Experiencing a DDoS on one of my GCP instances. What can I do?

I have a single instance running on GCP which right now’s suffering from a load-based DDoS. It’s a Debian-based instance proxying the traffic internally to a Geneweb daemon running on the same machine.

I recognized the server only answering with 503 Service Unavailable. Which I assume is Apache still responding while the daemon just can’t handle the load.

GCP’s Monitoring shows the instance spike. GCP Monitoring

tailf error.log shows incoming traffic. Screenshot Console

The instance is not load-balanced and has just default firewall rules. I’m rather inexperienced in advanced network administration, which is needed here.

Any hints? Recommendations?

Why is GRE tunneling is needed when having a BGP based solution against DDoS?

I understand that GRE tunneling is very handy when sending the data back to the client after scrubbing because it’s designed to ensure that the data is sent reliably by initiating a private point-to-point connection. My question is, why is this needed? Why can’t the data be sent ‘normally’, via the internet? Will data get lost if sent via the normal way? Is it to be sure that the data isn’t intercepted over the internet?

NTP ddos attacked


i have a cloudlinux/cpanel server be NTP ddos attacked,

normally,is it possible i do not close certain service or port and make the… | Read the rest of http://www.webhostingtalk.com/showthread.php?t=1767217&goto=newpost

What can be done against DDoS attacks when I just have only small number of “known” clients reaching a server?

Description of the Situation:

Let’s say 1000 “known” clients/workers are collecting time-sensitive data from the field and sending to a server. Therefore, we need to secure the server from DDoS attacks at a specific day and period of nearly 3 hours. It is expected to have DDoS attack during this process.

Question: What are the possible ways of securing this process for that critical period of time? Maybe load balancing + firewall for allowing only 1000 “known” IP addresses … etc?

Under volumetric DDoS can I prevent ISP null-routing by turning NIC off briefly?

A server in a data center is getting a volumetric DDoS attack. Congestion starts to build up and the data center/ISP going to solve this by null-routing (RTBH routing) the server’s IP address for several hours. However the attacks are much sorter, lasting for a couple of minutes.

A script running on the server, seeing the NIC maxed out turns off the interface (or deletes the IP from the interface), and is about to turn it back on in a couple of minutes just to see if the storm is over.

Would turning the NIC off drain the congestion so the ISP would not act and so the server gets through the pains by being unreachable only for the duration of the attack not hours?

I know the router connected directly to the server replies back with an ICMP ‘Host Unreachable’, but what happens after that, does that eventually trigger anything in the infrastructure between the server and it’s attackers?