One of our sister websites, hosted on a cloud server, was recently hit by a 9Mbps DDoS, and the Apache web server ran out of memory and crashed. The attack lasted more than 2 months with no known reason. We've taken a number of mitigation steps including installation of mod_security with mod_evasive, APF, BFD, DDoS Deflate and Rootkit and Traffic Control, but none came to the rescue. A Linux-provided WAF will mitigate a DDoS only to the extent that CPU, memory and bandwidth allow; in our case a single CentOS server with 4GB RAM wasn't sufficient to mitigate the DDoS.
Since our initial mitigation effort failed, we cloned the server and added 4 additional VPS servers with a node balancer from Linode. Having a 5-node balancer wasn't sufficient to handle 9 MBps of bot traffic. The trouble was that Apache would run "Out of Memory" due to fake bot traffic, and no user traffic was served. I thought it was the Apache Killer that caused my Apache to crash, but that wasn't the case, as my version of Apache was patched and yet I was experiencing the same problem.
To alleviate the "Out of Memory" problem, I also tried an Nginx setup, but Nginx wasn't able to handle the traffic either. With a load balancer in front of 5 nodes of Nginx servers, the webapp was throwing 503 Service Unavailable, although I wasn't seeing the "Out of Memory" error.
We then tried the DDoS mitigation service provided by Incapsula, which took only 5 minutes to set up. To mitigate the DDoS, we had to sign up for a 7-day trial of the Business Plan. Incapsula's DDoS mitigation service worked great, but it would cost us $299 per month. For websites generating over $300 in revenue, a paid service is a great way to protect your site from DDoS, but for smaller websites it may not be cost-effective. Here are the DDoS stats collected from Incapsula.