
DDOS attack mitigation on Centos 7 WHM hosted on Hetzner


My server has been under DDoS attack for a week now, every day, two to three times a day, for as long as 2 to 5 hours.

During the attack it is very hard, close to impossible, to access the WHM admin. I have tried most of the common mitigation solutions I could find. I installed CSF and made all the necessary settings for SYN flood and UDP attacks.

Currently I am working on using fail2ban with iptables as instructed here, but the fail2ban log does not show any action taken during the attack.

The only way I can access the server is via the Hetzner-provided console, where I can also see a graph that depicts the attack. I have tried to contact them, as they advertise DDoS protection, but they told me that the attack is too small to be detected by their protection methods and that I have to mitigate this myself; they were the ones that suggested the ip2ban solution. Given the log and graph provided below, could anybody tell me what I am doing wrong or give me a suggestion on how to overcome this situation?

Here is 1 minute of the access log during an attack.


Solution

  • I had similar issues with my dedicated server with a different hoster. They were using Voxility IPs. Voxility is a DDoS protection provider which helps to mitigate DDoS attacks. We were attacked multiple times when we were using the old hoster.

    But unfortunately the attack came from an attacker with more than 4 million Telekom proxies, and he reached about 500,000 connections per second on our server and flooded it, so it was not usable anymore. I contacted my hoster at the time, and they said the attack was not a usual one; that's why I had to use tcpdump to record the network traffic during the attack. Then they could send this to Voxility to analyze the traffic and optimize their AI, whose task is to analyze the traffic before it decides whether it is suspicious and needs to be mitigated.

    I would recommend doing the same. You could record the traffic of the attack using tcpdump, download the .pcap file and open it with Wireshark. Then you could see the source IP addresses and set a firewall rule set using UFW (a local firewall on the server) to deny requests coming from the attackers' IP addresses.

    If you need any help, feel free to reach out to me!
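The tcpdump-to-firewall step in the answer above, as an added example that is not part of the original post: a Python script that walks a classic pcap file (e.g. one written with `tcpdump -w`), counts packets per IPv4 source and prints a `ufw deny from` rule for every source at or above a threshold. `build_pcap`, the sample addresses and the threshold of 3 are constructed for this example so it runs offline; on the server you would read the real capture file instead.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

ETHERTYPE_IPV4 = 0x0800

def build_pcap(src_ips, dst="203.0.113.10"):
    """Constructed sample data: a little-endian pcap (link type 1 = Ethernet)
    holding one minimal IPv4/TCP packet per entry in src_ips."""
    # global header: magic, version 2.4, tz offset, sigfigs, snaplen, link type
    parts = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, src in enumerate(src_ips):
        # IPv4 header, 20 bytes; checksum left at 0 because this is not a real capture
        ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                             IPv4Address(src).packed, IPv4Address(dst).packed)
        frame = bytes(12) + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + bytes(20)
        # record header: ts_sec, ts_usec, captured length, original length
        parts.append(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(parts)

def count_sources(pcap):
    """Walk every record of a classic pcap and count packets per IPv4 source.
    Non-Ethernet captures are rejected; non-IPv4 or truncated frames are skipped."""
    (magic,) = struct.unpack_from("<I", pcap, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}[magic]   # KeyError on non-pcap input
    link_type = struct.unpack_from(endian + "I", pcap, 20)[0]
    if link_type != 1:
        raise ValueError("only Ethernet (link type 1) captures are supported")
    counts, off = Counter(), 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig = struct.unpack_from(endian + "IIII", pcap, off)
        frame = pcap[off + 16 : off + 16 + incl_len]
        off += 16 + incl_len
        if (len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4
                or frame[14] >> 4 != 4):
            continue
        counts[str(IPv4Address(frame[26:30]))] += 1   # source address at IP offset 12
    return counts

def deny_rules(counts, threshold):
    """UFW commands for every source at or above the packet threshold, busiest first."""
    hot = sorted((ip for ip, n in counts.items() if n >= threshold),
                 key=lambda ip: (-counts[ip], ip))
    return [f"ufw deny from {ip}" for ip in hot]

if __name__ == "__main__":
    # constructed mix: one heavy talker, one moderate one, one ordinary client
    sample = build_pcap(["198.51.100.7"] * 5 + ["192.0.2.33"] * 3 + ["198.51.100.9"])
    for rule in deny_rules(count_sources(sample), threshold=3):
        print(rule)
```

This only pays off when the flood comes from a manageable number of addresses; per-IP rules cannot keep up with the millions of proxies the answer describes, and then upstream filtering is the only real fix. On the CSF setup from the question, `csf -d <ip>` is the equivalent of the UFW rule.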