MySQL and D(D)oS attacks.

Posted by alucard0134, 03-22-2015, 11:37 PM
So lately whenever someone sends a botnet (Layer 7) attack to our server (cPanel, CentOS, 16 gigs of RAM, dedicated server) it would make MySQL shoot up to 500% CPU usage and basically slug the server. And sadly I have no idea how I can combat against this since the attack itself is usually about 600 mbps, so not enough to have mitigation procedures kick in. Can I have any advice on this? Thank you. Remote connections are disabled, and since they are attacking the index page which sends a query to MySQL for the topics (The forum software is IP.Board for those curious.) Some graphs: prntscr.com/6k7h5h prntscr.com/6jtatt and an HTOP prnt-scr showing mysql when under attack: prntscr.com/6jrv5u (Warning: big image)

Posted by Chris_H, 03-23-2015, 12:28 AM
Which MySQL server version are you running? You might check out something like DDoS Deflate, as it might be able to stop this type of attack if it is a layer 7 attack.

Posted by alucard0134, 03-23-2015, 12:36 AM
root@server [~]# mysql --version
mysql Ver 14.14 Distrib 5.6.23, for Linux (x86_64) using EditLine wrapper

cPanel is installed along with DDoS Deflate already, but doesn't seem to be effective.

Posted by orangewebsite, 03-23-2015, 09:05 AM
Is your connection DDoS filtered or is all malicious traffic going through directly to your server?

Posted by alucard0134, 03-23-2015, 09:11 AM
No, I believe there is a firewall that kicks in if an attack gets big enough. Also standard CloudFlare protection, so the backend IP won't be revealed.

Posted by orangewebsite, 03-23-2015, 09:41 AM
It sounds like the attack you are experiencing is a low-bandwidth application-level attack. Have you tried contacting your web hosting provider to ask if they have some solution for this? Have you considered upgrading your CloudFlare protection to CloudFlare Business, which comes with Layer 7 protection?

Posted by alucard0134, 03-23-2015, 09:52 AM
I'll talk to my hosting provider about this. Thank you.

Posted by kerry_1, 03-23-2015, 09:53 AM
IPB uses MySQL to store its cached data by default. You might get some mileage out of changing that to use APC, eAccelerator, or maybe even their file-based cache. It would reduce some of the MySQL activity for each pageload. See page 4 in their docs: https://www.invisionpower.com/files/ipb23devdocs.pdf

Posted by alucard0134, 03-23-2015, 11:28 PM
Tried using eAccelerator, but to no avail. Just waiting to contact the host now.

Posted by alucard0134, 03-24-2015, 08:52 PM
No idea if I can block these requests, this is the botnet attacking. Honestly I wish I could get that, but adding another $200 to an already hefty monthly bill would be just too much.

Posted by Apolo, 03-26-2015, 11:22 PM
Thread moved to Hosting Security and Technology from Web Hosting forum.
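
An added example, not part of any post in the thread: a sliding-window tally of index-page requests per client, the kind of check that shows which addresses drive the MySQL load. Because the site sits behind CloudFlare, the origin's socket peer is a proxy edge address, so the tally keys on the CF-Connecting-IP header; the log format, thresholds, function names and sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed log format (not from the thread): Apache combined format with the
# CF-Connecting-IP request header appended as a final quoted field.
LINE_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "[^"]*" "(?P<client>[^"]*)"$'
)
INDEX_PATHS = {"/", "/index.php"}  # pages that trigger the topic query


def flood_candidates(lines, key="client", window_s=10, threshold=20):
    """Return {address: peak hits} for addresses that requested the index
    page more than `threshold` times within any `window_s`-second window.
    `lines` must be in chronological order, as an access log is."""
    recent = defaultdict(deque)   # address -> timestamps still in the window
    peak = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["path"].split("?", 1)[0] not in INDEX_PATHS:
            continue              # unparseable line, or not an index-page hit
        addr = m[key]
        if addr in ("", "-"):
            addr = m["peer"]      # header absent: request did not come via proxy
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
        q = recent[addr]
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()
        peak[addr] = max(peak[addr], len(q))
    return {a: n for a, n in peak.items() if n > threshold}


def sample_line(peer, client, sec, path="/index.php"):
    # Constructed sample line; addresses are documentation ranges (RFC 5737).
    return (f'{peer} - - [22/Mar/2015:23:{sec // 60:02d}:{sec % 60:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "{client}"')


EDGE = "192.0.2.10"  # stands in for the proxy edge the origin sees as peer
SAMPLE = [sample_line(EDGE, "203.0.113.7", s // 5) for s in range(150)]   # 5 req/s
SAMPLE += [sample_line(EDGE, "198.51.100.23", s * 20) for s in range(6)]  # 1 per 20 s
SAMPLE.sort(key=lambda l: l.split("[")[1][:20])  # restore chronological order

if __name__ == "__main__":
    print("by client header:", flood_candidates(SAMPLE))
    print("by socket peer:  ", flood_candidates(SAMPLE, key="peer"))
```

Keyed on the socket peer, every request in the sample is attributed to the single edge address, so a per-connection-IP limit at the origin would either miss the flooding client or block the proxy for all visitors.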


