Understanding DoS vs DDoS
DoS (Denial of Service): A single IP establishes multiple connections. BitNinja blocks this IP once it reaches the configured threshold.
DDoS (Distributed Denial of Service): Many IPs each establish relatively few connections, but together they overwhelm the server. This makes automatic detection with tools like BitNinja harder, since no single IP exceeds the per-IP threshold.
Note: True DDoS mitigation requires hardware-level protection. Software-based solutions like BitNinja can only indirectly mitigate these attacks by filtering known malicious IPs and controlling thresholds.
Determine if the attack is DoS or DDoS
Checking the connection numbers is a simple way to determine which kind of attack is being conducted against your server. The following command lists the remote IP addresses from netstat, sorted by how many connections each one holds:
netstat -ant | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn
If you see only a few IP addresses performing hundreds of connections to your server, it is most likely a DoS attack.
If the individual connection numbers are few, but there are hundreds of entries, it is most likely a DDoS attack.
General Recommendations
- Use the IP reputation system: BitNinja blocks millions of compromised IPs via its challenge list and block list. (See: Bulk adding IPs to the challenge-/block- and allowlist)
- Block unnecessary countries: Under Firewall → Blocklist, deny countries irrelevant to your business. (See: Country block)
- Adjust the DoS module threshold: You can do this from the Configuration → DoS Detection menu or the CLI. (See: My server is under DoS attack)
- Enable Under Attack Mode: This can be enabled from the Configuration → DoS Detection menu. (See: My server is under DDoS attack)
- Enable rate limiting (last resort): This limits connections per domain but may impact legitimate users. (See: Rate Limiting Guide)