6:49 - It was DNS. RedShirtJeff.com

Currently on the Cyber Security road and it is amazing how much I have learned from this video, "DOCUMENT EVERYTHING".

the big question is why would anybody waste all those resources to ddos a content creator personal website. Tell us the truth, you have been working with secret stuff and these are the other secret agents coming at you

Some people are sad and have too much time. Why would anyone DDoS Jeff's site?!

I feel your pain Jeff! Each time I released a video talking about self-hosting security I get DDoS'd

Thank you for sharing @Jeff. As someone who was on an IT team which dealt with a Top 3 (at the time) attack where they sustained 300Gb/s and wreaked havoc on the network. I can relate. Good luck keeping ahead of the botnets!

Wow. That’s nuts. Great learning experience and love that u share it. Much appreciated

Thank you Jeff for this very topical video. I've been doing IT since the early 90's (yes I am older than dirt) and DOCUMENTATION (often paper notebooks) is the best bit of information to take away for those who watched this video.

One suggestion to make this kind of DDoS less problematic: Use two servers. One that will be handling heavily cachable data for most people and another one for handling POSTs etc. This way if you get DDoSed, only the vulnerable POST server will get hit, and the GET server will survive pretty much unharmed. You will loose the ability to send comments, but the website will still be up and fine.

Awesome breakdown Jeff! This really affirms everything I've learned in my job so far! I've certainly learned about DDoS, but never seen such an eloquently "documented" video, describing your real life, personal experience in a timeline manner. Happy Cloudflare came in and saved the day. And of course, the obligatory, "Thanks DNS, thanks" 😒

This is one of those videos that makes me realise I don't know as much about computing as I thought I did. Time to spend the day googling acronyms! Thanks for sharing your experience Jeff.

Thanks! I appreciate all your arguments here, and the wonderful breakdown of the information. I have always argued for monitoring, however, rarely implimented it correctly. :P

I had this happen to me once before! Instead of doing what you did, I decided to make my site give a link to youtube... A rickroll link. After that, I added captcha and then my site got up. Meanwhile for some bizzare reason, the rickroll thing i added actually attracted more attention as my friends who knew about my site started sharing it around lol. I didn't know my site was down until the 2nd day, added the rickroll on the 2nd day, left it like that for almost a week. (Was also at the same time getting a new machine to host the thing.). So yes rickroll helped me.

"I got hacked, because i revealed my infrastructure" *Makes additional video exposing more of the infrastructure information* Red shirt jeff should have done this video lol Thanks for the explainer, always appreciated

I see you can use pretty nifty awk and friends. The usual thing I do in these cases is to use it to select, say, all IPs that requested more than 10 pages without ever downloading any other resources (CSS, JS, images whatever is required for your pages). That always works because these DDoS do not simulate browsers completely so it is easy to differentiate robots. One must deal with legit SE later. Then I feed the firewall. Once it runs again there is a plenty of time to do other things. The biggest list of IPs I selected that way was 35.000 individual IPs during one attack. Also there are those tell signs, that you can target with grep|cut|awk|sort|uniq|... most of DDoS attacks rotate UA strings that get logged in your logs. So selecting and grouping all requests from given IP and seeing how many different UA strings compared to requests is there turned out to be very often a reliable way. With other signs it is close to 100% accuracy. Not to mention that if all it does is to hit POST page then it is easy to identify all "weird" IPs. Worst cases are those DDoS attacks that simulate a normal browsing. I've seen behavior where there were sequences of dozen or so pages that each robot followed pretending to be a normal user. That was a tough one because server was under pressure and everywhere I looked all appeared to be a legit user browsing until you figure out that all you see is the same browsing sequence over and over. I added logging of select cookies and some HTTP headers like supported languages and such so I have more info to use for selection. Those robots very rarely support cookies. Especially tracking JS-set cookies is something attackers don't support. But lately I noticed that few attackers were stuffing standard cookies like tracking cookies or session cookies with random numbers but it is really rare.

Thanks for sharing Jeff. Good that you dealt with the problem and gained the experience from it.

So from what I'm gathering from your analysis: For the home guy with limited bandwidth and hardware your options are: 1. Buy a PaaS (i.e. Cloudflare) 2. Shut 'er down

whoever comes up with a way to pinpoint DDoS attackers so we can reach out and slap their physical faces should win a Nobel prize

Please, more videos about prevention of ddos and ransomware, btw brazilian here, sorry for our country been a part of the attack IT security here is minimal.

Who would have anything against a RaspberryPi guy? Big Arduino?

