
Blackmail 2: escape from attack

In the previous article I wrote that an attack had begun on our sites. I just want to thank everyone for their help and advice.

I only had to deal with the technical side of the case; other people took on all the legal and criminal aspects.

In short, we have 2 projects attacked in the same way.
The projects are on different hosting providers, both on virtual hosting.
When the attack on the first project started, we decided to move it immediately from virtual hosting to a dedicated server in order to take control. The hoster said that he could not help us.

For the second project, it was decided to hand it over to another, capable hoster for protection. We called around the hosters to find out who would take it on and for how much. Nic.ru offered us its 301 tariff and said that it includes DDoS protection services.

As soon as the 2nd project moved to Nic.ru and pulled the traffic along with it, the hoster lightly crashed and wanted to make excuses :).
"Good day.
nginx is third-party software that the user installs on the server on their own. Detailed instructions for installing nginx on our hosting are available here:
forum.nic.ru/showthread.php?t=197"


I had to remind them of what was said on the phone; the hoster got down to business and the site began to open, at least on the third try.

Meanwhile, the 1st site has moved to a Rusonix VPS. But we are not allowed to install our software:

Work is currently underway on updating the physical server repository.

You will be able to install packages tomorrow, after work on the physical server is finished.

All the best.

The day ended disappointingly. I write my Habr post, and people begin to give advice. Almost immediately, a man named darka appears in my ICQ; at that moment, for some reason, he did not have a place on Habr ;)

He offers free assistance and protection for one of our projects, and wants to become a firewall between us and the DDoS attack.
I note that he was not the only one who responded and offered to help us for free or for money.

The next day it was decided to put the 1st project, hosted at Rusonix, in darka's care.

The project hosted at Nic.ru, meanwhile, has stopped opening. To our inquiry, Nic.ru answered:

At the moment, the attack on your site continues (about 3560 simultaneous connections).

The anti-attack complex has blocked several thousand IP addresses from which the attack is coming.

However, at the moment the load on the server generated by your scripts still does not allow it to function correctly.

We recommend that you replace the pages that are displayed in case of errors (401, 403, 404, 500), as well as the index file of your site (main page), with HTML (without dynamic content or calls to CGI scripts).

It is clear that the hoster has begun to back out. Later, he blocks our site completely so that it does not create load. It becomes clear that we are out of luck here.

Meanwhile, darka is fighting the attack on the second front; we are helping him by making the necessary settings on the Rusonix server (by that time it had finally become possible).

A letter comes from the hoster with an answer to one of our questions. Here is a part of it: "Nevertheless, even if you configure nginx normally, this will not solve the problem with such a powerful attack. It is very serious, and was even recorded by the security service of the RTComm data center. From about 12.05 to 15.25 this service even switched on a special Arbor service for cleaning unwanted traffic, and this should have had an effect. Today we have already enabled traffic filtering at the root of the physical server, which blocks access from very intensive IPs, but even this did not give the effect ..."

At the moment we see that the site is processed by a third-party server:
We are writing a letter to Rusonix asking them not to block his IP as a DDoSer's.

Friday ends, the weekend begins, we understand that both sites are still down.

But closer to night the 1st site starts to work intermittently; in the morning it is the same, and by dinner it is fully available. darka did not give up his attempts to help us and achieved his goal!
He outlined his method of fighting the attack in a Habr post.

PS We gave him the second project to protect as well, no longer for free. In addition, this person is looking for investment to open his own company for protection against DDoS attacks + CDN.

PPS is currently under attack

Source: https://habr.com/ru/post/68401/

