Max # connections/requests feature, and blocking specific urls?

Post #1, Jun 22 2008, 01:42 PM
Newbie, Group: Members, Posts: 2, Joined: 22-June 08, Member No.: 583

First off, we are under constant DDoS attacks, not sure why, not sure who, but they are quite persistent. We've been running APF and even upped to a hardware firewall for $50/month from the host.

I asked around and most seem to think purchasing this script would help, considering the fact we have both a software and hardware FW already, but I just wanted to ask for another opinion. Our main problem is that somehow our members (including myself and my staff) can easily rack up a high number of connections (otherwise known as requests, right?), so many legit users get blocked from the script. So after a wave of DDoS'ing, we then spend the next few days unblocking legit users, at least ones not on the white list.

So my question is: does your software handle this differently in any way? Would there be a way to decipher between legit high-connection IPs and botnet high-connection IPs? And is there a way to block all traffic to a specific URL, in case the botnets are hitting one URL specifically?

And I guess a more general question: are there other users with this problem, or would you have an idea as to why it's easy for our forum users to rack up such a high number of connections? Too many mods? 1 faulty mod? Ajax? Shoutbox? Etc.? It would make things a lot easier if we could lower that "baseline" connection number, so when we do block any IP with over 100 connections we can be more sure that it is in fact a botnet IP.

Thanks for any help! And please link me to other threads if these questions have already been answered.

Post #2, Jun 23 2008, 07:28 AM
Advanced Member, Group: Customers, Posts: 71, Joined: 17-April 08, Member No.: 33

Hello,

For starters, in APF have it block all ICMP pings. Allow only UDP pings.

Second, I don't think it's a DoSing; it's more of some spam harvest bots. Are you running a forum? If so, what type? There are more advanced settings in APF that can be used to check spam databases, very good to turn on.

This software can limit requests to what number you would like. There is so much more we can do; let's start with basics first.

Post #3, Jun 23 2008, 07:53 AM
Newbie, Group: Members, Posts: 2, Joined: 22-June 08, Member No.: 583

Thanks for the help!

- It's safe to just block ALL ICMP pings? Where would I turn that setting on?
- Hmm, I'm not sure I know the difference, I thought DoS/DDoS was basically when someone gains control of zombied exploited computers and uses them to hit a server over and over.
- Yes, running IPB.
- Hmmm, where do I find these settings? I'm not too familiar with APF, I mostly let my host handle it.
- Yeah, I know where to change the limit # connections, but even if we make it as large as 200 that will still block legit traffic.

Post #4, Jul 3 2008, 07:35 AM
Newbie, Group: Members, Posts: 1, Joined: 3-July 08, Member No.: 608

Hi there,

I'm with eMoney and we are still looking for something to automatically block these things. We are getting an attack from a network of users. Many of them will have information such as the following via cPanel:

Agent: Googlebot/2.1 (+http://www.googlebawt.com/bot.html)

Here is a full list of other agents used: http://forums.pcpitstop.com/index.php?show...158148&st=0

Here is some more information on the trojan I believe the bot network is infected with: http://en.wikipedia.org/wiki/Zlob_trojan

So really, the information we need to know is...

1. Can firewall script block this? (or does anyone know something that would)
2. Can firewall script block traffic to a single url?

Thanks for your help!
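
Added example, not part of any post in this thread and not the firewall script's own code: one way to tell a busy forum member from a bot at the same request count is to look at how concentrated each IP's requests are and whether its user agent claims Googlebot with a non-Google info URL. It assumes Apache "combined" access logs; the thresholds, the `polling` parameter, the request paths and the IP addresses are all constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" log line: captures client IP, request target, user agent.
LINE_RE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')
# Info URL carried by the genuine Googlebot user agent.
GOOGLE_INFO_URL = re.compile(r"\+https?://www\.google\.com/bot\.html")

def spoofed_googlebot(ua):
    """True when the agent claims Googlebot but points at another info URL."""
    return "googlebot" in ua.lower() and not GOOGLE_INFO_URL.search(ua)

def classify(log_text, threshold=5, top_share=0.8, polling=()):
    """Map each IP with >= threshold requests to reasons to distrust it ([] = none).
    `polling` names targets (e.g. a shoutbox refresh) ignored for concentration."""
    hits, agents = defaultdict(Counter), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, target, ua = m.groups()
            hits[ip][target] += 1
            agents[ip].add(ua)
    report = {}
    for ip, counter in hits.items():
        total = sum(counter.values())
        if total < threshold:
            continue  # low volume: not a candidate for blocking at all
        reasons = []
        browsed = Counter({t: n for t, n in counter.items() if t not in polling})
        if browsed:
            target, n = browsed.most_common(1)[0]
            if n / total >= top_share:  # nearly all traffic goes to one URL
                reasons.append("single-url:" + target)
        if any(spoofed_googlebot(ua) for ua in agents[ip]):
            reasons.append("spoofed-googlebot")
        report[ip] = reasons
    return report

def _line(ip, target, ua):  # builds one constructed log line
    return f'{ip} - - [03/Jul/2008:07:30:00 +0000] "GET {target} HTTP/1.1" 200 512 "-" "{ua}"'

BROWSER = "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/2.0"
FAKE_BOT = "Googlebot/2.1 (+http://www.googlebawt.com/bot.html)"  # agent quoted in the thread
SAMPLE_LOG = "\n".join(  # constructed: forum member, single-URL bot, light visitor
    [_line("192.0.2.10", f"/index.php?showtopic={i}", BROWSER) for i in range(4)]
    + [_line("192.0.2.10", "/index.php?act=shoutbox", BROWSER)] * 18
    + [_line("198.51.100.7", "/index.php?showtopic=42", FAKE_BOT)] * 8
    + [_line("203.0.113.5", "/index.php?act=idx", BROWSER)] * 2)
if __name__ == "__main__":
    print(classify(SAMPLE_LOG, polling=("/index.php?act=shoutbox",)))
```

A user agent with the correct info URL is still only a claim; Google documents a reverse DNS lookup followed by a forward lookup as the way to confirm that a crawler is really Googlebot.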

Post #5, Jul 4 2008, 08:54 AM
Advanced Member, Group: Root Admin, Posts: 254, Joined: 4-April 08, Member No.: 2

How bad is the attack? If it's debilitating and the server can't process each request, then no, we can't currently block them.

HOWEVER, we are working on an iptables integration system, which would make your life much easier.