Check Server For Dos Attack
May 17, 2009
How can I check my server for a DoS/DDoS/SYN attack?
Because my server load is high and performance is low, but I don't have any high-load process.
While working on different issues, I have seen many clients complaining about DDoS attacks on their servers. So I am posting here some useful commands to check for and prevent a DDoS attack.
First of all, when you see that your site's or server's speed is very slow even though there is not much load on your server, you can guess it might be DDoS. Then run the 'top' command and see which processes are most numerous; if those are httpd, then run the following commands, which will show how many active connections your server is currently processing.
netstat -n | grep :80 | wc -l
netstat -n | grep :80 | grep SYN |wc -l
The first command will show the number of active connections that are open to your server. The number of active connections from the first command is going to vary widely, but if you are much above 500 you are probably having problems. If the second command is over 100, you are having trouble with a SYN attack.
netstat -anp | grep -E 'tcp|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
That will list the IPs making the most connections to the server.
Use the following command to block an IP with iptables on the server:
iptables -I INPUT 1 -s IPADDRESS -j DROP   # insert at the top of INPUT; use -j REJECT instead of DROP if you prefer
service iptables save                       # save first, so the rule survives the restart
service iptables restart
--------OR---------------
You can place the IPs which you want to block in hosts.deny:
vi /etc/hosts.deny
httpd: IP
write and quit
---------------------------
Then kill all httpd connections and restart the httpd service by using the following commands:
killall -KILL httpd
service httpd startssl
-----------------------------------
These are all the steps to check for and prevent DDoS on your server.
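As an added example that is not part of the reply above (and not the author's commands), the following POSIX shell functions apply the same checks the reply runs by hand to a constructed netstat -ant sample: connections on port 80, the SYN_RECV backlog, and connections per peer address. Every function reads netstat output from standard input, so the same functions run on a live host when netstat -ant is piped in. It goes slightly beyond the reply in two ways: the local port is matched as ":port$" so :8080 is not counted as :80, and the peer port is stripped with a regex on the last colon so IPv6 peers are counted correctly. The threshold function produces a review list; the sample addresses are made up from documentation ranges.

```shell
#!/bin/sh
# Added example, not the post's own commands: summarise netstat output the way the
# post does by hand (connections on :80, SYN_RECV backlog, connections per peer).
# Every function reads netstat -ant style lines from stdin, so on a live host run
#   netstat -ant | count_syn_recv 80
# Here the input is a constructed sample using documentation-range addresses.

SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:3965        SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:3966        SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:3967        SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:3968        SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.2:51000      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.2:51001      ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.9:40022         ESTABLISHED
udp        0      0 10.0.0.5:53             192.0.2.9:5353'

# TCP connections whose local end is port $1 (default 80), in any state.
# Matching ":port$" on the local-address column avoids counting :8080 as :80,
# which a plain `grep :80` would do.
count_connections() {
  awk -v port="${1:-80}" \
    '$1 ~ /^tcp/ && $4 ~ (":" port "$") { n++ } END { print n + 0 }'
}

# Half-open connections (SYN_RECV) on port $1: the SYN-flood indicator.
count_syn_recv() {
  awk -v port="${1:-80}" \
    '$1 ~ /^tcp/ && $4 ~ (":" port "$") && $6 == "SYN_RECV" { n++ } END { print n + 0 }'
}

# Connections per peer address, busiest first, one "count ip" pair per line.
# The port is stripped with a regex on the last colon, so IPv6 peers survive
# where `cut -d: -f1` would truncate them to the first hextet.
top_peers() {
  awk '$1 ~ /^(tcp|udp)/ { sub(/:[^:]*$/, "", $5); c[$5]++ }
       END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Peers with more than $1 connections: a review list, not an automatic block list.
peers_over() {
  top_peers | awk -v max="$1" '$1 > max { print $2 }'
}

# Demo on the constructed sample.
echo "connections on :80 : $(printf '%s\n' "$SAMPLE" | count_connections 80)"
echo "SYN_RECV on :80    : $(printf '%s\n' "$SAMPLE" | count_syn_recv 80)"
echo "peers by connection count:"
printf '%s\n' "$SAMPLE" | top_peers
```

On the sample, count_connections 80 reports 6, count_syn_recv 80 reports 4 (all from one peer), and peers_over 3 names only 203.0.113.7; on a live host, compare those numbers against the reply's rough thresholds (500 connections, 100 SYN_RECV) before deciding whether anything needs blocking.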
In the last couple of days we have really had problems accessing the web service, while FTP and SSH work fine. While we are getting connection timeouts, the load on the server is really low, around .2, and we get numerous e-mails from cPanel that httpd is failing and it tries to restart.
How can I check and verify that there is a DDoS attack?
What steps can I take to possibly minimize a DDoS attack?
My server is currently under attack. I have been able to keep it up, but after I ban 500 IPs, I get a lot of different IPs again.
Any idea or suggestion on how to mass-ban those attacking IPs?
tcp 0 0 xxx.xx.xxx.xxx:80 190.87.128.59:3965 SYN_RECV
tcp 0 0 xxx.xx.xxx.xxx:80 82.115.52.10:2323 SYN_RECV
tcp 0 0 xxx.xx.xxx.xxx:80 90.148.137.56:21094 SYN_RECV
tcp 0 0 xxx.xx.xxx.xxx:80 189.237.35.155:57605 ...
I have one client who cannot see my server and all the domains on it. I've checked whether his IP is blocked or not, and I didn't see his IP in the APF deny host file. How do you check whether an IP can see my server? I just want to make sure before calling the ISP.
Someone is trying to attack our server (I think so). When running Apache status there are a LOT of connections from one network, all requesting the same page. But running: netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n doesn't show any of these IPs. So a script blocking DDoS attacks won't work. Anyone know what I can do about this?
I went today to my Apache error log and noticed that those scum lowlife hackers are trying to hack my server every day at least 100 times!!!
What a disaster!
Examples of URLs they are trying to use:
- http://usuarios.arnet.com.ar/larry123/safe.txt?
- http://uploaded.justfree.com/id.txt?
- http://nukedclx.info/php/base
Is there anything that can be done to prevent this mor*** from even trying to hack (except putting a bullet in his/their head)?
Two of my websites on the server were changed by the hackers. How did they do it?
I got a botnet attack on my web server... is there anything I can do to block these attacks? My host isn't helping much.
How do I protect a Linux dedicated server from bot attacks? I'm using a Linux server with cPanel, using CSF firewall + DOS Deflate.
Is this a DDoS attack: .....
I think I'm experiencing some type of alternative to a DDoS attack. My server is being killed by thousands of emails being sent to fake accounts on my server.
I'm not a server administrator, so please bear with me.
My load average is skyrocketing to 800.xx at times. I look at "top" and see "exim" for one specific user on my server. I own all the websites on my server, by the way.
When I look at my email queue, I see thousands of emails coming in to accounts that don't exist for that specific user. Let's say the domain name is salcollaziano.com. Somebody is sending spam to various salcollaziano.com aliases that don't exist. Like webmaster -at- salcollaziano.com and suzy -at- salcollaziano.com.
How can I prevent these spam emails from having any interaction with my server? It's causing me a lot of downtime on all the sites I have running on that particular server.
Not sure if it's a valid threat, but I would like to do the best I can to identify one as early as possible.
Can someone maybe give me an idea of what to look for? They were not specific on their type of attack, but I was hoping that there was maybe a log file I could tail and keep an eye out for irregularities.
My server got a phishing attack with bankamerica/paypal etc. I wonder, because we have tight firewall/security etc., but anyway this is terrible. I have found the IP when looking into /var/log/messages -
It looks like (?@85.201.19.xxx). Is it using anonymous FTP? I found the same IP used to log in to another FTP host as well.
My server (Xeon 3.0Ghz) went down for no reason yesterday and ever since it was rebooted (and I've rebooted a couple of times since then), pages load extremely slowly or just timeout. Server load is constantly hovering around 1 and top stats indicate that the server's resources are not under heavy load, which is contrary to the usual pattern during peak times.
I've checked netstat and I notice a lot of SYN_RECV. Could this be a DoS attack? If so, what steps do I take to stop it?
There used to be a thread on here, but because of the WHT hack, it didn't get saved... so now I can't go back to it.
It was a command in ssh that printed out a number of connections. Like 12,000 or something.
What is the best way to check the HDD on new Dedicated server?
I would like to see if there is a bad sectors, etc.
fsck? Or what is the full command that would do the job best?
OS is Centos.
I'm not sure where to ask this but probably this section is the closest. I'm sorry if I use the wrong section.
Anyway I was wondering about checking using a reverse ip address tool which is available for free on the internet.
It seems that anyone can just check other domains which share the same IP address on a server.
However, I have a question.
Is it possible for anyone to check other domains which have different and unique IP addresses (for each domain) BUT all reside on a same server?
(meaning the person who is searching this only checks using one IP address/domain name to find out other domain names that reside on the SAME server)
Is there a 'free tool' out there that is capable of checking this?
How can I check out server stability of the hosting company?
I mean hostingsource company, their servers seem nice for me and I'd like to know more of their reliability and scalability.
I have a problem with ports on my server.
How may I check ports?
For example 37549, 53377, 17235 and ...
I want to know whether these ports are AVAILABLE or not.
How can I check uptime, or how do I check downtime on my server? My members told me that they can not log in to my site and it shows: Page can not found or Sever not found.
I want to check in a batch whether my clients' domains changed name servers or not. Are there any tools / scripts available for that?
I have two servers, one from hostmysite and the other one from 15minute server. I would like to know which one is faster. I have a dedicated server from 15minuteserver, but sometimes I get slow speed; I am not really sure which one is faster.
Test the two IPs and let me know.
76.12.21.39
216.118.117.165
I have a dedicated server; someone else set up the security for me. How can I be sure of its security? How can I be sure that all risky PHP functions are closed or disabled? How can I be sure that there are no security gaps?
way to understand and implement the steps.
One of my servers hangs without obvious reason. What is the checklist to adhere to when troubleshooting? It is running on FreeBSD.
One of our customers has reported not being able to access any sites hosted on our server. He is using a cable connection with a static IP number. He is able to access all other web sites on the Internet; he just can't access the ones hosted on our network.
Do you have any ideas on why this could be occurring, or whether there is something on the server which could have blacklisted his static IP, preventing him access?
I recently purchased a new server. It is supposed to have a 250G SATA II HD.
However, I have my suspicion that it could be a SCSI HD (not that it's bad, but I just want to check).
Is there a SSH command that tells you the type of HD on your server?
I tried fdisk -l, but it doesn't really say whether it's a SATA2 or SCSI.
My server is being DDoSed and the network utilisation is at 40% of 1 Gbps.
I asked SoftLayer to check and they said my programs/services are taking that much bandwidth.
Can anyone help me?
If my server is under DoS attack, what can I do?
Because the bandwidth used is about 50 GB/hr.
My server was hit with a flood recently, to the point where I was unable to log in via SSH. Running the 'netstat' command showed I was getting flooded with thousands of HTTP requests from China/Saudi Arabia/Korea. I installed the APF firewall and added those countries to the deny list.
The next day I was hit from Russia and Romania and some others. By reading some posts on this site, on top of APF, I have also installed Dos Deflate. It was working for a couple of hours, but then it stopped working. I could not even log in via SSH. My provider told me that APF was using all of the "conntrack" connections. I have increased conntrack connections to 130,000 (I have 4 Gigs of RAM on my server). Is that possible? (I have about 300 IP ranges in my APF deny list.)
The next day, I got hit by a different attack: there was 11 Mbps of malicious traffic on average sent to my server. My provider put me behind a firewall to mitigate against that kind of attack.
Currently, I am both behind the hardware firewall and I have APF and Dos Deflate running. However, my server is not accessible.
When I request it, I can log in for a couple of minutes, but then I get kicked out.
I have been getting DDoSed for the last month. My host has tried many things on my server that are commonly suggested around here; however, we have over 40 000 connections hitting the server from this attack and it keeps rising.
I am on LiteSpeed.
I also have a NetScreen 50 firewall, which helped for a little while; however, the server still keeps going down.
I am spending $420 a month on my hosting for my dedicated server.
Now it is costing me an extra $400 a month to have the NetScreen firewall running, which is a waste of money as it can not effectively keep the server running, and I'm not sure if I can even afford that much money a month; however, I might need to spend a little more if needed to just get the server running finally.
Basically I need some options as to what I can do. I would like to stay with my host, they have been good to me; however, if my options are better suited to changing, then let me know. I just really need to get my server running great ASAP and to keep it running great when I'm away from the internet.
Today I have a DDoS attack on my server on port 80.
What is the best way to secure my server from DDoS attacks?