DoS attacks and server monitoring

hi all -

lately IS has been coming under DoS attacks by evil forces on the internet.

i have used gotSiteMonitor, pingdom and uptimeRobot to monitor my own server which has worked very well.

it might also be a good idea to also monitor my vps server host, currently on "KVM25". this way, if KVM25 is not answering pings, there is nothing i can (or should) do but wait, and not bother the diligent customer support folks who probably already have their hands full dealing with the attack.

is there a way i can learn the IP number, or what name that might answer a ping under?

my immediate guess is to ping KVM25.interserver.net (which does answer pings) -- hmm somehow i think i might have answered my own question!
 
>ping kvm25.interserver.net

Pinging kvm25.interserver.net [199.231.187.2] with 32 bytes of data:
Reply from 199.231.187.2: bytes=32 time=155ms TTL=49
Reply from 199.231.187.2: bytes=32 time=131ms TTL=49
 

Ryan Maxey

Member
You're correct, kvm25.interserver.net is the host node for your VPS. If the host node is down, yours will be as well (you already know this). Though, in my experience small DoS attacks don't have an effect on the host node really, rather just your server. Unfortunately, if the attacks get to be too much of an issue, you may want to consider looking into DDoS protected hosting for your site, as DDoS protection isn't what Interserver does. About bothering the support team, it's a good idea to make a ticket so that the support team is aware of the outage. Otherwise, they just may not know the host node is down.
 
well, what happens is i get a bunch of emails from my three different monitoring **services telling me all my services are not responding. then i try to log into my interserver server area and discover i can't log in there due to the DoS attack.

so rather than get all stressed out thinking that my own services are down, i would much rather learn it's KVM25 having trouble. then i can enjoy a nice glass of red wine rather than panic.

and john q has the patience of a saint, but i'd just as soon not push it too far! even saints can lose patience occasionally.

** why three monitoring services? because all three are free!
 

Quags

Administrator
Staff member
New servers are in the format of

openvzXX.is.cc
kvmXX.is.cc

older ones are openvzXX.interserver.net and kvmXX.interserver.net
 
ok - just signed up for yet another FREE pingdom.com account with kvm25.is.cc -- you can sign up for multiple free accounts using multiple email addresses !

for the record, i want to monitor kvm25.is.cc (67.215.65.132) along with my own IP number. if my IP number is down much more than kvm25.is.cc, i know i have a problem. ideally, the two should be just about the same.

thoughts? suggestions?
 

Quags

Administrator
Staff member
Exactly right.
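The comparison described above, as an added example that is not part of the original thread: each check interval records whether the host node and the VPS answered, and the share of "VPS down while node up" intervals is what signals a problem on your own server. The VPS address, the 5% tolerance and the sample history are constructed assumptions; `probe` assumes a Unix-style `ping -c 1`.

```python
import subprocess
from collections import Counter

NODE = "kvm25.is.cc"   # host node name from the thread
VPS = "203.0.113.10"   # placeholder for your own VPS IP (documentation range)

def probe(host, timeout=3):
    """One ICMP echo via the system ping; assumes a Unix-style `ping -c 1`."""
    try:
        done = subprocess.run(["ping", "-c", "1", host],
                              capture_output=True, timeout=timeout)
        return done.returncode == 0
    except (subprocess.TimeoutExpired, OSError):
        return False

def classify(node_up, vps_up):
    """Label one check interval from the two probe results."""
    if node_up and vps_up:
        return "ok"
    if not node_up and not vps_up:
        return "node-down"       # nothing to fix on the VPS itself
    if node_up:
        return "vps-only"        # node answers, VPS does not: your problem
    return "probe-mismatch"      # VPS answers, node does not (ICMP dropped or rate-limited)

def summarize(samples):
    """samples: (node_up, vps_up) pairs, one per interval; returns percentages."""
    samples = list(samples)
    total = len(samples) or 1    # avoid dividing by zero on an empty history
    labels = Counter(classify(n, v) for n, v in samples)
    return {k: round(100 * labels[k] / total, 1)
            for k in ("ok", "node-down", "vps-only", "probe-mismatch")}

def needs_attention(summary, tolerance=5.0):
    """True when the VPS is down noticeably more often than its host node."""
    return summary["vps-only"] > tolerance

# Constructed history: 6 healthy, 2 node outages, 1 VPS-only outage, 1 mismatch.
SAMPLES = [(True, True)] * 6 + [(False, False)] * 2 + [(True, False), (False, True)]

if __name__ == "__main__":
    report = summarize(SAMPLES)
    print(report, "investigate VPS:", needs_attention(report))
    # Live use: append (probe(NODE), probe(VPS)) to a list on a timer, then summarize it.
```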
 

Jay Gould

New Member
Have you got any way of contacting your host provider? They quite often provide DDoS protection so they might be able to help you out on that part.
Aside from that, ask them for a list of IPs that have accessed your site during the DDoS, eliminate single IPs and look for duplicates, you'll have your hacker IP then.

Also, is it a good idea to post it all publicly on here? Surely that's how someone is attacking your VPS, or am I being stupid here?
 

Ryan Maxey

Member
Interserver is host, and this would be the Interserver community forums. Most attacks stem from hundreds, even thousands of IPs. Even if you get the IPs, it's just a waste of time to attempt to do something about it, for the most part short of contacting EVERY host (assuming they even care) and giving them valid proof to do something will get nothing done. If your attacks are from many IPs, then contacting hosts simply won't work. If your services are subject to DDoS attacks (constant) then a more permanent solution should be thought of. DDoS attacks are very common, they're getting larger, and larger, and will continue to get larger.
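The two posts above disagree on whether counting repeat IPs in the access log is useful; this added example (not part of the original thread) tallies requests per client IP and shows how the result differs between a single-source flood and a distributed one. Both logs are constructed, use documentation IP ranges, and assume the common Apache/nginx access-log layout.

```python
import re
from collections import Counter

# Client IP is the first field of a common/combined-format access log line.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "')

def _line(ip):
    # Helper that builds one constructed log line for the samples below.
    return f'{ip} - - [01/Jan/2000:00:00:00 +0000] "GET / HTTP/1.1" 200 512'

# Constructed: one address sends most requests, plus one malformed line.
CONCENTRATED = "\n".join(
    [_line(ip) for ip in ["198.51.100.7"] * 6 + ["203.0.113.5", "203.0.113.9"]]
    + ["garbage line that is not a log entry"])
# Constructed: 200 different addresses, one request each.
DISTRIBUTED = "\n".join(_line(f"192.0.2.{i}") for i in range(1, 201))

def per_ip_counts(log_text):
    """Count requests per client IP, skipping lines that do not parse."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def repeat_sources(counts, min_hits=2):
    """Drop single-hit IPs and keep the duplicates, as suggested in the thread."""
    return {ip: n for ip, n in counts.items() if n >= min_hits}

def top_share(counts, n=1):
    """Fraction of all requests sent by the n busiest IPs."""
    total = sum(counts.values())
    return sum(c for _, c in counts.most_common(n)) / total if total else 0.0

if __name__ == "__main__":
    for name, log in (("concentrated", CONCENTRATED), ("distributed", DISTRIBUTED)):
        counts = per_ip_counts(log)
        print(name, len(counts), "IPs, repeats:", repeat_sources(counts),
              "top-1 share:", round(top_share(counts), 3))
```

A high top-1 share means a per-IP block or rate limit can help; a share near zero across hundreds of addresses is the case where upstream DDoS filtering is the practical option.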
 

Jay Gould

New Member
My mistake. Is there any way to locate the source of the DoS attack or is it just a shot in the dark? I know the actual fundamentals of a DoS and DDoS attack but not how to block them entirely.
 

FreeBuddy

New Member
I got Cloudflare running in "I'm Under Attack" mode permanently on my server. But recently I've been getting a lot of IPs from Russia, China etc. trying to access SSH via root. I doubt they will ever crack the pw.
 

andrewt

New Member
I also use Cloudflare for my websites, got through a DDoS attack a while back with ease, which is not what I can say about bigger websites like blackhatworld (sorry if I am not allowed to post other forums here), which also used Cloudflare until the administrator realised it was not enough. If PayPal got taken down a few years back, it really means no site is safe if the right attacker comes after you...
 