I'm developing a self-made solution to mitigate DDoS attacks, using tcpdump.. We received a DDoS last Sunday and it worked perfectly, we could rapidly identify the attack sources and ask our carrier to block them.
My idea is to monitor common connections from one IP to another, and order them by the number of connections. When there are 50+ connections (same ip, same port TO another ip, another port) this means we are probably under attack.
I was wondering if my algorythm is good enough?
Command used: tcpdump -n -c 200 | grep 2 | awk '{printf ("%s -> %s
"),$3,$5}' | sort | uniq -c | sort -n -r
BUT... My doubt is that DEST port is always 80, 22, 21, 25, etc... But SOURCE port is variable!
I see everytime connections like:
208.X.X.X:24578 -> 70.Y.Y.Y:80
And also, sometimes a same IP place various connections like:
208.X.X.X:24578 -> 70.Y.Y.Y:80
208.X.X.X:38731 -> 70.Y.Y.Y:80
208.X.X.X:14598 -> 70.Y.Y.Y:80
208.X.X.X:64578 -> 70.Y.Y.Y:80
... and my script doesn't count them as 4 connections, just one for each line like that...
Is there any DDoS tool I can use to test this mitigation algorythm?
Is there any security group that can help me out, simulating a DDoS or even helping me with my script? (I can pay for it)
Example of my report, generated by my script:
No. connections | Source IP | Dest IP
8 201.9.126.9.27005 -> 200.169.XXX.160.27015:
6 200.169.XXX.130.http -> 189.55.119.177.astromed-main:
6 189.55.119.177.iwlistener -> 200.169.XXX.130.http:
5 200.169.XXX.175.pop3 -> 201.67.151.51.14137:
4 201.95.49.29.58559 -> 200.169.XXX.140.27015:
4 201.52.122.217.27005 -> 200.169.XXX.140.27060:
4 201.51.100.118.essp -> 200.169.XXX.135.63392:
4 201.47.13.35.50311 -> 200.169.XXX.140.27015:
One of my sites is currently the target of a DDoS attack. It seems that it is targeted toward the domain as opposed to the ip address since changing the ip only resulted in an attack on the new ip within a couple of hours. Can anyone suggest anything I can do about this? I have already contacted my server company and the only thing they have done is nulled the addresses that are being attacked. However, this isn't really much of an option since this means my site doesn't work.
I would open up a topic here in case someone has done this before and might have some good tips and/or links. Anyway what I plan to do is examine the packets of this DDoS and see if they have a common header and block it.
Problem is that the only way to stop this command is pressing CTRL + C, and i just need some option to specify how much time the tcpdump will be running, i need it running for 1 minute for example, and then it should automatically stop.
it's come under my attention that dragonara.net has been ddosing me today since morning from the ip: 194.8.75.229
What's so ironic about it is that the ip is from a UK DDOS protection site so i'm expecting some email with their services in the next hour or so. Stay clear of them they are fakes and e-terrorists.
I've been getting VERY high packet loss to my VPS for around 10-15 minute periods over the past month or so (No patterns or specific times, totally random when it occurs) with my provider's Parallels Business Automation control panel reporting "Server is down" along with the VZCP on the node being inaccessible. I opened a ticket with my provider and they told me that they experienced a DDoS attack on the node my VPS was hosted on.
However, I get the feeling that they are giving me some crap to stop my pestering them about the packet loss all the time (I mainly use my VPS for providing VoIP services which use UDP so the packet loss is devastating).
Anyone got any views on this?
Also they keep offering to move me to a diffrent node but they say they can only do that by giving me a new IP address and I would have to backup all the data and restore it manually, myself. Any views on this as well?
I'm experiencing a significant UDP DDoS at the moment which is aimed at port 80 on my server, it's currently crippling Apache, but only on port 80, https (443) is fine. I've told iptables it drop UDP packets sent to port 80 and have also completely blocked most of the attacking IPs, this has helped, but the webserver is still periodically unresponsive.
we had a bad ddos to on of the sites we were hosting, the ip of the ddos was blocked in apf and iptables, but for some reason it still got through we had to have it blocked in the router, we installed CSF into our server hoping for a better firewall does anybody know why apf could not hold back the ip im open to suggestions,
I have got pretty big problems with my VPS, some of my sites getting DDoS'd a log. I have no idea why and who DDoSing them
I have csf, apf and DDoS Delfate installed but it seems they can't take those attacks down. I know for mod_evasive but it works only on small attacks, I getting pretty strong attacks
I need some way to configure csf better, what I need to edit in /etc/csf.conf to block IPs if the same IP trying to connect to server more that 10 times. I need everything what I could edit for csf to block IPs faster
About DDoS Deflate, he is configured to works with apf, can I configure it to works with csf and how? How to configure DDoS Deflate better, to block IPs faster
Also, another problem with csf is that when I restart csf(service csf restart) he unblock all blocked IPs and I have to block them again
How to see blocked IPs by iptables?
