TL;DR
Dealing with a Distributed Denial of Service (DDoS) attack where the source IP addresses are constantly changing requires a multi-layered approach. Focus on rate limiting, traffic scrubbing, and working with your hosting provider or a dedicated DDoS mitigation service. Blocking individual IPs is ineffective here – you need to identify and filter malicious *patterns*.
Mitigating DDoS Attacks with Changing IP Sources
- Understand the Attack: Before reacting, confirm it’s a DDoS attack. Look for unusually high traffic volumes, slow website performance, or server errors. Tools like tcpdump or your hosting provider’s analytics can help.
- Check Logs: Examine server logs for suspicious activity and patterns.
- Monitor Bandwidth: Use network monitoring tools to track incoming traffic.
- Rate Limiting: Implement rate limiting on your web server or firewall. This restricts the number of requests from a single IP address within a specific timeframe.
- Nginx Example: Limit the request rate per IP:
    # Goes in the http context: one shared 10 MB zone keyed by client address, 5 requests/second each
    limit_req_zone $binary_remote_addr zone=mylimit:10m rate=5r/s;
    server {
        ...
        location / {
            # Allow bursts of up to 20 extra requests without delaying them; reject the rest
            limit_req zone=mylimit burst=20 nodelay;
            ...
        }
    }
- Apache Example (mod_evasive): Configure mod_evasive to block IPs exceeding request thresholds.
- Traffic Scrubbing: This is the most effective method for attacks with changing IPs. Traffic scrubbing involves redirecting your traffic through a service that filters out malicious requests.
- Cloudflare: A popular option offering DDoS protection, CDN services and web application firewall (WAF).
- Akamai: Another leading provider specializing in content delivery and cyber security.
- AWS Shield: Amazon’s DDoS protection service integrated with AWS infrastructure.
- Geo-Blocking (Use with Caution): If the attack originates from specific geographic locations you don’t serve, consider geo-blocking those countries. Be careful not to block legitimate users.
- Firewall Configuration: Most firewalls allow blocking traffic based on country of origin.
- Web Application Firewall (WAF): A WAF analyzes HTTP requests and blocks malicious ones, protecting against application-layer attacks like SQL injection or cross-site scripting.
- OWASP ModSecurity Core Rule Set: A free, open-source rule set for ModSecurity.
- Cloudflare WAF: Integrated with Cloudflare’s DDoS protection services.
- Anycast Network: Anycast networks distribute your traffic across multiple servers globally, making it harder for attackers to overwhelm a single point.
- Benefits: Increased resilience and reduced latency.
- Providers: Cloudflare and Akamai often use anycast networks.
- Work with Your Hosting Provider: Your hosting provider may offer DDoS protection services or be able to assist in mitigating the attack.
- Contact Support: Immediately contact your host’s support team for assistance.
- Dedicated IP Addresses: Consider using dedicated IP addresses, as shared IPs are more susceptible to attacks.
- Blackhole Routing (Last Resort): If all else fails, blackhole routing can drop all traffic to your server. This will make your website unavailable but prevent the attack from impacting other services.
- Contact Your Provider: Your hosting provider needs to implement this.
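
To make the "filter patterns, not IPs" point and the "Check Logs" step concrete, here is an added example (not part of the original article) that groups access-log lines by method, path and user agent instead of by source address. It assumes the combined log format; the log lines, addresses (documentation ranges) and user-agent strings are constructed sample data, and the thresholds are illustrative.

```python
import re
from collections import Counter, defaultdict

# Combined log format: ip - user [time] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse(lines):
    """Return one dict per well-formed line; malformed lines are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, lines) if m]

def max_requests_per_ip(lines):
    """The per-IP view: highest request count seen from any single address."""
    counts = Counter(r["ip"] for r in parse(lines))
    return max(counts.values(), default=0)

def dominant_patterns(lines, min_share=0.5, max_avg_per_ip=3):
    """Find (method, path, user agent) groups that make up a large share of
    traffic while each contributing IP sends only a few requests."""
    records = parse(lines)
    hits, ips = Counter(), defaultdict(set)
    for r in records:
        key = (r["method"], r["path"].split("?", 1)[0], r["ua"])  # drop query string
        hits[key] += 1
        ips[key].add(r["ip"])
    found = []
    for key, n in hits.most_common():
        share = n / len(records)
        if share >= min_share and n / len(ips[key]) <= max_avg_per_ip:
            found.append({"pattern": key, "requests": n,
                          "distinct_ips": len(ips[key]), "share": share})
    return found

def sample_log():
    """Constructed data: 40 one-shot clients hitting /search, 2 normal visitors."""
    fmt = '{ip} - - [01/Jan/2024:00:00:{s:02d} +0000] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'
    flood = [fmt.format(ip=f"203.0.113.{i}", s=i, path=f"/search?q={i}",
                        ua="constructed-client/1.0") for i in range(1, 41)]
    pages = ["/", "/about", "/pricing", "/docs", "/contact"]
    normal = [fmt.format(ip=f"198.51.100.{c}", s=i, path=p, ua="Mozilla/5.0 (constructed)")
              for c in (7, 8) for i, p in enumerate(pages)]
    return flood + normal

if __name__ == "__main__":
    print("max requests from one IP:", max_requests_per_ip(sample_log()))
    for hit in dominant_patterns(sample_log()):
        print(hit)
```

In the sample, the busiest single address is a normal visitor, so a per-IP threshold would never trip on the flood; the grouped view surfaces one pattern that a WAF or scrubbing rule can match on.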

