Before the attack
Before the attack has even started, lower the TTL of your DNS entries to something like 5 minutes. If the traffic to your site gets too high, you can simply point your DNS entries to 127.0.0.1 and avoid high costs if you pay per traffic. You also have the option of pointing your DNS entries to a professional DDoS mitigation service. With the usual TTL of 1 or 2 days it would take ages (well, 1-2 days...) until the bots switched over to the new IPs.
What can you do, when you're under attack?
You can check on http://www.ax10m.de/minerbot.html whether you're on the target list of the Minerbot (if you're not on the list, that doesn't mean you're not under attack, but IF you're on that list, you can be sure that it's the Minerbot).
- The easiest thing is to block requests that carry the "Accept-Language: ru" header. Since most (all?) targets of the Minerbot are German sites, this shouldn't affect too many of your customers.
- If you don't want to block anyone at all, a reverse proxy like Varnish might help you. Varnish not only keeps the traffic away from your application by caching, it also serves the content very fast (the difference might be something like 600 ms from your application vs. 50 ms from Varnish), so the connections to your site are closed sooner, which should help reduce the number of concurrent connections to your site.
- You can also rely on a professional DDoS mitigation service like the Verisign Internet Defense Network. Here you just point your DNS entries to the partner and they take care of the traffic; you'll only see the washed traffic at your servers. This is probably the easiest solution, but also the most expensive one.
Blocking by HTTP headers and caching with Varnish will help you against the current HTTP flooding. But the Minerbot also has a UDP flooding module; there you can only hope that you either have a good provider that helps you block the traffic before it reaches your server, or that you're using a service like Verisign that can handle the traffic. For example, the UDP attack on our site had a peak traffic of 7 GBit/s, but we only have a 1 Gbit/s connection... We can block as much as we want on our side; if we can't block the incoming traffic before it goes through our connection, we're dead.
Blacklisting by Accept-Language can be done by putting something like this in your Apache configuration:
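As an added example (not the snippet from the original post), assuming Apache 2.2 with mod_setenvif and mod_authz_host loaded; it anchors the match on the primary language so a German visitor who merely lists ru as a low-priority fallback is not blocked, and it logs what the rule hits so you can check the false-positive rate before relying on it:

```apache
# Added example, not the post's own configuration. Assumes Apache 2.2 with
# mod_setenvif and mod_authz_host; the log path is a placeholder.
#
# Flag requests whose *primary* Accept-Language is Russian. Anchoring on ^ru
# followed by a separator (or end of header) matches "ru", "ru-RU,ru;q=0.9,en;q=0.5"
# but not "de-DE,de;q=0.9,ru;q=0.1", where ru is only a low-priority fallback.
SetEnvIfNoCase Accept-Language "^ru([-,;]|$)" minerbot_lang=1

# Log the matched requests separately, including the header that triggered the
# match, so you can measure what the rule actually hits (run this alone first,
# without the Deny below, to see whether real customers would be affected).
LogFormat "%h %t \"%r\" %>s \"%{Accept-Language}i\"" acceptlang
CustomLog logs/blocked_ru.log acceptlang env=minerbot_lang

# Reject flagged requests with 403 before they reach the application.
<Location />
    Order Allow,Deny
    Allow from all
    Deny from env=minerbot_lang
</Location>

# On Apache 2.4 (mod_authz_core) the equivalent access rule is:
# <If "%{HTTP:Accept-Language} =~ /^ru([-,;]|$)/i">
#     Require all denied
# </If>
```

Requests without an Accept-Language header are not matched at all, so this rule only reduces the flood from bots that send the header; it does nothing against the UDP module.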