#10165 Can Admin Tools Help with DDoS

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by nicholas on Wednesday, 21 December 2011 14:45 CST

user357
Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? No
Have I searched the forum before posting? Yes
Have I read the documentation before posting (which pages?)? Yes
Joomla! version: 1.7.3
PHP version: 5.3.2
MySQL version: 5.1.4
Host: (optional, but it helps us help you)
Admin Tools version: 2.1.14


Description of my issue:

Over the weekend, one of my clients was hit with a massive DDoS complete with ransom note! The hosting company had no clue what to do and eventually I found a 3rd party company that would route and filter all calls through their servers (for a very hefty ransom, err fee!). The client ended up having to do that just to get their business back online.

I wasn't that involved with the fix, but I think the 3rd party security company monitored the IPs that the DDoS was coming from and set up a server to filter those calls and just pass along everything else to our application.

After the excitement died down, I checked the AT logs to see if anything was noted. There was no indication that anything was amiss. As a matter of fact, the logs looked less populated than usual, which may be because the server was so overloaded that the application was never even touched.

That last comment may have just answered my own question! If the application isn't actually called because the server is swamped, there probably isn't much AT can do.

Right now, the system logs have all of our traffic coming from a small set of IP addresses, and we are blocking everything else. I wonder what problems that may cause down the road.

slaes
Sounds like a bit of a joke. Is your client on a shared host?

The fact is a well-orchestrated DDoS attack with enough zombie machines is impossible to stop, but go find enough machines, very difficult to arrange. And there are many types, most commonly brute force.

You should at the very minimum be limiting the number of connections per IP at the Apache level using CSF or something similar. Also the Apache conf files should be configured according to the spec (in my view up to 85% of the cap). What a lot of people don't realise is that they configure a box which can handle much more and choke it by lowering its output, thinking they'll never see load spikes, where in actual fact it's the opposite. Request queues will apply more load, rather than less, and if your server is specced to handle it, don't choke it, let them through. My 2 cents.

nicholas
Akeeba Staff
Manager
I concur. The proper solution to fending off a DDoS attack is CSF or any other iptables-based firewall. By the time the request is handled by PHP code, it's too late. Better yet, you can have a hardware firewall "at the gates" (after the core switches, before the internal network gear) if you're overly paranoid and don't mind the cost. But on a shared host, the realistic solution is an iptables-based firewall, like CSF. If the host has no idea what this is, man, run away from them and make sure you run FAST! It's best to go to a decent host where engineers know the basics of setting up a server ;)

BTW, as to the security aspect of a DDoS attack, it's not compromising your site. The only drawback of a DDoS attack is that it "chokes" the server with too many requests, which pretty much means that your site "dies" (it has a lag time in the magnitude of dozens of seconds and many requests fail, essentially becoming inaccessible). The third party services which rip you off your money to fend off DDoS attacks essentially work as a firewall between incoming traffic and your site. It's the same kind of firewall slaes and myself were talking about ;)

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
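
Added example, not part of the thread and not CSF's own code: the per-IP connection limit recommended in the two replies above comes down to counting connections per source address, which this script does over `ss` output. The limit of 20, port 80 and the sample addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread, not CSF code). Counts established TCP
# connections per remote IP, the figure a per-IP connection limit acts on.
# Assumed values: limit of 20, local port 80, documentation-range addresses.

# Reads `ss -Htn state established` style lines on stdin and prints
# "count ip", busiest first, for peers with more than $1 connections
# to local port $2.
peers_over_limit() {
    limit=$1 port=$2
    awk -v limit="$limit" -v port="$port" '
        NF >= 4 {
            local_ep = $(NF - 1); peer = $NF
            if (local_ep !~ (":" port "$")) next   # other services
            sub(/:[0-9]+$/, "", peer)              # drop the peer port
            gsub(/^\[|\]$/, "", peer)              # unwrap [IPv6]
            sub(/^::ffff:/, "", peer)              # IPv4-mapped -> IPv4
            count[peer]++
        }
        END { for (ip in count) if (count[ip] > limit) print count[ip], ip }
    ' | sort -rn
}

# Constructed sample standing in for live `ss` output.
sample_ss_output() {
    i=0
    while [ "$i" -lt 25 ]; do    # noisy IPv4 peer: 25 connections to :80
        echo "0 0 203.0.113.10:80 198.51.100.7:$((40000 + i))"
        i=$((i + 1))
    done
    i=0
    while [ "$i" -lt 22 ]; do    # noisy peer seen as IPv4-mapped IPv6
        echo "0 0 [::ffff:203.0.113.10]:80 [::ffff:192.0.2.44]:$((50000 + i))"
        i=$((i + 1))
    done
    echo "0 0 203.0.113.10:80 192.0.2.9:51000"       # ordinary visitor
    echo "0 0 203.0.113.10:22 198.51.100.7:52000"    # SSH, not port 80
}

# Offline demo; on a server: ss -Htn state established | peers_over_limit 20 80
sample_ss_output | peers_over_limit 20 80

# The limit itself is enforced in the firewall, before Apache or PHP run, e.g.:
#   iptables -A INPUT -p tcp --syn --dport 80 \
#     -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset
```
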

user357
It's not a joke and I agree and concur also! The site is on a dedicated host, but the hosting company is 'not the swiftest'.

The client runs a very profitable online site, and they couldn't wait till the hosting company figured out what to do so they had to go with the 3rd party company. I've told them about more sophisticated hosting companies (esp those that specialize in Joomla! sites) so they are seriously thinking about making a switch in the near future.

user357
I meant to add that we will be asking potential hosting companies about their experience and defenses against these types of attacks. It will be interesting to hear their answers.

Any suggestions (aside from Rochen of course) are appreciated.

nicholas
Akeeba Staff
Manager
I would suggest iRedHOST, the hosting branch of RedWEB. They are Joomla!-centric, they host some major (as in big-time corporations) sites and they have hands-on experience with dealing with DDoS attacks. Back in October 2010, Ronnie explained to me how they averted a DDoS attack for a client of theirs. These guys know what they're doing!

