Jimi

Hi, I've been suffering from DDoS quite frequently (I'm used to it, it always happens), but we recently switched to a new host (1&1) which has a ridiculously low numiptent (with all my iptables rules, I can only ban like ~10 individual IPs until it maxes out). I have sent them constant e-mails, but they just don't seem to care. They have us locked in for a 1-year deal, so I now I need to find a way to ban IPs and avoid using up the numiptent!

__________________

Manyak

Sounds like you'll have to configure things around the kind of attack you're getting instead of just IP addresses.

Exactly what kind of DDoS attack is it anyway? An ICMP flood?

__________________
For Sale: [Conus] CM Storm Scout, TEC, WC, Laptop, A900, Model M, GPU, Audio, and a ton more!!

Jimi

They vary and that is the problem, but usually it's simply some script kiddy using Low Orbit Ion Cannon. It's nothing that turning Apache off won't solve <usually>.

__________________

Manyak

Have you tried using Snort?

__________________
For Sale: [Conus] CM Storm Scout, TEC, WC, Laptop, A900, Model M, GPU, Audio, and a ton more!!

Jimi

No, I've never heard of it, thanks. I'll read up and see if it'll be of use.

__________________

Coma

Is it a VPS or something?

__________________
When asking for help: state the goal, not the step.

Jimi

Yeah its a VPS.

And basically from what I've read, snort can identify the problem, and well, I need a means of preventing the traffic. It's pretty obvious when they have tons of connections, I just need a secondary way of banning the IPs that doesn't use up my numiptent.

__________________