I’m require a little information about DDoS attacks.

I have a website that some people would frown upon, therefore in some countries it may require the user to be a little more discreet so they don’t raise any suspicion from the authorities from where they reside. Now, I’ve noticed a certain IP, 86.96.228.89, is using over 30 gig a day, It’s a proxy server in Dubai. I know they filter lots of “sites” so could it be half the population are viewing the site via that proxy so they don’t get rumbled. Or does it bare any resemblance to a Dos attack? Do DDoS attacks increase the bandwidth usage?

Anyway, any help would be much appreciated.

Thank you.

BTW, I have mod_evasive and mod_security.

Is it constant bandwidth suck, or is it randomly? Does the usage pattern meet the usage pattern coming from other IPs?

DoS attacks (denial of service) may match your description. DDoS (distributed denial of service), not so much, since all of the traffic concerned is coming from a single host, and therefore not particularly distributed.

In your case, how does the traffic coming from that IP compare to that coming from others? Also, is it significantly slowing your site down? DoS attacks are meant to cripple sites, and usually cause extremely high load. They also tend to be less about bandwidth and more about CPU time, which typically is achieved by maximizing the number of requests to your server rather than the amount of data downloaded per request. So the other question is, how many simultaneous connections are typically open to this one host, on average?

Thanks for your answers guys.

The traffic coming from that one IP is probably 10 times the amount as everyone else’s. There is also another IP that is using around 20 gig of bandwidth a day from the exact same location. It’s not effecting the site whatsoever, we can easily manage Terabytes of bandwidth per day.

I’m 90% certain its nothing malicious. I’ve done a bit more research and spoken with my programmer, we think it is that everyone is using the same proxy to access our site, both IP’s are in Dubai so I’m guessing people are trying to avoid raising any suspicion from their ISP. I’ve also noticed a massive flux in traffic from that region too. I’ve modified mod evasive and changed its email alert address so I now receive emails from Apache. Should anyone attempt a dos attack I can easily block there IP.

I also have a Cisco firewall, would that stop a dos attack?

Cheers

I'm not too familiar with how Cisco firewalls handle DoS attacks, but it's possible. Still, if the traffic isn't even putting a dent in your capacity, then that in no way qualifies as denial of service

Do you have a login access to your site? If so, you can guesstimate if it's a bandwidth horny...err HUNGRY... user, or if it's just a high number of users on that same proxy (assuming that's what it is).

Nope, if it was a DOS attack your site would already crash regularly, a DOS attack
is usually an unrelenting series of service requests.
Although at times it may be intent on sucking up bandwidth, the standard DOS attack
comes more in the form of multiple data requests in very short succession.
By multiple I'm talking as many as possible, thousands a second and more, most
servers won't stand up to one for more than say, 20-30 seconds at a time.
If such is the case, one can temporarily ban the offending IP via .htaccess, then start
doing some research into effective scripting that helps prevent it (because banning IP's
becomes unfruitful quick).

More, or just as likely the source of your problem is image harvesting software, I forget
the proper term but it's basically this program people use to gather only images from
however many Web sites, it works a bit like a search engine except the user never has
to visit any of the Web sites.
These bots will consume your bandwidth.

There exist htaccess scripts designed to help prevent this nonsense somewhat as well.
Basically you will want to deny access to any and all non-friendly bots, via the htaccess file.