IIS 6 – CPU throttling on application pools

central-processing-unit, iis, monitoring

So after a recent DDoS attack on one of our sites that took down all sites on that server, I've started looking into ways to stop this having such an impact on all sites. If the site under DDoS goes down, I can deal with that in another way. It's the other sites I'm worried about.

I can deal with memory usage easily enough using the Maximum used memory setting, all good. But for CPU usage it doesn't seem to be so simple.

My approach so far has been to use CPU Monitoring with the following settings:

  • Maximum CPU Usage (percent) – 60
  • Refresh CPU usage numbers (in minutes) – 5
  • Action Performed – Shutdown

With these settings (when running a test that hammers the CPU), after about 90 seconds (no idea why it's 90 seconds?!) of the CPU usage being over 60% for that worker process the following occurs:

  • Message in event log, "Application pool 'TestAppPool' exceeded its job limit settings"
  • About 10 seconds later the Application pool is stopped.
  • About 5 minutes (from the "Refresh CPU usage numbers" setting) later it is restarted automatically.

This isn't great because if it's a constant DDoS attack, 5 minutes later the App pool is going to get hammered again.

Essentially what I want to achieve is that one site getting hammered doesn't bring down others on the server; I don't even mind if it gets permanently stopped until I rectify the issue at a firewall/networking level. Ideally, I don't really want to use Request Queue Limit either, as I have found in the past that with fluctuating traffic on multiple sites this can be a nightmare to manage.

Am I going about this the wrong way? How do systems like PLESK or other shared hosting environments deal with something like this?

Cheers!!!

Best Answer

I would like to suggest that you try Dynamic IP Restrictions if you use IIS 7. This module can easily detect and prevent DoS attacks by dynamically blocking malicious IPs.
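
The kind of per-client request-rate check that dynamic IP blocking relies on can be run offline against IIS W3C logs to find the addresses worth blocking at the firewall. This is an added example, not part of the original answer and not the module's own implementation; the thresholds, the function name `noisy_clients` and the sample log are assumptions constructed for illustration, and log lines are assumed to be in chronological order.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in IIS W3C extended log format (not from a real server):
# one client sends 8 requests within a single second, another browses normally.
SAMPLE_LOG = "#Fields: date time cs-method cs-uri-stem c-ip sc-status\n" + "".join(
    f"2024-01-01 10:00:0{sec} GET /default.aspx {ip} 200\n"
    for sec, ip in [(0, "198.51.100.7")] + [(1, "203.0.113.50")] * 8
    + [(2, "198.51.100.7"), (3, "203.0.113.50"), (9, "198.51.100.7")]
)

def noisy_clients(log_text, max_requests=5, window_seconds=2):
    """Return {client_ip: peak_count} for clients that made more than
    max_requests requests inside any sliding window of window_seconds."""
    fields = []                      # column names from the #Fields directive
    recent = defaultdict(deque)      # per-IP timestamps still inside the window
    peaks = {}
    window = timedelta(seconds=window_seconds)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]    # IIS may change the layout mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        try:
            ts = datetime.strptime(f"{row['date']} {row['time']}",
                                   "%Y-%m-%d %H:%M:%S")
            ip = row["c-ip"]
        except (KeyError, ValueError):
            continue                     # malformed line or field not logged
        seen = recent[ip]
        seen.append(ts)
        while ts - seen[0] >= window:    # drop requests older than the window
            seen.popleft()
        if len(seen) > max_requests:
            peaks[ip] = max(peaks.get(ip, 0), len(seen))
    return peaks

if __name__ == "__main__":
    for ip, peak in noisy_clients(SAMPLE_LOG).items():
        print(f"{ip}: {peak} requests within the window")
```
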
