
On your outward-facing servers

* turn down the TCP handshake timeouts
* turn on TCP SYN cookies
* watch incoming network connections and traffic logs and add firewall rules to block each suspected attacker subnet.

In a real DDoS you have to block the attack traffic at the TCP level, not at the application level (the web server), which means adding firewall rules or iptables.

You will end up blocking a lot of legitimate traffic but better than being 100% down.

Still getting hammered? On to phase 2:

* Launch mirror servers, change your DNS records to point traffic at the mirror. (Most attack bots don't follow DNS changes)
* If it's an application-level attack then put your site in static delivery mode.

Still getting hammered? That'll teach you to hate on Justin Bieber.
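
The first-phase steps from the comment above as a dry-run shell script; this is an added example, not part of the original comment. The threshold, the `tcp_synack_retries` value, the function names and the sample addresses (documentation ranges) are assumptions, and every command is printed for review rather than applied.

```shell
#!/bin/sh
# Added example: prints hardening and block commands instead of running them,
# so an operator can review what legitimate traffic a /24 block would catch.

# Kernel settings for the first two bullets. Both keys are real Linux sysctls;
# the retry count (default 5) is an assumed value to tune per host.
print_sysctl_hardening() {
    cat <<'EOF'
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_synack_retries=2
EOF
}

# Read one IPv4 source address per line on stdin, group by /24, and print
# "count subnet" for each subnet with at least $1 entries, busiest first.
suspect_subnets() {
    threshold=$1
    awk -F. -v t="$threshold" '
        NF == 4 { n[$1 "." $2 "." $3 ".0/24"]++ }
        END { for (s in n) if (n[s] >= t) print n[s], s }
    ' | sort -k1,1nr -k2,2
}

# Turn "count subnet" lines into iptables DROP rules (printed, not executed).
emit_block_rules() {
    while read -r count subnet; do
        echo "iptables -I INPUT -s $subnet -j DROP # $count half-open conns"
    done
}

# Constructed sample: sources of half-open connections seen on the server.
sample_sources() {
    cat <<'EOF'
203.0.113.5
203.0.113.9
198.51.100.1
203.0.113.77
198.51.100.2
192.0.2.10
203.0.113.200
198.51.100.3
EOF
}

print_sysctl_hardening
sample_sources | suspect_subnets 3 | emit_block_rules
```

On a live host the input to `suspect_subnets` would come from the connection table or traffic logs the comment mentions, reduced to one source address per line.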