I running lighttpd at the moment but I thinking to change it with Litespeed(free edition), what do you think about it?
I hope I will get some help here. Aslo,would be interesting to hear how do you guys protecting your servers from DDoS(if you getting DDoSed
we have a 100mbut connection and with a normal traffic we use about 40-50mbit but from friday seem that we are under attack this is the stats from the fastethernet
inbound 20427 ucast pkts/s
outbound 5547.5 ucast pkts/s
inbound 85793.9 Kbit/s
outbound 8211.98 Kbit/s
we have reach also for 4 hours 100mbit and all the server was offline, we have contact the datacenter and they say that not is a ddos attack because the traffic come fom our server and not from outside the net, so look as we have a hacked server that is making all this traffic, how can w found the problem? we have about 130 server on this connection
Hey guys If there was a way to have the ips of the dedi change constantly would this help prevent ddos attacks or would there be no difference if the domain was being attacked.
I have a problem with a customer. For the last 48 hours he has been receiving a massive DDoS at his server. I tried blocking the darn IPs but they keep coming and with several hundreds of connections each:
Apache has over 14000 connections. I tried using mod_evasive but didn't do anything and the server has been out without httpd for hours now. Any advices? This is a Hsphere server (I hate it personally) with 4GB RAM and a dual optero 246. I have the mexclients setting at 550.
I have a windows server, and today it has a large inbound traffic, so I tried to disable all web service, and after that, the result of netstat -an shows no connection at all, but the server still has large inbound traffic,
A user joined our live chat and said if we didn't cancel a domain on our server, he will send us a DDOS attack, and he did so and also did this morning.
Is there anything I can do to prevent this or possibly punish him?
If I have a server with a a gb /second port so no one can DDOS me ?
or if the hacker have a servers with a gb/ port he can destroy any thing ?
second question
sometimes people hjave ip tables to filter all the packets to the server these people some times go down for ddosing too WHY ? why the IP tables cant filter the packets of this type of DDOSING?
My server is getting ddossed everyday, all are at the same time -> 4 am since tuesday. Cacti is showing 60~70mbit on that time.
Server 'crashed' on thursday (nearly 70mbit), it got back up but the ips (4 out of 5) were not working. Couldnt ping it. So I gave it a reboot and it worked again.
I used to get alot of Brute Force attacks, after I changed port and not allow root login etc etc on Monday, I dont get any attacks anymore ...
i had installed anti ddos or firewall,but those are useless.His attacks are such great that The server and all the vps are down now. One told me that I should check the ips and receive ips. The attacker is so skillful .describe the best method to defeat him. Be sides the attacker use diffirenet ips in each attack,I block him by iptables but no use…. His attack occupy all the ram and I have to resetart the server… Now this time his attack lead to shutting all the vps down
My website is under ddos attack from some competitors. I don't know yet how big is the attack. The ips of the ddos attack come from all the world.
I have contacted a few hosting companies specialised in ddos proof hosting, unfortunatly the price is so expensive that i cannot afford it.
So i try to find another solution : my website is only aimed to the french people, so maybe is it possible to install a kind of firewall or proxy located before the server to block all the incoming IP adress not from france ? Do you know some websites who can do this and the price ?
I already try do deny the non-french ip in one htaccess file but the ddos attack saturate the server anyway.
i'am looking for a software based ddos protection,some one know something for try to mitigate a ddos or help to get the server rock a solid?And i need to know too where i change the DNS(vhost) of my DEDICATED server.
so a guy I know runs a site, it's being hit very hard with a DDoS attack. He's spending about 500 /month to keep his site online. He's using ServerTech, but for the last few days, it's been offline and they have been non-responsive for the most part. I'm guessing they just don't know what to do.
Do you guys have any recommendations for any DDoS protected hosting? He doesn't really want to pay more, if he doesn't have to.
Iweb does not care if their client using their network to attack others.
What happen is, 1 of their clients, using his website to launch iframe/xhrhttprequest to my website. In the last 48 hours i have sent 4 emails to Iweb's abuse department but received no response at all and the attacks still going on. I included the log files, a screen record video showing the site is submitting request to my site.
I also contracted live chat and they told me they will make sure this problem resolved in 18 hrs but i did not received any response or what so ever.
So what could i do to make that website to stop ddosing?
