Some basic steps against DDoS attacks

Before the attack

Before the attack has even started, lower the TTL of your DNS entries to something like 5 minutes. If the traffic to your site gets too high, you can simply point your DNS entries to 127.0.0.1 and avoid high costs when you pay per traffic. You also have the option to point your DNS entries to a professional DDoS mitigation service. With the normal TTL of 1 or 2 days, it would take ages (ok, 1-2 days...) until the bots would switch to the new IPs.

What can you do, when you're under attack?

You can check on http://www.ax10m.de/minerbot.html if you're on the target list of the Minerbot (if you're not on the list, that doesn't mean you're not under attack, but if you're on that list, you can be sure that it's the Minerbot).

  • The easiest thing is to block requests that carry the "Accept-Language: ru" header. Since most (all?) targets of the Minerbot are German sites, this shouldn't affect too many of your customers.
  • If you don't want to block anyone at all, a reverse proxy like Varnish might help you. Varnish not only keeps the traffic away from your application by caching it, it also serves the content very fast (the difference might be like 600ms from your application vs. 50ms from Varnish), so the connections to your site are also closed faster, which should help in reducing the number of concurrent connections to your site.
  • You can also rely on a professional DDoS mitigation service like the Verisign Internet Defense Network. Here you just point your DNS entries to the partner and they will take care of the traffic; you'll only see the washed traffic at your servers. This is probably the easiest solution, but also the most expensive one.

Blocking by HTTP headers and caching with Varnish will help you against the current HTTP flooding. But the Minerbot also has a UDP flooding module; there you can only hope that you either have a good provider that helps you block the traffic before it reaches your server, or that you're using a service like Verisign that can handle the traffic. For example, the UDP attack on our site had a peak traffic of 7 Gbit/s, but we only have a 1 Gbit/s connection... We can block as much as we want on our side, but if we can't block the incoming traffic before it goes through our connection, we're dead.

Update: If you're using some tracking like IVW/AGOF or just plain Google Analytics, you might want to disable that or check with your partner. Since the bot executes JavaScript, you'll see strange numbers. IVW informed us that they might even take us out of the ranking (which would be very uncool if it happened...).

Blacklisting by Accept-Language can be done by putting something like this in your Apache configuration (mod_rewrite has to be enabled):

    RewriteEngine On
    # Reject any request whose Accept-Language header starts with "ru" (case-insensitive)
    RewriteCond %{HTTP_ACCEPT_LANGUAGE} ^ru [NC]
    RewriteRule ^ - [F,L]

(I haven't tested this yet, but something like this should work :D )
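For the Varnish route mentioned above, here is an added example (not from the original post) of a VCL 4.0 config that does both things at once: it rejects requests with a Russian Accept-Language header and caches anonymous HTML so the application is not hit for every flood request. The backend address and port, the cookie-stripping exceptions and the 60 second TTL are assumptions you'll have to adapt.

```vcl
vcl 4.0;

# Assumption: the application server listens on localhost:8080 behind Varnish.
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

sub vcl_recv {
    # Same heuristic as the Apache rule: reject requests whose
    # Accept-Language starts with "ru" (case-insensitive).
    if (req.http.Accept-Language ~ "(?i)^ru") {
        return (synth(403, "Forbidden"));
    }

    # Assumption: only /admin and /login need per-user content.
    # Dropping cookies everywhere else makes those pages cacheable,
    # so the bot's repeated page views never reach the application.
    if (req.url !~ "^/(admin|login)") {
        unset req.http.Cookie;
    }
}

sub vcl_backend_response {
    # Cache HTML for 60 seconds even if the application sends no
    # cache headers (Set-Cookie would otherwise prevent caching).
    if (beresp.http.Content-Type ~ "text/html" && bereq.url !~ "^/(admin|login)") {
        unset beresp.http.Set-Cookie;
        set beresp.ttl = 60s;
    }
}
```

Check the hit rate with varnishstat after deploying; if cache_hit stays near zero while the flood is running, the bot's requests are still varying something (cookie, query string) that you need to normalize in vcl_recv.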