DDoS attack on forum [Need Help]

Started by Game.ruler, April 21, 2013, 02:35:40 PM


Game.ruler

Hi Simple Machines,
I have been using SMF for almost 2 years. This is the first time I have got into such a problem.
A few days back one of our admins banned a guy for some reason, then he registered with a fake ID and said that he would take some revenge and all.
I didn't take that seriously. Then 2 days later my account was suspended.

Then I contacted my host about this, and they told me: "Your website has been receiving a large DDoS attack affecting other users on the server. We have temporarily suspended the website and currently we are working on a solution to evade the attack so that your website can be restored."

The website was down for 2 days. Then it was up again for 12 hours. Then it happened again. And the website is still down.




After this attack I read a lot about DDoS on the internet and in SMF support topics, and I came up with a few problems:
1. Is there any way to track down the IP or something of that user? Because I am sure he is from my country, and I read somewhere on the internet that a DDoS attack is illegal and the cyber crime department can take care of that.
2. Are there any mods or ways in SMF to block the attacks or lessen their effect?
3. Also, I checked my "Stats" page for an increased number of page views due to the DDoS attack, but there were normal pageviews.
So this attack doesn't increase the pageviews or generate some errors in the error log?

I don't know what to do in this condition, or how to deal with that guy. Please help me with this problem.
Thank you.

kat

Seriously?

Your host should be dealing with that. It's FAR easier for them to do that than it is, for you.

Trying to block them at anything above server level is gonna be pretty pointless.

Jeremy M.

Quote from: Game.ruler on April 21, 2013, 02:35:40 PM
Hi Simple Machines,
I have been using SMF for almost 2 years. This is the first time I have got into such a problem.
A few days back one of our admins banned a guy for some reason, then he registered with a fake ID and said that he would take some revenge and all.
I didn't take that seriously. Then 2 days later my account was suspended.

Then I contacted my host about this, and they told me: "Your website has been receiving a large DDoS attack affecting other users on the server. We have temporarily suspended the website and currently we are working on a solution to evade the attack so that your website can be restored."

The website was down for 2 days. Then it was up again for 12 hours. Then it happened again. And the website is still down.




After this attack I read a lot about DDoS on the internet and in SMF support topics, and I came up with a few problems:
1. Is there any way to track down the IP or something of that user? Because I am sure he is from my country, and I read somewhere on the internet that a DDoS attack is illegal and the cyber crime department can take care of that.
2. Are there any mods or ways in SMF to block the attacks or lessen their effect?
3. Also, I checked my "Stats" page for an increased number of page views due to the DDoS attack, but there were normal pageviews.
So this attack doesn't increase the pageviews or generate some errors in the error log?

I don't know what to do in this condition, or how to deal with that guy. Please help me with this problem.
Thank you.

DDoS attacks are illegal, but honestly, you would have a better chance of finding a needle in a haystack than having this person arrested. Why? Because more than likely, the person doing this attacking has masked his IP address and MAC address; therefore, it will be almost physically impossible to track him down.

Storman™

Quote
Is there any way to track down the IP or something of that user? Because I am sure he is from my country, and I read somewhere on the internet that a DDoS attack is illegal and the cyber crime department can take care of that.

First of all, prove it. How do you know it's "that guy"?

Like K@ says it's certainly not something you can deal with at domain level (you can forget about looking for a mod).

Even at server level there's only so much you can do, effectively it needs to be dealt with at the data centre so that they reroute the traffic. Whether your host can do that depends on their hosting setup.

Even then there's no true way to stop it, even partially effective measures can cost several thousand dollars per day.

If you are on shared hosting then most hosts will simply suspend your account as it's not viable financially to pursue it for you. Eventually it will probably stop but obviously that's no consolation in the short term.

Game.ruler

Quote from: StormChaser83 on April 21, 2013, 02:59:06 PM
DDoS attacks are illegal, but honestly, you would have a better chance of finding a needle in a haystack than having this person arrested. Why? Because more than likely, the person doing this attacking has masked his IP address and MAC address; therefore, it will be almost physically impossible to track him down.
Thanks StormChaser for the reply, I just wanted that person to realize what he is doing.

Quote from: K@ on April 21, 2013, 02:45:15 PM
Seriously?

Your host should be dealing with that. It's FAR easier for them to do that than it is, for you.

Trying to block them at anything above server level is gonna be pretty pointless.
Hi K@, yes, they should be able to do it. But I don't know what it is that is taking this long for them.
Also K@, is it the host's responsibility to provide this security or not? I just feel helpless in this condition.

Game.ruler

Quote from: Storman™ on April 21, 2013, 03:01:33 PM
First of all, prove it. How do you know it's "that guy"?

Like K@ says it's certainly not something you can deal with at domain level (you can forget about looking for a mod).

Even at server level there's only so much you can do, effectively it needs to be dealt with at the data centre so that they reroute the traffic. Whether your host can do that depends on their hosting setup.

Even then there's no true way to stop it, even partially effective measures can cost several thousand dollars per day.

If you are on shared hosting then most hosts will simply suspend your account as it's not viable financially to pursue it for you. Eventually it will probably stop but obviously that's no consolation in the short term.
Hi Storman, that guy has changed his FB status saying he is responsible for this. Also, when the website was up, he again changed his status saying he will do it again, and it happened just a few hours after that.
But Storman, there should be some way, or hosts which provide security against such attacks for not much extra payment over what I am currently paying. If it's possible then I will change my host.

kat

These things are far too easy to do, sadly.

If I was in your position, I think I might try to be a bit devious. How would it be, do you think, if you told your members that you're going to close the forum, for a week, or so, to outside viewers? (After telling them what you're up to)

You could put a front page message up, saying something like "This forum has been closed, due to the pathetic actions of [Idiot's name]".

Leave it, like that, for a while, so that he thinks he's won. Let him gloat, like the child that he is. Then, after a time, reopen it.

I suspect that he'll keep trying. But, if you only give the forum the appearance of being closed, by making it "Current members only", for a while, thereby making it appear to be closed, might he lose interest?

Game.ruler

Hi K@, I think I can do this. But I know he won't lose interest easily. But I will try this for sure. Thanks for this suggestion.

kat

Been doing a bit of research...

How would it be, if you had something like this, in your .htaccess file?

RewriteEngine On
RewriteCond %{THE_REQUEST} ^ptrxcz.*$
RewriteRule (.*) - [F]

# BEGIN ddosprotect

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END ddosprotect


For small attacks, it seems that this kinda works:

Add this into the .htaccess of the main page of your website.


AuthUserFile /home/pathto/.htpasswd
AuthType Basic
AuthName "Please enter XYZ as the user to enter"
require valid-user


and create an .htpasswd file, somewhere (the path you put as "/pathto/.htpasswd", above), with just "XYZ" in it. This'll create a small login telling people to put "XYZ" into the user bar and nothing into the password and validating. Apparently, it'll stop any GET flood (common DDoS type by server) as they'll be stuck, because they can't validate and will just be stuck there.

Then, hopefully, you wait for the attacker to grow up and you can remove it.
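
Added example, not part of kat's post or of SMF: with the Basic Auth prompt in place, requests that never authenticate are answered with HTTP 401, so the access log shows which clients keep hammering the prompt. The sketch assumes Apache's common/combined log format; the threshold, the function name and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache common/combined log line: ip ident user [time] "request" status size ...
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def flood_suspects(lines, per_minute=5):
    """Return {ip: peak 401 GETs in one minute} for clients that hit the auth
    prompt at least `per_minute` times in a minute and never got past it."""
    denied = defaultdict(Counter)   # ip -> {minute: number of 401 GETs}
    authed = set()                  # ips that passed the prompt at least once
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                # skip malformed lines instead of failing
        minute = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(second=0)
        if m["status"] == "401" and m["method"] == "GET":
            denied[m["ip"]][minute] += 1
        elif m["user"] != "-" and m["status"] != "401":
            authed.add(m["ip"])
    return {ip: max(c.values()) for ip, c in denied.items()
            if ip not in authed and max(c.values()) >= per_minute}

# Constructed sample: one visitor who logs in, one stray request, one flooder.
SAMPLE = [
    '198.51.100.7 - - [21/Apr/2013:16:40:01 +0000] "GET / HTTP/1.1" 401 381',
    '198.51.100.7 - XYZ [21/Apr/2013:16:40:09 +0000] "GET / HTTP/1.1" 200 5120',
    '192.0.2.11 - - [21/Apr/2013:16:40:12 +0000] "GET /index.php HTTP/1.1" 401 381',
    'garbage line',
] + [
    f'192.0.2.10 - - [21/Apr/2013:16:41:{s:02d} +0000] "GET /index.php HTTP/1.1" 401 381'
    for s in range(0, 60, 10)       # six requests inside one minute
]

if __name__ == "__main__":
    print(flood_suspects(SAMPLE))
```

The resulting address list is something to hand to the host for blocking at server level; a 401 is cheap to serve but still costs a connection, so this measures the flood rather than stopping it.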

Game.ruler

Thanks a lot K@, I will add this as soon as the website is up.
And I have only 1 website at the host.
So should I add both to the main .htaccess file?

kat


Game.ruler

Quote from: K@ on April 21, 2013, 04:32:40 PM
Try one, then the other. :)
Sure, I will try both of them.
Thanks a lot for this help. Thanks.

winniethepooh

Quote from: Game.ruler on April 21, 2013, 03:27:37 PM
Quote from: Storman™ on April 21, 2013, 03:01:33 PM
First of all, prove it. How do you know it's "that guy"?

Like K@ says it's certainly not something you can deal with at domain level (you can forget about looking for a mod).

Even at server level there's only so much you can do, effectively it needs to be dealt with at the data centre so that they reroute the traffic. Whether your host can do that depends on their hosting setup.

Even then there's no true way to stop it, even partially effective measures can cost several thousand dollars per day.

If you are on shared hosting then most hosts will simply suspend your account as it's not viable financially to pursue it for you. Eventually it will probably stop but obviously that's no consolation in the short term.
Hi Storman, that guy has changed his FB status saying he is responsible for this. Also, when the website was up, he again changed his status saying he will do it again, and it happened just a few hours after that.
But Storman, there should be some way, or hosts which provide security against such attacks for not much extra payment over what I am currently paying. If it's possible then I will change my host.

Call the cops and report his ass.
"But I'm tryin' Ringo.I'm tryin' real hard to be the Shepherd."


MrPhil

If he's boasting about it on FB, maybe you can persuade FB to ban him. I would presume there's some mechanism for filing a complaint against another member for using FB to promote illegal activity.

winniethepooh

Quote from: K@ on April 21, 2013, 03:48:25 PM
Been doing a bit of research...

How would it be, if you had something like this, in your .htaccess file?

RewriteEngine On
RewriteCond %{THE_REQUEST} ^ptrxcz.*$
RewriteRule (.*) - [F]

# BEGIN ddosprotect

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END ddosprotect


For small attacks, it seems that this kinda works:

Add this into the .htaccess of the main page of your website.


AuthUserFile /home/pathto/.htpasswd
AuthType Basic
AuthName "Please enter XYZ as the user to enter"
require valid-user


and create an .htpasswd file, somewhere (the path you put as "/pathto/.htpasswd", above), with just "XYZ" in it. This'll create a small login telling people to put "XYZ" into the user bar and nothing into the password and validating. Apparently, it'll stop any GET flood (common DDoS type by server) as they'll be stuck, because they can't validate and will just be stuck there.

Then, hopefully, you wait for the attacker to grow up and you can remove it.

IMO, this post should be split to a new topic in the tips and tricks section. Such a useful resource for any webmaster. Thanks for this, K@.
"But I'm tryin' Ringo.I'm tryin' real hard to be the Shepherd."

tumbleweed

G.C. SOLUTIONS - Hosting Quality Sites Since 2006. Experience Your Forums On A Whole New Level
Elastic Sites Stress Fast CPU/Ram Upgrades- More Info Here.
Reviews By SMF Forum Owners - Read Our Rev

winniethepooh

Quote from: tumbleweed on April 21, 2013, 09:34:37 PM
Get an account with Cloudflare, it will help as well.
https://support.cloudflare.com/entries/22055637-Can-CloudFlare-protect-me-against-DDoS-attacks-
Can I PM you a question about Cloudflare? I have a host that doesn't allow pointing at A records, and I can't figure out how to get Cloudflare to point at my site without it.
"But I'm tryin' Ringo.I'm tryin' real hard to be the Shepherd."

tumbleweed


LiroyvH

CloudFlare will give effectively 0% protection without additional steps, and even with additional steps it can easily be bypassed; don't expect too much protection from it unless the attacker is a complete moron.
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.
