

Please help me to detect this attack




Posted by kimkim2, 06-22-2009, 10:42 AM
Today my server is the victim of an attack again. I tried my best to stop it but I can't, so I need your help. Someone likes to attack my sites. My site is imagesurfs dot com. At this time you will find it hard to load, or it takes a long time to load.

The result of the command:

    netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

Command:

    netstat -ant | awk '{print $6}' | sort | uniq -c | sort -n

This is my /etc/sysctl.conf, my csf.conf and httpd.conf:

    Timeout 20
    KeepAlive Off
    KeepAliveTimeout 15
    MaxKeepAliveRequests 100

And now I don't know what kind of attack this is or the way to stop it... I'm running on a dedicated server.

Posted by Digivity, 06-22-2009, 11:29 AM
It seems to be a distributed attack, and it is hard to prevent these attacks. I think an HAProxy setup in front of your server can help you. Just a suggestion... I am using Litespeed and for a long time I haven't seen a problem caused by a DDoS. This doesn't mean Litespeed can't be flooded, but it deals with DDoS better than Apache.

Posted by inspiron, 06-22-2009, 12:47 PM
I think you need to harden the security of the software as well as the hardware firewall. If this doesn't work, then prepare for an anti-DDoS proxy shield. Hope this might help you.

Posted by Jonathan Kinney, 06-22-2009, 01:00 PM
Or it could be that you are just way too popular. Something like this could also be the result of an image or something being loaded from your server on a site that is receiving the DDoS. Though these are just other ideas, they are possibilities that may be worth looking into. For example, what are all of these IP addresses loading? What is their listed referrer? If either of those is blank in the logs, then it probably is directed at you.

Posted by hhw, 06-22-2009, 01:04 PM
Where is your target audience? You can try blocking large blocks of IPs for countries you don't expect traffic from.

Posted by linux-engineer, 06-22-2009, 01:31 PM
Hello Kimkim2, you can install a firewall such as APF or CSF and write a script to find IP addresses which have more than 5-6 simultaneous connections and block them in the firewall. This will resolve this issue. Thank you.

Posted by HD Fanatic, 06-22-2009, 03:36 PM
That will block legit traffic, and not all IPs open simultaneous connections to attack. It probably sends many requests per second. To the OP, why don't you give Litespeed a try? I haven't had a DDoS take down my websites after converting to it. *knock on wood*

Last edited by HD Fanatic; 06-22-2009 at 03:42 PM.

Posted by mindbend, 06-22-2009, 09:24 PM
This shouldn't be too hard to block.

    tcpdump -n -s 300 -A dst port 80 | grep -o "\(GET\|POST\|[Hh]ost\).*"

Once you find what they are attacking:

    iptables -I INPUT -j LOG --log-prefix "HTTP FLOOD : " -p tcp -d _ip they are hitting_ -m string --algo bm --string "filename.php" -m recent --update --seconds 60 --hitcount 1
    iptables -I INPUT -p tcp --dport 80 -m string --algo bm --string "filename.php" -j DROP

Then update httpd.conf with "Timeout 5". Wait about 10 minutes, then grep out the IP addresses from your messages file and start blocking them individually. The attack's effect should be nulled immediately, and the attack itself should stop once all of the attackers start timing out.
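The two questions raised above (Jonathan Kinney's "what are these IPs loading, and is the referrer blank?" and mindbend's "find what they are attacking, then block the IPs") can be answered from the Apache access log rather than from tcpdump. The following is an added example, not code from anyone in this thread: it parses combined-format log lines, ranks the requested paths, flags IPs that exceed a hit threshold while sending no Referer and no User-Agent, and renders the per-IP DROP rules for review. The log lines and the threshold of 5 hits are constructed sample values.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (documentation-range IPs): two flooders hammering one script
# with blank Referer/User-Agent, one normal visitor, and one unparsable line.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.5 - - [22/Jun/2009:10:40:0{i} +0000] "GET /gallery.php HTTP/1.1" 200 512 "-" "-"'
     for i in range(8)]
    + [f'198.51.100.9 - - [22/Jun/2009:10:40:0{i} +0000] "GET /gallery.php HTTP/1.1" 200 512 "-" "-"'
       for i in range(6)]
    + ['192.0.2.44 - - [22/Jun/2009:10:40:03 +0000] "GET /index.php HTTP/1.1" 200 2048 "http://example.net/" "Mozilla/5.0"',
       '192.0.2.44 - - [22/Jun/2009:10:40:04 +0000] "GET /gallery.php HTTP/1.1" 200 512 "http://imagesurfs.com/index.php" "Mozilla/5.0"',
       'this line is not a valid log entry']
)


def analyse(log_text, max_hits_per_ip=5):
    """Return (hot_paths, suspects): paths ranked by request count, and the IPs whose
    request count exceeds max_hits_per_ip while every request lacked Referer and User-Agent."""
    path_hits = Counter()
    per_ip = defaultdict(lambda: {"hits": 0, "blank": 0, "paths": Counter()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate junk lines instead of aborting the whole scan
        path_hits[m["path"]] += 1
        rec = per_ip[m["ip"]]
        rec["hits"] += 1
        rec["paths"][m["path"]] += 1
        if m["ref"] in ("-", "") and m["ua"] in ("-", ""):
            rec["blank"] += 1
    suspects = {ip: rec for ip, rec in per_ip.items()
                if rec["hits"] > max_hits_per_ip and rec["blank"] == rec["hits"]}
    return path_hits.most_common(), suspects


def block_rules(suspects):
    """Render one iptables DROP rule per flagged IP for an operator to review before applying."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(suspects)]


if __name__ == "__main__":
    hot, sus = analyse(SAMPLE_LOG)
    print("most requested:", hot[:3])
    for ip, rec in sus.items():
        print(f"suspect {ip}: {rec['hits']} hits, paths={dict(rec['paths'])}")
    print("\n".join(block_rules(sus)))
```

Tighten or loosen the threshold against a few minutes of your own log before acting on the rules; a hot path shared by both flagged and unflagged IPs is the script mindbend's string-match rule would target.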

Posted by kimkim2, 06-22-2009, 09:44 PM
Thank you. At this time the attack is stopping. I will try it when it appears again. And thank you all, guys; I will try all the methods.

Posted by HD Fanatic, 06-23-2009, 06:34 PM
Your site is giving a 503 error now...

Posted by Deny, 06-24-2009, 01:50 PM
Looking at the listed IP addresses, it looks as if many IP addresses come from China. I would suggest blocking China IP ranges. Grab IP ranges from http://www.ipaddresslocation.org/ip_...get_ranges.php and block China completely. Maybe it will help.

Posted by mugo, 07-15-2009, 04:42 AM
HAProxy will help somewhat: it only passes through full requests, so SYN floods just get mitigated and dropped off easily, using little resources. There is even a special config you can drop in place here. Basically, just have it listen on 80, and your webserver serving up on 81, 8080, or some other port. http://haproxy.1wt.eu/download/1.3/examples/antidos.cfg A bit about how it can help you, 1st post: http://haproxy.1wt.eu/ Also uploaded an iptables script that blocks foreign countries; you can REM out what you don't want to block: http://www.speedfile.org/861541

Last edited by mugo; 07-15-2009 at 04:47 AM.

Posted by linuxfan, 07-15-2009, 07:06 AM
Does it work with nginx?

Posted by mugo, 07-15-2009, 08:59 AM
nginx would be a replacement for that functionality. I would venture to say HAProxy would handle the SYN flood a bit better. Both are similar products.
