I am currently reassigning my clients one by one to different IP addresses. This attack is coming at one website domain name. We are not sure which website at this time. However, moving websites to different IP addresses will help us figure out which website is the one being attacked. It is likely that when I move that particular website over to a new IP, the attack will follow it. If the attack does move I am not sure if it will let go of the original IP address or attack both. However I am moving websites to different IP addresses and moving the websites that I would think could be attacked to their own IP addresses. Like I said, I have no clue which website the attack is pointed at. IP addresses are not cheap and I have been adding them like crazy. After we are in the clear I will probably be making additional adjustments as well as making it an option for my clients to add an IP address to their hosting package so that they have their own IP that is not shared with other users.
As I make these IP changes you may begin to see your website come back up. There are many internet service providers in our area and all over the world and each of their systems have to update. This can take minutes to a full day.
This is an explanation from my system admin of where we are at and what possibly may have happened.
DDoS attacks don't have much to do with your server's configuration.
Usually the reason that these attacks happen is that you have a site that is
running on your server that either offended someone, or is being extorted by
someone who has the resources to amass an attack.
A fair number of computers out there, be it someone who leaves their computer
on at home, in an office, or at a university, with malicious software
installed, can take a server down with their combined resources. Usually these
infected systems "phone home" to an IRC chatroom or the like, where
an individual can issue commands to attack a target.
Despite the mechanics, there is simply no way to filter this traffic out. 4
Gbps of attack traffic outmatches your server's network link by 40x.
I'm sorry, but we're going to have to leave your server's IP
blocked until we see the DoS end.
