Linode Forum
Linode Community Forums
Posted: Mon Jun 11, 2012 7:23 am
Newbie

Joined: Mon Jun 11, 2012 6:11 am
Posts: 2
I run a new but popular gaming server-list website and have just had my node closed for 24 hours due to an (apparently) severe DoS attack.

Linode tell me there's nothing I/they can do but I am not convinced. As this is my first experience with a DoS attack, I would like to at least make it harder for the attacker in the future but I don't really know where to start.

I'm a programmer, not a systems administrator, and I could really use some expert advice!

Thanks in advance!


Posted: Mon Jun 11, 2012 11:01 am
Senior Member

Joined: Tue May 26, 2009 3:29 pm
Posts: 1691
Location: Montreal, QC
If there is enough traffic coming in that Linode shuts you down, then no, there is nothing you or Linode can do without spending a lot of money. You can try putting CloudFlare in front of your Linode, but most of their DDoS mitigation features are only available on their business-level plan that starts at $200/mth/site, not their free or $20/mth service. Still, it couldn't hurt to try, and I believe they do have a feature that can serve up a static site if your origin server goes down.


Posted: Mon Jun 11, 2012 12:10 pm
Newbie

Joined: Mon Jun 11, 2012 6:11 am
Posts: 2
Thanks for the suggestion of CloudFlare. I may use that regardless, and having a backup that I don't have to change the DNS for would be handy as well.

As for the server, I changed the IP, locked down the firewall, installed mod_evasive for Apache and installed fail2ban to help block unauthorised SSH. Handily, I asked the systems admin at work to take a look as well and he's monitoring it closely and giving me some more tips.

I'll see how it goes now; if not, I may have to add a third party like CloudFlare, even if it's just temporary until the attackers get bored.


Posted: Mon Jun 11, 2012 3:39 pm
Senior Member

Joined: Wed May 13, 2009 1:18 am
Posts: 681
ryall wrote:
As for the server, I changed the IP, locked down the firewall, installed mod_evasive for Apache and installed fail2ban to help block unauthorised SSH. Handily, I asked the systems admin at work to take a look as well and he's monitoring it closely and giving me some more tips.

It isn't quite clear to me from this plus your first post if your node being "closed" was due to upstream steps to alleviate a DoS attack, or just that your node itself couldn't handle the traffic. Which it is makes a big difference to how much control you have.

That's important because while all of the above can be helpful if it's your own node's behavior in response to an attack that is the issue, if the attack is large enough to draw upstream attention (whether Linode or Linode's providers) which most likely results in blackholing the traffic, then odds are that none of the above (aside from the IP change if the attack isn't using DNS) will change that.

-- David

