[Web4lib] Anyone Have Experience With DDOS Attacks?

Blake Carver lists at lisnews.com
Tue Dec 12 08:36:56 EST 2006


I'm looking for any ideas that anyone might have to help defend
against a DDOS attack I may have overlooked. I'm currently using a
combination of mod_evasive, mod_security, 3 shell scripts I wrote, and
a modified version of SSHBlack. These are all watching for patterns in
httpd access and error logs, and then firewalling the offending IP via
iptables.

I'd love any novel ideas that might help me keep things running
smoothly till this blows over.

Here's a bit of the back story:

One of my hosted sites came under attack starting on Friday by a
pretty big botnet doing Trackback, comment and link spam. They're
targeting quite a few different domains on the server, but hitting one
extremely hard.

They're hitting mostly MT and WP comment forms, but they're also
throwing in some referral spam for good luck. It also looks like
they're adding new computers to their network all the time because
there seems to be a big jump in new IPs around 7 am EST, and then
again about 4 or 5 hours later.

I still don't think they're out to bring down the server or that one
site on purpose, but I can't be sure. If I had to guess they simply
have something misconfigured on their botnet and as a result one site
is getting destroyed.

I'm fine-tuning the scripts I use to detect & block the bad guys, and
I think they're getting pretty accurate. I added a new one last night
that did a great job in finding several hundred new IPs. From what I
can tell I'm doing a good job at only blocking bad computers; I've
only heard from one person that I can't seem to unblock for some
reason.

Thanks!

Blake
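The log-watching approach described above, as an added example that is not one of Blake's scripts: it parses Apache combined-format access log lines, flags any IP that POSTs to comment or trackback endpoints more than a threshold number of times within a sliding window, honours an allowlist so known-good hosts are never blocked, and renders (rather than runs) the iptables DROP rules. The endpoint paths and the sample log lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache combined log format. The MT/WP endpoint names are assumed, not from the post.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
SPAM_TARGETS = re.compile(r'/(mt-comments\.cgi|mt-tb\.cgi|wp-comments-post\.php|wp-trackback\.php)')

def find_offenders(lines, threshold=5, window_s=60, allowlist=()):
    """Return {ip: hits} for IPs that POST to comment/trackback endpoints
    at least `threshold` times within any `window_s`-second span."""
    recent = defaultdict(deque)   # ip -> timestamps of recent spam-target POSTs
    flagged = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                # not a combined-format line; skip it
        ip, ts, method, path, _status = m.groups()
        if ip in allowlist or method != "POST" or not SPAM_TARGETS.search(path):
            continue                # only comment/trackback POSTs count as evidence
        t = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > window_s:
            q.popleft()             # drop hits that fell out of the sliding window
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

def iptables_rules(offenders):
    """Render (not execute) one DROP rule per flagged IP, for review or a cron job."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(offenders)]

# Constructed sample log (not real traffic): 192.0.2.10 floods mt-comments.cgi,
# 198.51.100.7 posts one legitimate comment, 203.0.113.5 only reads pages.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Dec/2006:07:01:02 -0500] "POST /mt/mt-comments.cgi HTTP/1.0" 200 512 "-" "Mozilla/4.0"
203.0.113.5 - - [12/Dec/2006:07:01:05 -0500] "GET /blog/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Dec/2006:07:01:09 -0500] "POST /mt/mt-comments.cgi HTTP/1.0" 200 512 "-" "Mozilla/4.0"
192.0.2.10 - - [12/Dec/2006:07:01:15 -0500] "POST /mt/mt-tb.cgi/12 HTTP/1.0" 200 300 "-" "Mozilla/4.0"
198.51.100.7 - - [12/Dec/2006:07:01:20 -0500] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://example.test/post" "Mozilla/5.0"
192.0.2.10 - - [12/Dec/2006:07:01:22 -0500] "POST /mt/mt-comments.cgi HTTP/1.0" 200 512 "-" "Mozilla/4.0"
192.0.2.10 - - [12/Dec/2006:07:01:31 -0500] "POST /mt/mt-comments.cgi HTTP/1.0" 200 512 "-" "Mozilla/4.0"
192.0.2.10 - - [12/Dec/2006:07:01:40 -0500] "POST /mt/mt-comments.cgi HTTP/1.0" 200 512 "-" "Mozilla/4.0"
""".splitlines()

if __name__ == "__main__":
    print("\n".join(iptables_rules(find_offenders(SAMPLE_LOG))))
```

In production the rules would be fed to iptables by the watching script; keeping an allowlist of hosts that must never be blocked is the simplest guard against the wrongly blocked visitor mentioned in the post.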

