Introduction
This article is for new customers who are transitioning to X4B services as a direct result of currently being under attack. While every case is different we hope the following basic steps will be of use. These steps assume a Reverse Proxy style of setup (most simple). If you are an existing customer, and are currently experiencing issues with mitigation (e.g leaking traffic) please see the Adjusting Mitigation article.
Basic Steps
Step 1: Get a new IP. Keep this IP secret, do not share it with anyone, do not make it public via DNS.
Step 2: Get your currently under attack IP null-routed if it is not already. If this is your main IP you may need to get the SSH or other remote access software adjusted for continued access at a new IP.
Step 3: Setup your backend services to be exclusively bound to this new IP address.
Step 4: Setup your X4B DDoS Protection service to forward traffic to your new IP address. There are tutorials for many common setups in this Knoweldgebase.
Additional Notes
Please be aware:
- We can't mitigate traffic that is currently hitting your backend IP. Similarly we can't connect/route traffic to a nullrouted or offline backend server. Your server will need to be online to begin using our services.
- Your attacker already knows your backend address. This should now be changed, for this speak to your backend server provider.
- Good mitigation systems respond dynamically to attacks, detecting a difference between the learnt "clean" traffic and then new "attack" traffic. Routing traffic to us while already under attack does not allow the system to learn a profile for clean traffic, limiting it's effectiveness.
- Your backend provider may not be willing to provide you with additional IPs for free, normal fees for additional IPs are $1-3 per IP.
- Try not to expose your backend service IP inadvertently through poorly secured software or services.
Common pitfalls:
- Mail services: We recommend using an external mail relay. To ensure security check the mail headers for IP addresses.
- FTP services: Make sure to use the "FTP" type port.
- Fetcher services (i.e remote avatar fetching): These should be disabled if possible. If this is not an option either using a proxy, or an additional IP address is recommended.