

Cloudflare does not allow email over their network which means the IP can be exposed simply by someone registering. Emails need to be sent from a different IP, email service on it's own server is ideal but that adds more expense. If you are using WHM/Cpanel it can be set to send email through the main IP which should be different than the IP your domain is on. This of course would not prevent them attacking that IP but it can then be null routed and you would only lose email service. Hosts typically allocate IP's in order so make sure the IP your domain is on is not right next door to the one sending email.

You also need to disable any feature in phpBB that exposes the IP like remote avatar uploads.

The other major thing you want to do since all legitimate traffic should be coming form Cloudlfare IP's is to firewall ports 80 and 443 except for Cloudlfare IP's. If they know your host which can be guessed from the IP of the email they will run a bot across your hosts IP ranges and make a request for unique file(s) on your site which is basically like a fingerprint.

You also need to install mod_cloudflare on the server so the users IP is passed to applications like phpBB, logging etc. If that is not possible there is an extension for phpBB but that only works for phpBB.

Beyond that explore the options in CSF if you are using it, there is specific settings you can enable that will help mitigate an attack. CSF also has configurable option to work with Cloudlfare so any IP's banned can be directly added to Cloudflares's firewall.

I know this is a mouthful especially if you are on shared hosting but these are some of things you need to do if you expect to stop or mitigate future attacks.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison
User avatar
thecoalman
Community Team Member
Community Team Member
Posts: 6313
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: DDOS attack on board

Post by thecoalman »

Mick wrote: Fri Jun 22, 2018 6:53 am I find it odd that anyone would target a bulletin board with a DDoS attack, it’s a lot of work for no benefit as far as I can see.
The "bot herder" is typically a hired gun, you can literally rent a botnet by the hour if you wanted.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison
User avatar
thecoalman
Community Team Member
Community Team Member
Posts: 6313
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: DDOS attack on board

Post by thecoalman »

NewToPHPBoards wrote: Fri Jun 22, 2018 2:19 pm
According to the ISP it was only my board - they still haven't provided suitable evidence on this point yet. My Google Analytics don't match what the ISP reported.
You need to look at the access logs on the server. The computers carrying out this attack would not be loading any external Javascript code such as the one provided for Google analytics. In fact this one of the techniques they use where nothing is loaded, they open a connection and let the connection hang as the server is waiting for an expected response before sending the page.

On reasons, this is purely speculative, but I experienced some domain name arguments with a Chinese firm last year.
It could be anyone and unless they come forward you will likely never know for sure.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison

Return to “General Discussion”