This was great. I was debating putting my website behind Cloudflare in preparation for an attack that I can't cope with myself, along with some of their other offerings (like the new anti phishing email stuff). I too am not a fan of the centralisation of traffic but for now it's about the only option we have, and CF are still "good guys", at least for now.

Hope no one hits my site with a DDos attack. Glad you made it. Thanks for sharing.

Curious how those attackers choose their targets. Jeff's web site of all things? Makes no sense at all.

Smokin Video Geoff. In 11 minutes you've covered just about everything I know about mitigating DDOS attacks. Took me years. My brain is getting old

I don't know much about it, but I've run across the github repo for Gatekeeper. Its open source DDOS protection. I'd be curious how well it functions in practice, or how hard it is to get it configured correctly.

0:54 It's a good thing you use CRTs. The lack of smart features make them UNHACKABLE!

"Anton died so that we could live!" - Gilfoyle, Pied Piper

The nice thing about cloudflare tunnels, is that it turns an incoming connection into an outgoing connection. Which is pretty handy when you want to host a site and you're behind a CGNAT.

Nice documenting the attack. Also looking forward to the GPU project for the pi. Looks like someone deserves a well rest this weekend 😜.

Jeff, it's very cool of you to share what happened, how you responded, and what you learned. Content like this is why you earned my Sub years ago, and why I keep coming back for more.

When I saw your video about the cluster on a farm I was curious as to why you didn't have it behind Cloudflare. I agree with the idea of not contributing to centralization, but there are too many bad apples out there to not have a layer of protection like Cloudflare IMO.

40 Mb/s Attack seems HUUUGE, Then I remembered the SpamHouse attack cloudfare protected, and it was somewhere along a 1 TB/s attack. Cloudfare is amazing AF!

Years ago already the adagio was that the only way to stop DDOS is making sure your pipe is bigger than theirs. There is no way around companies like Cloudflare who have the budget for those big pipes.

"I'm not an idiot" Red Shirt Jeff edited in "Debatable" I bet lmao

Holy cow you saved me! I amexperiencing this rn!!!! Thank so so much.

Man! You are AMAZING! This is the first time I have seen your videos; there is a LOT of value here! Thank you!

I accidentally dosed thr online learning portal for my college once . The webpage wasn't loading I left the tab open and did other work. 2 Hours later the admin knocked on the door of the study room asking if I was in there 🥺😱 what. He was cool about it I had no idea I took down the website 😅

I once saw a server rack that had a glass window. There was a sign inside that read: In case of DDoS attack, break the glass and cut the cables.

Good to hear you are back on line and in 1 piece after this. Can you suggest how I would test/monitor my IoT, Raspberry PI's, Network, to see & monitor if I am contributing to a BOT net? Cheers

Bro! Awesome video! Love the shirt. I still plan on getting into IT professionally instead of just studying, and tinkering, and grumbling about every commercial setup I see or have problems with. Love the shirt and just bought one!

Note that using a firewall (instead of Cloudflare which he uses in this video) doesn't work if you have a limited line to your ISP. If the strength of the DDoS attack is bigger than your incoming internet line, only person in charge to stop the DDoS is your ISP or upstream hosting provider. This because even if you have a imaginary, perfect, firewall that is able to absorb 100% of the DDoS attack and let 100% of legitimate traffic in (which doesn't exist in reality), your internet line would still be swamped with the DDoS attack, which means the filtering must happen before the bandwidth is reduced. Another reason mitigations must be upstream, is if you have a so called metered connection. Even if your firewall blocks the traffic, it will usually still count against the metering, why you need to talk to hosting provider regardless. As saw in the video, he is using Cloudflare, which acts as a big firewall before it even reaches your hosting provider, thus your smaller internet line isn't affected. This is equvalient with mitigating at your hosting providers' backbone. Smaller DDoS attacks however, can be mitigated with a good anti-DDoS protection to not load down the server.

I love the transparency of your content/tutorials. As for monitoring I use NEMS myself (awesome package).As for mitigating the 3rd attackon your site, 30 mins response/mitigation... KUDOS! Cheers from a fan!

Documenting everything is the type of advice that seems obvious but is easy to skip over. I wish I had documented it, but in the past I dealt with what appeared to be a pretty small DDoS attack that turned out to actually just be a clever way a virus was trying to phone home. The domain was a simple two word name, and what I seem to remember is that both of those words happened to be in an array the virus would use to build a long list of domains to try phoning home. The malicious party could easily come back after buying a different domain from the list if they were ever shut down, and I assume it made it harder to trace back to the creator since many of the randomly generated names were already owned by legitimate sites like mine. Since my memory of it isn't great I really wish I had followed that advice, because it was an interesting learning adventure.

