Anyone a wizard at managing DDOS attacks?

    Client having a DDOS attack hosted with Sellerdeck and they pulled the hosting. I have struggled with Cloudflare all day and have got SD to reinstate the hosting but things are far from well and I could do with some help if anyone has experience of CloudFlare and DDOS Mitigation with Sellerdeck?

    Thank you
    Jonathan Chappell
    Website Designer
    SellerDeck Website Designer
    Actinic to SellerDeck upgrades
    Graphicz Limited - www.graphicz.co.uk

    #2
    Hi Jonathan, I checked with our services team and I understand this is now resolved - is that correct?
    Bruce Townsend
    Ecommerce Product Manager
    Sellerdeck Ecommerce Solutions



      #3
      I set up mitigation through Cloudflare. Support had very limited input as they saw it as the customer's responsibility to fix so the customer asked me.
      Jonathan Chappell
      Website Designer
      SellerDeck Website Designer
      Actinic to SellerDeck upgrades
      Graphicz Limited - www.graphicz.co.uk



        #4
        Hi Jonathan,

        DDOS is probably everyone's nightmare scenario so it's great to know we have someone on the forum with some real experience in mitigation.

        I'd love to hear how you got on with Cloudflare. I assume you went with the 'Business' plan, did it work well and is your client going to continue with it long term or is it something you can just sign up for as and when you need it?

        Are there any tips or gotchas you think we should know about?

        Mike
        -----------------------------------------

        First Tackle - Fly Fishing and Game Angling

        -----------------------------------------



          #5
          Hi Mike - I am just writing it up and will post later.
          Jonathan Chappell
          Website Designer
          SellerDeck Website Designer
          Actinic to SellerDeck upgrades
          Graphicz Limited - www.graphicz.co.uk



            #6
            What happened and what did I do when a customer suffered a DDOS attack?

            The customer phoned at 0930 to say their site was not available and indeed it was showing 503 service temporarily unavailable.

            I could get ftp access using the IP address but not with the domain name.

            Shortly afterwards the client received an email from Sellerdeck advising them of a DDOS attack:

            Our hosting team have become aware of the fact that your domain, domainname.co.uk, is currently being attacked.
            This is causing a high server load and could potentially affect other people with whom you share the server.
            As it stands, there are a couple of options available:
            • We suspend your domain until the attack subsides
            • You take out DDOS mitigation via a third party such as Cloudflare.
            This needs to be looked at urgently, which is why we tried to call.
            If you are able to look into this ASAP it would be advantageous.
            If you are unable to mitigate the attack yourself, we may be forced to suspend the domain regardless to avoid the impact on other customers on our hosting.
            Sellerdeck's advice was to get DDOS mitigation and once the customer had resolved the issue Sellerdeck would consider reinstating the hosting.

            What does DDOS look like: here is a bit of the log:
            [Image: log.jpg]

            How the code was run, in unusual text in order more details boxes:

            [Image: invoice.jpg]

            First step was to go to https://www.cloudflare.com/en-gb/ddos/

            At the top it says 'Under attack?' I clicked, gave my number and a soothing American lady quickly phoned me back. It is clever marketing because she basically told me to sign up and it would all be OK but the human voice was a nice touch.

            So I signed the customer up to the Cloudflare Pro Plan at $20 a month by credit card.

            This is the Cloudflare control panel. There is an option on the right to switch on an 'Under Attack Mode' to show visitors a JavaScript challenge when visiting your site.


            [Image: cf01.jpg]

            Cloudflare scans the site and gets your current DNS settings. For Cloudflare to work you change the DNS nameservers of your domain name to those given to you by Cloudflare. This means that all traffic to your site is monitored by Cloudflare who can pick up and mitigate any DDOS attack the moment it starts.

            [Image: dns.jpg]

            Your Cloudflare control panel allows you to edit the DNS, they also publish a video guide:



            Since the DDOS traffic was aimed at the IP address of the site Sellerdeck kindly gave a new IP address for the hosting. This had to be changed in ftp etc etc and would need to be advised to your payment processor if they need your IP address to recognise transactions.

            The Cloudflare Support articles and video guide assume the mail server is on a different IP address which caused confusion as with Sellerdeck hosting (and my own for that matter) the IP address of the mail server is the same. This means you will get a warning when you set up the DNS but I decided to live with that. Although if we have further trouble I will have to move them to a separate email service provider (see later).

            However this is what Cloudflare say:
            Yes, part of the process is that you're going to need separate IPs for what is exposed and what is proxied. Once you're confident on the setup you'll want to request new IPs for at least the content being proxied since it's been exposed, which will be with your hosting provider.
            The firewall tab allows you to set up filters, my experiments with this were not successful so I left it with no filters.
            The other tabs allow comprehensive analysis and management.

            Once mitigation was set up Sellerdeck reinstated the hosting, however none of the emails in the office were working.
            As a precaution I then changed all the email passwords and we reset them in Outlook in all the office and other devices but try as I might I could not get Outlook to connect to the mail server.
            It then transpired that Sellerdeck had blocked the customer's IP address but hadn't mentioned it to them.
            Several support exchanges later they mentioned that they had unblocked the IP address.
            It turns out that

            Yes, for the period after the email failed the second time, the IP address was blocked, sadly it is a totally automated process carried out by the server, we are not made aware of it unless we interrogate the server which would be impractical.
            So now it is all working and being protected by Cloudflare for $20 a month which my customer regards as a bargain.

            As regards Support it was clear throughout that although the customer had Sellerdeck hosting with four domains they did not see this as a support issue but as a customer issue. They did find the Cloudflare video for me, change the IP address, and eventually unblock the customer's IP address so that was good. The main sticking point was the error message in Cloudflare for the mail server. It took a while before I realised that Cloudflare's support, to which Sellerdeck kept referring me, assumes a separate IP for mail which we did not have and is not available on shared hosting.

            No we do not do this. If this is a requirement, they would need to move from a shared server to a dedicated one, or move to an independent email service provider.
            Finally I have learned that you can use a generic Sellerdeck mail server instead of mail.mydomainname.co.uk:

            host000.sellerdeckwebhosting.co.uk

            where host000 is the prefix of the URL you have been given to access your Sellerdeck hosting control panel - e.g.: host000.sellerdeckwebhosting.../login_up.php3

            Hoping this helps, all in goodwill without warranty.

            Thank you!
            Jonathan Chappell
            Website Designer
            SellerDeck Website Designer
            Actinic to SellerDeck upgrades
            Graphicz Limited - www.graphicz.co.uk

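The log screenshot in the post above shows what the flood looked like on the server. As an added example (not code from the post, from Sellerdeck or from Cloudflare), the script below does the same triage from a raw access log: it parses Apache/nginx "combined" format lines (an assumption about the host's logging), finds clients whose request rate inside a sliding window exceeds a threshold, and lists the paths they hammered. The log lines are constructed, not real traffic, and the IP addresses are documentation ranges.

```python
"""Added example: spot request floods in a web server access log.

Works on the Apache/nginx "combined" log format (an assumption about the
host's logging). Sample lines below are constructed, not real traffic.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_floods(lines, window_seconds=10, threshold=20):
    """Map client IP -> peak request count in any sliding window, for IPs over threshold."""
    stamps_by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            stamps_by_ip[rec["ip"]].append(rec["ts"].timestamp())
    floods = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        peak, lo = 0, 0
        for hi, t in enumerate(stamps):
            # slide the window start forward until it is within window_seconds of t
            while t - stamps[lo] > window_seconds:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak > threshold:
            floods[ip] = peak
    return floods


def top_paths(lines, ip, n=5):
    """Most-requested paths by one client; handy when writing a rate-limit or firewall rule."""
    counts = Counter(
        rec["path"] for rec in map(parse_line, lines) if rec is not None and rec["ip"] == ip
    )
    return counts.most_common(n)


def build_sample():
    """Constructed log: one client hammers a catalogue page, another browses normally."""
    fmt = ('{ip} - - [10/Dec/2020:09:30:{sec:02d} +0000] "GET {path} HTTP/1.1" '
           '503 0 "-" "Mozilla/5.0"')
    lines = [fmt.format(ip="203.0.113.7", sec=i % 5, path="/acatalog/index.html")
             for i in range(60)]
    for sec, path in ((3, "/"), (25, "/acatalog/rings.html"), (50, "/cart.html")):
        lines.append(fmt.format(ip="198.51.100.4", sec=sec, path=path))
    return lines


if __name__ == "__main__":
    sample = build_sample()
    for ip, peak in find_floods(sample).items():
        print(f"{ip}: {peak} requests inside a 10 s window; top paths {top_paths(sample, ip)}")
```

Two caveats when reading real logs this way: a distributed attack spreads the load over many addresses, so look at the total rate and the path mix as well as per-IP peaks; and once the site is behind Cloudflare the socket address in the log is Cloudflare's, so the server has to be configured to log the original client address (Cloudflare passes it in the CF-Connecting-IP header) or per-client counts become meaningless.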


              #7
              Hi Jonathan,

              Interesting. Thank you for taking the time to pass on the details.

              So it worked for you on the 'Pro' plan which is great.

              Do you think it was the JavaScript challenge or Sellerdeck changing the IP address that made all the difference? I guess the attacker could always have changed the IP address they were attacking but once the defences went up there was little point in them continuing.

              Edit: OK, I get it now. The IP of the servers has been exposed so even if you change the dns to point to the cloudflare servers that attacker can still go straight to the web server IP which is why it has to change.

              One of the differences between their plans was what they call 'Use your own SSL Certificate' which isn't included in the 'Pro' plan. Looking at it though this seems to be about whether you get a shared or dedicated SSL certificate from Cloudflare in the plan. Presumably your client could just continue to use their own SSL certificate? (although I thought a dedicated SSL certificate needed a fixed IP address so hopefully there wasn't a problem there either.)

              In which case the Pro plan looks excellent for us small ecommerce sites.

              Mike
              -----------------------------------------

              First Tackle - Fly Fishing and Game Angling

              -----------------------------------------

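The point Mike reaches in his edit, that a proxied site is only protected if nothing in DNS still hands out the origin address, is easy to check mechanically. The script below is an added example, not code from Cloudflare, Sellerdeck or either poster: it walks a small model of a zone (constructed records; the names and addresses are illustrative) and reports every DNS-only record that reveals an address sitting behind the proxy, plus an MX record whose target either resolves to the origin or is itself proxied. The "proxied" flag stands for the orange-cloud setting in the Cloudflare DNS panel, and the check assumes the proxy carries only HTTP(S), so mail and FTP names must stay DNS-only and therefore need their own addresses, which is exactly the separate-IP requirement Jonathan ran into.

```python
"""Added example: check a Cloudflare-style DNS zone for origin IP exposure.

Record data is constructed for illustration; names and addresses are not
from any real zone. "proxied" models the orange-cloud setting: traffic to a
proxied name goes through Cloudflare, a DNS-only name resolves straight to
the host. The assumption that the proxy carries only HTTP(S), so mail and
FTP names must be DNS-only, is stated here and is not taken from the thread.
"""
from collections import defaultdict
from dataclasses import dataclass

WEB_TYPES = ("A", "AAAA")


@dataclass(frozen=True)
class Record:
    name: str      # fully qualified, no trailing dot
    rtype: str     # A, AAAA, MX, CNAME ...
    value: str     # address or target name
    proxied: bool = False


def origin_ips(records):
    """Addresses that sit behind the proxy: the ones that must stay hidden."""
    return {r.value for r in records if r.rtype in WEB_TYPES and r.proxied}


def find_origin_exposure(records):
    """Return human-readable findings; an empty list means nothing leaks the origin."""
    origins = origin_ips(records)
    addrs_by_name = defaultdict(set)
    proxied_names = set()
    for r in records:
        if r.rtype in WEB_TYPES:
            addrs_by_name[r.name].add(r.value)
            if r.proxied:
                proxied_names.add(r.name)
    findings = []
    for r in records:
        if r.rtype in WEB_TYPES and not r.proxied and r.value in origins:
            findings.append(f"{r.name} {r.rtype} {r.value} is DNS-only and reveals a proxied origin")
        if r.rtype == "MX":
            if r.value in proxied_names:
                findings.append(f"MX target {r.value} is proxied; SMTP is not carried by the proxy")
            for ip in sorted(addrs_by_name.get(r.value, ())):
                if ip in origins:
                    findings.append(f"MX target {r.value} resolves to origin IP {ip}")
    return findings


# Before: web, mail and ftp all on the shared host's single address (the thread's situation).
BEFORE = [
    Record("example.co.uk", "A", "192.0.2.10", proxied=True),
    Record("www.example.co.uk", "A", "192.0.2.10", proxied=True),
    Record("mail.example.co.uk", "A", "192.0.2.10"),
    Record("ftp.example.co.uk", "A", "192.0.2.10"),
    Record("example.co.uk", "MX", "mail.example.co.uk"),
]

# After: fresh origin address from the host, mail moved to a separate provider,
# the ftp name dropped (connect by address instead of publishing it in DNS).
AFTER = [
    Record("example.co.uk", "A", "192.0.2.77", proxied=True),
    Record("www.example.co.uk", "A", "192.0.2.77", proxied=True),
    Record("example.co.uk", "MX", "mx.mailprovider.example"),
]

if __name__ == "__main__":
    for label, zone in (("before", BEFORE), ("after", AFTER)):
        print(label, find_origin_exposure(zone) or ["no origin exposure found"])
```

The BEFORE zone produces three findings (the mail and ftp names both hand out the origin, and the MX points at one of them); the AFTER zone produces none. Running a check like this after every DNS change, rather than once at setup, is what keeps the new address the host issued from quietly leaking again.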


                #8
                I have been with Cloudflare over 18 months now and highly rate it.

                Luckily I haven't had to use for an attack, but as a CDN, and other services it is great.
                Regards

                Jason

                Titan Jewellery (Swift Design)
                Zirconium Rings
                Damascus Steel Rings



                  #9
                  Hi Mike - it has been a learning curve and I am no expert, as things stand it seems to work and the SSL is in place. I am sitting tight and hoping for the best.

                  I am experimenting with a Zoho account for hosting emails and it looks extremely promising.
                  Jonathan Chappell
                  Website Designer
                  SellerDeck Website Designer
                  Actinic to SellerDeck upgrades
                  Graphicz Limited - www.graphicz.co.uk



                    #10
                    We can see from Jason's sites (thanks Jason) that the customer/browser is seeing the Cloudflare SSL certificate and I'm assuming that Cloudflare then uses the website's SSL certificate to encrypt the link back to the server.

                    I'm torn between signing up for Cloudflare before I need it so it's there and I have everything working if I eventually need it and just leaving it until it becomes necessary. I suspect for now I'll leave it but it's great to know it's there and to have an understanding of how it works so thank you for the detailed post.

                    Mike
                    -----------------------------------------

                    First Tackle - Fly Fishing and Game Angling

                    -----------------------------------------



                      #11
                      If you do 'Why no padlock' on the site it shows:

                      Certificate Issuer: Cloudflare, Inc.
                      Certificate Type: Cloudflare Inc ECC CA-3
                      Issued On: 2020-12-08

                      In the Cloudflare control panel:

                      [Image: sslcfimage.jpg]
                      Jonathan Chappell
                      Website Designer
                      SellerDeck Website Designer
                      Actinic to SellerDeck upgrades
                      Graphicz Limited - www.graphicz.co.uk



                        #12
                        Thanks Jonathan,

                        Yes, that looks right to me.

                        Mike
                        -----------------------------------------

                        First Tackle - Fly Fishing and Game Angling

                        -----------------------------------------
