The server’s load is high due to a Distributed Denial of Service attack (DDoS).
In the case of DDoS, the attack comes from multiple IP addresses at the same time. No single IP address establishes enough connections at a time for its requests to be identified as a DoS attack, but their combined number of connections still causes issues.
No software-based solution offers direct protection against DDoS attacks as all requests need to be processed in some way. True DDoS mitigation can be implemented only via some sort of hardware-based solution.
Solutions:
DDoS attacks can hardly be mitigated by a software-based solution such as BitNinja.
Actual DDoS mitigation can be implemented only via some sort of hardware-based solution.
Our recommended settings during a DDoS attack against your server:
If you use BitNinja version 3.12.3 or above, you can find an option in the DoS detection module called Under Attack mode.
When you enable it, the agent automatically applies the changes described below for the configured time.
- Set the DoS detection module threshold to 1 on every port; setting it to 1 only in the general option is not sufficient. This requires editing the configuration file; the guide at https://knowledgebase.bitninja.io/kb/dos-detection/ walks you through it step by step.
- By default, the module also blocks an IP for 60 seconds when the threshold is reached. With the thresholds set to 1, this setting must be disabled, otherwise every visitor would be blocked for 60 seconds. To do this, navigate to Configuration -> Advanced Modules -> IPReputation -> Times (“Temporary blacklist time in case of suspected DoS requests in seconds.”) and set this option to 0.
- As the last step, navigate to Configuration -> AdvancedModules -> AntiFlood module. Set the “Limit before getting on blacklist” value to 5 and the “Expiration time for the IPs in seconds” value to 36000.
These changes will block every visitor who creates five incidents in a short period and put them on your block list for 10 hours.
It is crucial to remember to revert these changes once the attack is over.
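To show how the three settings interact (a threshold of 1 turns every connection into an incident, a block time of 0 removes the 60-second block, and an AntiFlood limit of 5 sends the fifth incident to the blacklist for 36000 seconds), here is an added Python model written for this article. It is not BitNinja's code; the class, its names and the per-IP counting are assumptions made for illustration.

```python
from collections import defaultdict

# Values from the recommendation above (the defaults in the comments are the
# ones the article mentions; the model itself is hypothetical, not BitNinja code).
DOS_THRESHOLD = 1         # connections per IP before a DoS incident is raised
DOS_BLOCK_SECONDS = 0     # IPReputation temporary blacklist time (60 by default)
ANTIFLOOD_LIMIT = 5       # incidents before the IP is put on the blacklist
ANTIFLOOD_EXPIRE = 36000  # seconds the IP stays on the blacklist (10 hours)


class UnderAttackPolicy:
    """Per-IP incident counter plus an expiring blacklist (simplified model)."""

    def __init__(self, dos_threshold=DOS_THRESHOLD, dos_block=DOS_BLOCK_SECONDS,
                 flood_limit=ANTIFLOOD_LIMIT, flood_expire=ANTIFLOOD_EXPIRE):
        self.dos_threshold = dos_threshold
        self.dos_block = dos_block
        self.flood_limit = flood_limit
        self.flood_expire = flood_expire
        self.connections = defaultdict(int)  # connections counted per IP
        self.incidents = defaultdict(int)    # DoS incidents raised per IP
        self.blocked_until = {}              # ip -> unix time the block expires

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:                     # block expired: clean up and start over
            del self.blocked_until[ip]
            self.incidents[ip] = 0           # assumption: incidents reset with the block
            return False
        return True

    def connect(self, ip, now):
        """Register one connection from ip at time now; return True if it is served."""
        if self.is_blocked(ip, now):
            return False
        self.connections[ip] += 1
        if self.connections[ip] >= self.dos_threshold:
            self.incidents[ip] += 1          # threshold hit: one DoS incident
            self.connections[ip] = 0
            if self.incidents[ip] >= self.flood_limit:
                self.blocked_until[ip] = now + self.flood_expire  # AntiFlood blacklist
            elif self.dos_block > 0:
                self.blocked_until[ip] = now + self.dos_block     # short IPReputation block
        return True
```

The "short period" over which AntiFlood counts incidents is not stated in the article, so the model counts incidents without a time window.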
If you use a proxy, load balancer, or CDN service, the trusted proxy module must be enabled, and the X-Forwarded-For header must be set up correctly. The instructions are here.
If the WAF module is enabled, either the Transparent proxy mode or the X-Forwarded-For header needs to be set up. The instructions are here.