Previous video was talking only about frontend nginx on VPS - doing caching etc. So what was php-fpm doing on that VPS and eating resources in ddos case? It was supposed to be nginx only doing cache and pushing things to backend on raspberry pi cluster. So no php needed at all on vps.

yep I can confirm this, most people in my country don't care about cybersecurity even on a government level, no wonder how many botnets have already been installed on individual devices

I run quite a popular website that gets multiple daily massive DDoS attack attempts. Cloudflare is a godsend as without it there is no way the site would be able to stay up. I have got quite a bit of complicated rules running on CF to help prevent these attacks. The best thing is that CF has really great API's so I have been able to automate everything to keep the site online

This is basically an advertisement for cloudflare... you didn't handle anything. Also 3000 requests per second? That's pretty weak bro.... 2kpps is minimum alarming level for most DDoS mitigation products.

"How I survived a DDoS attack" - "I waited until they were done"

bro said hundreds of countrys

10:53 I know the pain, it was 5Mbps up before I we switched from Comcast to Fidium now its 1Gbps up symmetrical with my down for half of what you pay.... which is nice.

Sad to hear that, I run my own little Dark Web site hosting satellite images on a Pi4B 8GB using Nginx. I hope I never experience this. EDIT 2022-03-16 19:46 UTC: It’s a static site so not that much going on, it’s meant to be lightweight. No JS, only CSS for styling using Atomic.

*adds Jeff's website to the list of websites unreachable when cloudfare has an issue again* Would love to see a project of where you make your "own cloud flare" so it won't be affected by outages like half of the Internet at this point but still be protected

OMG Jeff I hope the attacks didn't took too much time from your family time. I admire your work and honesty, so for that reason is heartbreaking to see you being punish, for your good work and honesty.

reminds me on the Mirai Botnet that managed to shut down a quite large part of the internet back in 2016. Some kids managed to create a massive botned in an accident, and then launched an Attack to the wrong IP, causing the DNS provider Dyn to run into issues. Dyn provides a DNS service for websites like Spotify, soundcloud and Twitter.

A question, could Cloudflare prevent this? Edit:Nevermind, I got the answer.

Several years ago, I had noticed my bandwidth taking a hit. I went into the network monitoring on my router and watched my router being slammed by requests. They were hitting the dynamic IP assigned to the router by my provider. Thankfully, only a slow connection was the only result.

Mine also got ddos Thks it might help me.

Great video, on all levels! Great work and thank you for sharing!

Was it DNS?

Good work, man! This is awesome, and inspires me to beef up my website more.

When you are as smart as Jeff, you can make a whole video on why your viewers are not able to view your website and gain even more views. Take that DDoS attacker. 😂

I have to say I laughed at '..maybe I shouldn't have tempted fate..' part. You just know people would've thought 'Yeah, we gotta see if we can beat this website into submission!'.

I enjoy your videos for entertainment. When I let my head get out of entertainment mode and back into semi work mode I learn a bit and enjoy your videos more. Thank you.

1. Identify 2. Probable Cause 3. Test 4. Implement 5. Verify 6. Document A+ drilled these steps into my head.

Nice from you to not stop sharing man... Really learn a lot from you...

Yup, that thumbnail is 🔥 (And I've tried to get my team to adopt your "it was DNS" shirt for our team uniform, but so far no go.... 😉)

I have it set up like this asweel, block everything but cloudflare. You could also set up rate limit rules on Cloudflare, but you have to be pretty relaxed with that, especially if, like you said, drupal has some weird ways of doing things. Also you could try something like High availability proxy, and once the server get's bombarded by a DDOS attack it would reroute traffic to a server with much stricter rules. This last part is just something I thought of now and am not sure how it would pan out.

“How I survived a sneeze attack” up next on this channel. So glad you’re alive bro

God bless you Jeff! We're all with you brother.

This was a great video! Real meaty subject with good level of detail

My home lab has 11 subdomain, I've never noticed a ddos attack because my websites can all do a api call to my firewall and shutdown individual ip from getting to my reverse proxy server. If to much traffic inbound traffic it limits the ip, if that ip continues requests it bans for 1 hour then 24 then firewall redirect all web requests to a removal requests form which requires email code. Which you have access to for 24 hours then blocked forever. Currently my firewall has 52121

It’s sad that most of the DDoS traffics are from my country. A lot of people here use pirated and questionable software on both their phone and laptops without checking it first. I had my home ISP address blocked, and later found out that one of my family member’s laptop were infected with trojan and participating in DDoS.

