So many DDoS attacks since this past update

Read 7192 times
I don't know about anyone else, but ever since we updated to this last patch (2013-08-29).

We have been getting hit with tons of DDoS attacks.  These did not start until this last patch/update.  Our datacenter is even questioning this issue.  As they have also stated, there has beeen no problems until about 2 weeks ago, which is when we updated all of our servers.

Every single one of our servers have been getting DDoS'd.   Was there a bad file in this last update?  Or are we the only ones having this problem?
CrossFire-Hosting LLC.
Co-Owner
We've had this kind of inquiry before so I'll elaborate a bit here.

To determine if Centova Cast is involved (either as a culprit or a target of the attack) you'd need to evaluate the the DDoS attack and determine what resources are being hammered on.  A good starting point is to check your Centova Cast logs in /usr/local/centovacast/var/log (and subdirectories) and see if they're unusually large -- if Centova Cast is receiving a huge number of requests, the access log will similarly be huge.  If so, review the log and see what resources are being requested -- that should tell you most of what you need to know.

As for Centova Cast's involvement, the only part of Centova Cast that could potentially cause something resembling a DDoS attack would be the widgets -- for example, we've seen cases in which slightly-below-average-intelligence end-users modify the widget JavaScript to hit the server once per second.  They don't stop to consider that this results in one request per second per visitor to their web site.

So when they have a huge show and have 400 visitors loading pages on their site, that's 400+ requests per second, and (unless you have a beefy server and you've tweaked your php-fpm settings in /usr/local/centovacast/etc/cc-appserver.conf to dramatically increase the process limit) that'll effectively result in a DoS on Centova Cast, as nginx will return a gateway timeout waiting for php-fpm.

Note that even in that case, though, the bottleneck will be the software limit (in cc-appserver.conf) or the CPU on your server (if you've increased the process limit), so this won't really eat up much bandwidth.  And your DC doesn't care about your CPU usage -- they care about bandwidth... so if the DC is getting involved, then the problem is almost certainly elsewhere.
Well, what they stated was "IP Spoofing" which the several servers this happened on really only have Plesk and Centova Cast on them.  In which they then null-routed all of those servers.  But I'll take a gander at the centova logs, and see if theres anything in there.

What would be considered as "unusually large"
Last Edit: September 17, 2013, 01:15:57 am by DJFire_CFR
CrossFire-Hosting LLC.
Co-Owner