While working with different issues, I have seen that many clients complaining about ddos attack on their server. So, I am posting here some useful commands to check and prevent ddos attack.
First of all when you see that your site's or server speed is very slow even though there is not much load on your server, you can guess it might be ddos. Then run 'top' command and see which processes is more, if those are httpd then fire following command
which will show how many active connections your server is currently processing.
netstat -n | grep :80 | wc -l
netstat -n | grep :80 | grep SYN |wc -l
The first command will show the number of active connections that are open to your server. The number of active connections from the first command is going to vary widely but if you are much above 500 you are probably having problems.If the second command is over 100 you are having trouble with a syn attack.
My site was recently under a DDoS attack and was down for a few days, the attack came from Russia i believe.
The people who did it asked for $800, but of course i didnt pay. My hosting company did the best they could in order to stop the attack but it still lasted a few days and badly hurt my rankings.
I moved my site to a dedicated server, but i dont know what kind of software/hardware i need to install on it in order to prevent more future attacks, the hosting company suggested a few things but i dont know if they are just trying to get more money out of me.
in the last couple of days we really have problem accessing web service, while ftp, ssh, work fine. While we getting connection time out, the load on the server is really load around .2 and get numerous e-mail from Cpanel that httpd is failling and try to restart.
How can i do to check and verify that there a DDOS attack?
What step can i do to possibly minimize DDOS attack?
some sites on my server is inserted iframe code to its homepage index.php and index.html I found this topic is discussed on WHT for sometimes but no solution yet. I found a article help to solve this issue but i am lack of knowledge to understand the article.
Is it possible to use IP Security policies in Windows Server 2003 to help prevent types of DoS attacks? Today my server was attacked by a single attacker who merely connected and disconnected on open ports at an incredibly fast rate. This was enough to eat the cycles of the server processes effectively creating a DoS attack. I was hoping IPSec could help prevent this, but I'm open to use any other software as well.
I am getting a few hundred IIS 6.0 FTP login attempts a second on my windows 2003 x64 server.
We have a Sonicwall TZ180, a full IPS and Firewall in front of the server but I cannot determine a way to block these attacks. I simply have port 25 open to all ip addresses, as I do not know a range of valid ips.
Is there any way to prevent these attacks at the firewall/hardware level? I suspect not, because the firewall doesn’t know if a login attempt is valid or not.
I have enabled IPS on the firewall but doesn’t appear to be stopping these attacks. Is there any way to automatically ban ips that hit port 25 X number of times in a second?
I have a windows server, and today it has a large inbound traffic, so I tried to disable all web service, and after that, the result of netstat -an shows no connection at all, but the server still has large inbound traffic,
i had installed anti ddos or firewall,but those are useless.His attacks are such great that The server and all the vps are down now. One told me that I should check the ips and receive ips. The attacker is so skillful .describe the best method to defeat him. Be sides the attacker use diffirenet ips in each attack,I block him by iptables but no use…. His attack occupy all the ram and I have to resetart the server… Now this time his attack lead to shutting all the vps down
My website is under ddos attack from some competitors. I don't know yet how big is the attack. The ips of the ddos attack come from all the world.
I have contacted a few hosting companies specialised in ddos proof hosting, unfortunatly the price is so expensive that i cannot afford it.
So i try to find another solution : my website is only aimed to the french people, so maybe is it possible to install a kind of firewall or proxy located before the server to block all the incoming IP adress not from france ? Do you know some websites who can do this and the price ?
I already try do deny the non-french ip in one htaccess file but the ddos attack saturate the server anyway.
I am seeing DDOs from past two days, I believe its, but I can't find out which type of ddos it is...Whenever I shutdown apache the load goes down, if I start apache the iowait time goes extremely high and after few minutes the server is not responsive...the server is dual cpu quard core...please help me in finding out wuts happening, the softlayer guy is looking into the issue, but I am not getting any good response
Yesterday my server suffered a DDoS attack - at least, I'm assuming that's what it was, as incoming traffic rose to 100mb/s for a period of about 20 minutes. The only solution was to shut the server down, then bring it back. Fortunately, the traffic did not return.
At the time, I couldn't even access the server as root. The datacenter has been unhelpful, telling me that they have no idea where the traffic was coming from. What can I do to find out what happened, ideally an IP (and what kind of data was being sent)? I'm running RedHat Enterprise Linux.
my server is dead from thursday night the site has gone offline well the backend works justwhen you go to a domain it just doesnt open ive run a few commands in ssh heres the results
i run netstat -anp |grep 'tcp|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n and i get this
We are getting more traffic to one of the servers. It seems like DDOS attack, but IPs are diferent. I want to find what IPs are connecting more connections. Are there any commnds? I want to block those IPs.
Someone is trying to attack our server (I think so). When running apache status there are a LOT of connections from one network, all requesting the same page. But running: netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n does show any of these IP's. So script blocking ddos attacks wont work. Anyone know what can I do about this?
I have been in online business for about 5 years, but only this morning found out what DDoS is. Shame on me.
Our site was attacked this morning and the host (shared hosting) has switched off the dns connection so our site is currently down along with email. We are a small firm and we are absolutely getting killed by this right now.
The tech support in this hosting company (icdsoft com) is absolutely phenomenal based on previous experiences and here is what they said throughout the day:
"Your site gets approximately 60 hits/second. Unfortunately there isn't much that can be done in such situation. We already blocked the most active IP addresses in our firewall, but this does not help, as the attack comes from many sources "
About an hour later they tried again and the following was said:
"Unfortunately we do not know how long this attack will last. At the moment there are more than 1100 requests/second towards your site."
about an hour after that the following was said:
"The attack is still going on. Currently, the incoming rate is 8MBit/sec. We will enable your site, and we will notify you when the attack is over."
My questions are the following and I will appreciate any advise as I am absolutely clueless about this:
1. What should I do at this point? Should I move the site to a dedicated server and if so, will this solve the DDOS problem?
2. Should I purchase anti DDoS package? They are extremely expensive it appears.
3. If I move to a new dedicated host, which one should i choose? we are a small site, with about 10,000 uniques per month and do not have massive budget so cost is a big factor.
4. How long will this current attack likely last? I know it's impossible to answer, but approximately how long do these things last and is it likely to repeat in the future if we leave things alone?
Any knowledgable advice on this matter will be greatly appreciated as we are hurting badly due to this and even 1 day loss of income for us is extremely serious and hurtful.
Im currently with poundhost i have some colo servers with them
they have gone down 3 times over the last week 2 DDOS attacks and 1 router/exchange issue
I called them up and they reckon they get 1 DDOS some weeks, and other weeks have none
However, when another server is getting a DDOS attack, i dont want my server to go down. I take it the network pipe is being flooded, and thats why websites stop responding.?
so i called rapid switch, they reckon if they get a DDOS attack, it just takes down the one server, and not everyones elses
I have a dedicated server running Debian and i am having some problems with Apache using a lot of CPU causing the load to go about 100.00. My load is usually 0.50 so this is not a bad coded script that is causing the problem.
I run netstat and got the following results ( my server IP has been replaced ):
The problem is probably those close_wait connections. I already have APF installed on my server ( althought it doesn't work well with Debian ) and only port 80 is open.
how can i stop those attacks? Besides manually blocking the ip, which is not the best way to handle this problem.