Holy!! You too?? Wondering how much sleep you have missed, it did not show. Good work Jeff, keep up the great work!

This video is amazing, some of us like to self-host things but that comes with risks we need to be aware of!

Only issue with CloudFlare is that they're very good at what they do that we become quickly reliant upon them for everything, Leading to all eggs in one basket. We need more CloudFlare like services. Also touching upon the learning, Doing away with PHP by choosing a concurrency native language like Go can help build distributed web-services without 3rd party frameworks incl. a web-server like ngnix. Not to mention the massive performance gains by ditching python and thereby saving hosting costs.

Yep, it has gotten bad of late. I had a "what's that noise" event when an alarm went off for the first time last week (10 years after install).

If it is a flood DDoS, you can't blocked it by your own, it is attack your circuit.

Thank you for sharing. Documenting as much information as possible is an incident response 101 for pretty much everyone who is hosting their own servers. Of course, not everyone runs high-profile websites/projects to require very extensive monitoring, but some level of monitoring is pretty much a must. And monitoring is useful not just for cyber incidents but for monitoring overall server health too. A good example of a tool many admins don't bother to set up is root emails. They aren't that hard to set up and a simple email from smartctl that you hard disk is going south can prevent data loss and downtime. Or an email telling that your backup script didn't run properly.

Amazing video! Keep up the good work.

Thank you for sharing your experience Jeff.

It’s always good to have the experience of this if it doesn’t effect your pocket.

Hey Jeff! You could try to use Crowdsec

While doing our charity stream to fund the British Red Cross, we had about 10k requests/second on various public services. This went on for minutes, then stopped for a few minutes, then erupted like that again. This killed the Stream for several Minutes

"How I survived a DDoS attack" The DDoS wasn't big enough to knock you out then.

Thank you for sharing your insights on this. I'm using the Cloudflare Argo Tunnel. It's super easy and the big benefit is, that you do not need to open port 80 and 443 for inbound traffic. I can also recommend to use an AWS Lightsail instances - they are cheap, fast ...

For Network monitoring I can recommend PRRG it’s quite powerful with lots of sensors prebuilt, you can even create own sensors for numerous systems

Are you going to post a list of the attacking IP's? I'd love to compare that with my honeypot stats or even the list Russia posted of ddos attackers hitting them.

Loved this deep dive into this, bell and subbed for sure.

I hope you have your PI Cluster behind a Pf-sense Router to stop virus attacks and other types of attack.

I just stumbled in to your site, and at my green level of understanding,I am just terrified to use my devices at all. Just unplugged my internet and went to bed. May go old school off grid,yikes!!! what an education. thnx

I have been in this field for a while now, and my website is being viewed by thousands of users daily. As a result, I got excellent Cloudflare rules to prevent bots from attacking any of my website content and rate-limiting on Nginx and access.log monitoring on my backend to enable custom Cloudflare rules. While doing all of this using a free plan on Cloudflare, I can safely say it is an end-game. I can block Million requests per second without much worry, and if my CPU goes high enough, the captcha is always here to stop everything.

Hi Jeff, I'm not sure if you're aware but the Cloudflare tunnel client (cloudflared) is actually an open source project. It would also help fix your CG-NAT problem. I've not used kubernetes but dabbled with docker swarm for a little while so I'm assuming it behave in a similar fashion. On the swarm you can run an instance of cloudflared on each node meaning (as long as every pi has an internet connection) you're no longer reliant on 1 node for the ssh tunnel. Love the channel. Thanks

That's nuts, I put together some scripts that help with stuff like this, I'll probably make a video on it sometime for NGINX.

I personally faced this problem on a game server and my horrible VPS provider did not provide any DDOS protection, first thing i did was to switch to a different VPS provider but something i've learned is to never open port 80 on a VPS server unless you host a website on it but later i removed it and put it on a hosting. Second time i faced this problem was on my website and there was a horrible attack, honestly there wasn't a perfect solution but cloudflare did help me

Oh interesting, I’m considering similar setup, but my idea was to build my own anycast cdn on vultr. Vultr because it’s the only provider which supports bringing your own ip address space so in theory I could expand the service to other service providers

Cool info, thanks for sharing, well done :)

A "smart' device is as smart as its operator/firmware-updates, even then it can host backdoors (which can come to light using network monitoring tools). I really like your transparency/OpenSource mentality

It was the power of PI's that prevented it, believe me

Eye opening. May redesign BTC node plans, as well as the Doom2 multiplayer build :)

Brazil is in the list of attackers. What a shame. 🤦🏻‍♂️