What happened last night? A story of DDoS

I received an alert from my filtering provider that my server was under attack. It was on the IP used for the internet gateway, which is interesting as I’ve kept everything pretty hidden with Cloudflare, firewall rules, and extra configuration. It felt like a targeted attack, but what caused this?

The attack started around 1:10 AM; by 1:11 AM I got the email alert and the filtering was killing off the traffic. My site's latency increased by 4ms, and it remained online.

I was awoken by the alerts and monitored it for about 20 minutes before returning to bed.

At 2:34 AM I received another alert that the attack had stopped, which makes just over an hour of attacking my infrastructure.

My service provider sent me a pcap file and some metrics; they measured the peak at 41.3 Gbps, sustained at 31 Gbps. They suspected it was a botnet attack, which seems to make sense.

The flood was mainly DNS AMP and SYN floods again. I've begun to wonder why exactly the attack happened and what I can do to prevent them in the future. I've got my assets offloaded to a proper CDN, I've got DDoS protection on my IP ranges, and that seems for the most part to be good enough.
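As an added example (not the author's code and not what the filtering provider ran), this is the kind of first pass a defender would take over the pcap mentioned above: walk the captured IPv4 packets, tag the two traffic classes the post names (DNS amplification responses arriving from UDP source port 53 with oversized payloads, and TCP SYNs without ACK), and convert the byte totals into a rate over the capture window. The packets below are constructed inline with `struct` rather than read from a real capture, and the 512-byte DNS payload threshold is a heuristic assumption, not a value from the post.

```python
import struct
from collections import Counter

# Heuristic (assumption): a DNS answer from port 53 larger than the classic
# 512-byte UDP limit is a strong sign of amplification traffic, not a normal reply.
DNS_AMP_MIN_PAYLOAD = 512


def build_ipv4(proto, src, dst, l4):
    """Build a minimal IPv4 header (no options, zero checksum) in front of an L4 segment."""
    total_len = 20 + len(l4)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return header + l4


def build_udp(sport, dport, payload):
    """UDP header (zero checksum) followed by payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_tcp(sport, dport, flags):
    """20-byte TCP header with the given flag byte and no payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


def classify(pkt):
    """Return (traffic_class, wire_bytes) for one raw IPv4 packet.

    traffic_class is 'dns_amp', 'syn' or 'other'.
    """
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    total_len = struct.unpack("!H", pkt[2:4])[0]
    l4 = pkt[ihl:total_len]
    if proto == 17:  # UDP
        sport, dport, ulen = struct.unpack("!HHH", l4[:6])
        payload_len = ulen - 8
        if sport == 53 and payload_len >= DNS_AMP_MIN_PAYLOAD:
            return "dns_amp", total_len
    elif proto == 6:  # TCP
        flags = l4[13]
        syn, ack = flags & 0x02, flags & 0x10
        if syn and not ack:  # bare SYN: connection attempt, no handshake reply
            return "syn", total_len
    return "other", total_len


def summarize(packets, window_seconds):
    """Count packets and bytes per class and express the total as Mbps over the window."""
    counts, byte_totals = Counter(), Counter()
    for pkt in packets:
        cls, n = classify(pkt)
        counts[cls] += 1
        byte_totals[cls] += n
    total_bits = sum(byte_totals.values()) * 8
    return {"counts": dict(counts), "bytes": dict(byte_totals),
            "mbps": total_bits / window_seconds / 1e6}


# Constructed sample capture: addresses are documentation ranges, not real hosts.
VICTIM = "203.0.113.10"
SAMPLE_PACKETS = [
    # three oversized DNS "answers" reflected from open resolvers (amplification)
    build_ipv4(17, "198.51.100.1", VICTIM, build_udp(53, 40001, b"\x00" * 1200)),
    build_ipv4(17, "198.51.100.2", VICTIM, build_udp(53, 40002, b"\x00" * 1200)),
    build_ipv4(17, "198.51.100.3", VICTIM, build_udp(53, 40003, b"\x00" * 1200)),
    # two bare SYNs against the web port
    build_ipv4(6, "192.0.2.7", VICTIM, build_tcp(51000, 443, 0x02)),
    build_ipv4(6, "192.0.2.8", VICTIM, build_tcp(51001, 443, 0x02)),
    # one ordinary outbound DNS query, which must not be flagged
    build_ipv4(17, VICTIM, "198.51.100.53", build_udp(40004, 53, b"\x00" * 40)),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_PACKETS, window_seconds=1.0))
```

On a real pcap the loop would be fed by a reader such as `dpkt` or `scapy` and the window would be the capture's first-to-last timestamp; the classification itself does not change. The useful output for the provider conversation is the per-class byte split, since it tells you whether a UDP rate limit on port 53 (for the amplification share) or SYN cookies and connection-rate limits (for the SYN share) would have absorbed most of the volume.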

However, I’m going to start by upgrading my server bandwidth allotment, doing some QoS rules for traffic, and getting a hardware firewall in front of everything.

I'm considering switching to redundant 2G lines and dedicating 1G to my production infrastructure and 1G to my backend and internal infrastructure.

Now it’s time to find a hardware firewall, deploy some QoS rules and wait until the next attack, and I’ll see if my modifications helped!