This past December 26 and 27, we experienced a Distributed Denial of Service (DDoS) attack. This led to problems accessing our site and Time Proof.
The attack came from a botnet: infected machines under the control of the perpetrators. All of them were directed to send HTTP GET, POST, CONNECT and OPTIONS requests, or whatever else was necessary, to flood (in our case, tsunami) our servers with requests and overwhelm them with the work of replying, leaving users unable to connect to our site.
Other parts of the attack included SQL injection attempts and browser-hijacking attempts carried out through crafted HTTP headers and User-Agent strings.
The intent of the attack was to overwhelm the servers and deny users the use of onlinejobs. It was not a breach attempt, nor was there any data breach from the site.
PST = Pacific Standard Time (UTC -8)
Dec 26 at around 8:00 AM PST
A DoS attack was observed coming from Pakistan, presumably a test before the second attack that came later that same day.
The attack was mitigated by blocking a set of Pakistan IP blocks. This was successful, with a short downtime of about 8 seconds while the web server reloaded for the block and adjustments to take effect.
Dec 26 at around 4:00 PM PST
Another DoS attack was observed, this time coming from the Philippines, presumably a test before the full attack.
The attack was mitigated by blocking a set of PLDT (ISP) IP blocks.
Dec 26 at 6:00 PM PST
The Distributed Denial of Service attack started, coming from all over the world and specifically from the following countries (not in order):
United States of America
And other countries
Dec 26 at 6:10 PM PST
The firewall installed on the local server could no longer block the attacks effectively, and server resources such as CPU and RAM were maxed out at 100%, causing downtime and effectively overwhelming the services and functionality of the site. The best option to stop it was to shut down the entire server and let the attack pass, hoping it would stop in a few hours.
However, the attacks continued into the next day, and we could only dodge what was coming in by blocking IP addresses manually.
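The manual blocking described above (and the earlier blocking of Pakistan and PLDT IP blocks) boils down to spotting which clients are flooding the server, which are sending unexpected methods such as CONNECT, and which are probing with SQL-injection payloads, then turning single addresses into blockable ranges. The script below is an added illustration of that triage and is not code from onlinejobs or its IT team. It assumes Apache/nginx "combined" access-log format, IPv4 clients, and constructed sample lines (the year in the timestamps and the rate threshold of 20 requests per 10-second window are placeholders chosen for the example, not values from the incident).

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import unquote

# Apache/nginx "combined" access-log format: client IP, identity, user,
# [timestamp], "request line", status, size, "referer", "user agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Methods a browser-facing site normally sees; CONNECT, TRACE etc. are noteworthy.
EXPECTED_METHODS = {"GET", "POST", "HEAD", "OPTIONS"}

# Crude SQL-injection signature applied to the URL-decoded path and query string.
SQLI_RE = re.compile(r"(?i)(union\s+select|or\s+1\s*=\s*1|;\s*drop\s+table|'\s*--)")


def make_line(ip, ts, method="GET", path="/", ua="Mozilla/5.0"):
    """Build one constructed combined-format log line (test data, not real traffic)."""
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" 200 512 "-" "{ua}"'


def constructed_sample():
    """Constructed access-log excerpt: two flooding hosts and a CONNECT sender in one /24,
    one SQL-injection probe from elsewhere, and one ordinary visitor. Year is a placeholder."""
    lines = [make_line("203.0.113.10", "26/Dec/2023:18:00:01 -0800") for _ in range(25)]
    lines += [make_line("203.0.113.11", "26/Dec/2023:18:00:03 -0800", method="POST", path="/login")
              for _ in range(22)]
    lines.append(make_line("203.0.113.77", "26/Dec/2023:18:00:04 -0800",
                           method="CONNECT", path="example.com:443"))
    lines.append(make_line("192.0.2.9", "26/Dec/2023:18:00:05 -0800",
                           path="/jobs?id=1%20UNION%20SELECT%201,2,3"))
    lines += [make_line("198.51.100.5", "26/Dec/2023:18:00:0%d -0800" % s, path=p)
              for s, p in ((1, "/"), (2, "/jobs"), (6, "/about"))]
    return lines


def analyze(lines, window_seconds=10, rate_threshold=20):
    """Return {ip: sorted reasons} for every client that trips a rule.

    Rules: request rate per fixed time window, unexpected HTTP method,
    SQL-injection-like pattern in the request path."""
    buckets = defaultdict(Counter)  # window index -> Counter of client IPs
    reasons = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparseable lines rather than abort mid-incident
        ip, method = m["ip"], m["method"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        buckets[int(ts.timestamp()) // window_seconds][ip] += 1
        if method not in EXPECTED_METHODS:
            reasons[ip].add(f"unexpected_method:{method}")
        if SQLI_RE.search(unquote(m["path"])):
            reasons[ip].add("sqli_pattern")
    for counter in buckets.values():
        for ip, n in counter.items():
            if n >= rate_threshold:
                reasons[ip].add(f"rate>={rate_threshold}/{window_seconds}s")
    return {ip: sorted(r) for ip, r in reasons.items()}


def aggregate_prefixes(flagged, prefix_len=24):
    """Group flagged hosts into CIDR prefixes: {network: number of flagged hosts}."""
    nets = Counter()
    for ip in flagged:
        nets[ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)] += 1
    return nets


def blocklist(flagged, prefix_len=24, min_hosts=2):
    """Prefixes with >= min_hosts flagged hosts are blocked as a range (the way an
    ISP's IP blocks were blocked during the incident); lone hosts are listed singly."""
    out = []
    for net, n in aggregate_prefixes(flagged, prefix_len).items():
        if n >= min_hosts:
            out.append(str(net))
        else:
            out.extend(ip for ip in flagged if ipaddress.ip_address(ip) in net)
    return sorted(out)


if __name__ == "__main__":
    flagged = analyze(constructed_sample())
    for ip, why in sorted(flagged.items()):
        print(f"{ip:15} {', '.join(why)}")
    print("block:", blocklist(flagged))
```

Feeding a live access log through `analyze` in place of `constructed_sample()` gives the same per-IP reasons; the `min_hosts` knob decides when enough flagged neighbours justify blocking the whole prefix rather than individual addresses, which is the trade-off behind blocking an ISP's ranges during the incident.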
Dec 27 at around 11:00 AM PST
After further deliberation on how to mitigate the attacks, the IT team decided to sign up for Cloudflare and started configuring what was necessary for it to protect our site.
Dec 27 at around 3:00 PM PST
Additional configuration was set up at Cloudflare while we waited for activation of the service, which took almost 24 hours.
Attacks were still ongoing at this point, and we could only observe and adjust what was necessary to manage server resources adequately.
Dec 27 at around 11:00 PM PST
Cloudflare was activated, and the IT team started configuring its firewall rules as well as enabling the WAF and other attack-mitigation features.
Dec 28 at around 7:00 AM PST
The IT team continued to configure all the settings required on Cloudflare, AWS and the server to finally stop the attacks.
Dec 28 at around 9:00 PM PST
All adjustments and configuration were in place and the site was back online, with Cloudflare blocking all unwanted traffic and exploit attempts.
The following graph shows the timeline as it happened above.
And here are the steps taken to mitigate and protect our site.