Now I Can Stop DDos Attack After All
May 9, 2007
Before when they attack my site I can't stop them. Now at I can but I have to monator the server all the time and execute this program :
Code:
#!/bin/bash
#Collecting list of ip addresses connected to port 80
netstat -plan|grep :80|awk {'print $5'}|cut -d: -f 1|sort|uniq -c|sort -nk 1 > /root/iplist
#Limit the no of connections
LIMIT=5;
for ip in `cat /root/iplist |awk '{print $2}'`;do
if [ `grep $ip /root/iplist | awk '{print $1}'` -gt $LIMIT ]
then
echo "5 connection from $ip... `grep $ip /root/iplist | awk '{print $1}'` number of connections... Blocking $ip";
#Blocking the ip ...
/etc/rc.d/init.d/iptables save > /dev/null;
CHECK_IF_LOCALIP=0;
/sbin/ifconfig | grep $ip > /dev/null;
if [ $? -ne $CHECK_IF_LOCALIP ]
then
{
FLAG=0;
grep $ip /etc/sysconfig/iptables | grep DROP > /dev/null;
if [ $? -ne $FLAG ]
then
iptables -I INPUT -s $ip -j DROP;
else
echo " Ipaddress $ip is already blocked ";
fi
}
else
echo " Sorry, the ip $ip cannot be blocked since this is a local ip of the server ";
fi
fi
done
It's block any connectin that has more than 5 connections.
My problem now that when I left my pc and when I come back my server can't response.
I used this to let it work every minute :
Code:
SHELL=/bin/sh
0-59/1 * * * * root /root/ddos/blockip5.sh >
and put it here /etc/cron.d/anti-ddos.cron
Is there any advice about it ? to let work all the time not every minute. like every 5 second.
I found that when I left my pc and come back to run this script I can't login to the server I have to reboot it then log again.
This message come from support :
In the past 12 Hours we have seen a maximum of #35 mbps and an average of 12 mbps of malicious traffic being sent to your server
I am using APF and also I use DDoS-Deflate version 0.6 and evasive mod.
Any more advice ? they keep attacking me for more than 1 Month 24 hours
View 3 Replies
ADVERTISEMENT
Jul 7, 2009
My server was hit with flood recently, to the point where I was unable to log in via SSH. Running 'netstat' command showed I was getting flooded with thousands of http requests from China/Saudi Arabia/Korea. I installed APF firewall and added those countries to deny list.
Next day I was hit from Russia and Romania and some others. By reading some posts on this site, on top of APF, I have also installed Dos Deflate. It was working for couple of hours, but then it stopped working. I could not even log in via SSH. My provider told me that APF was using all of the "conntrack" connections. I have increased conntrack connections to 130,000 (I have 4 Gigs of RAM on my server). Is that possible? (I have about 300 IP ranges in my APF deny list).
Next day, I was got hit by different attack: there was 11 Mbps of malicious traffic on average sent to my server. My provider put me behind firewall to mitigate against that kind of attack.
Currently, I am both behind the hardware firewall and I have APF and Dos Deflate running. However my server is not accessible.
When I request, I can log in for couple of minutes, but then I get kicked out.
View 9 Replies
View Related
Mar 24, 2009
Server - Windows 2003, IIS, Windows Mail
I am undergoing heavy SMTP attack, if i accept all connections in RELAY setting of SMTP
If i grant access only to Server IP, then attack stops, but all emails send, start bouncing back to me, as relay failed.
View 6 Replies
View Related
Jan 10, 2007
Today my system which is hosting the site bepenfriends got compramised(win 2k3) and now LT tech guys are working on it to reload the system with a data save. I was not having a hardware firewall which caused this problem. But i had windows firewall, windows malinious software removal tool (defender i haven't installed). I have updated all patches of win2k3 whch was released till today.
Now after restore it will be great work to bring my website back with all those rewritten urls and the softwares and its licenses.
Now please help me out in below stuff.
How to stop further attack and further compramisation of server.
View 9 Replies
View Related
Feb 6, 2008
Recently, some of our Linux/cPanel servers got hacked (not rooted) by using the following code (method)
#!/usr/bin/perl
symlink ("/home/USER/config.php","/home/USER2/test.txt");
The hacker just execute the perl file , and then he called the "test.txt" file through internet explorer , and its done , he can read the file easily !
We tried to :
1- run php as CGI module.
2- run SUPHP module.
3- run php as apache module.
4- enable open_basedir and safe_mode.
But the hacker still can bypass the system!
the only solution is to disable /usr/bin/perl , chmoded it to 700 . but thats caused a broken cpanel!
as it requires it to be at 755 for proper operation, since it is used by customers as well when it suexec into the user when they log into cPanel. and so we cannot change it to that setting (700), since it breaks the entire system.
So is there any way to stop the "symlink" perl function?
any way to stop this attack method?
View 14 Replies
View Related
Apr 19, 2007
For 2 weeks I am under DDoS.
The type of DDoS is the one that comes from DC clients.
I have managed to mitigate the attack and to get everything working ok.
I do not like the solution I came up with for many reasons and I found that squid can be good on stopping bad requests like the one that DC clients send when the attack occurs.
I am kinda new to squid and I do not know all the settings.
I have configured It and everything works great when there is no DDoS.
But when the attacks starts , nothing works. Squid does not log anything in access_log and also, there is no load, just a lot of connections to squid.
Is there a limit for max concurrent connections in squid ?
Or the ideea of using squid as a reverse proxy without caching, just to stop bad requests is a bad one ? (I do not need snort-inline, I have some issues with it).
View 2 Replies
View Related
May 29, 2009
My server is using too many httpd process..I think iam under DDOs attack..I executed the following command..
netstat -an | grep :80 | sort
and the result is this
tcp 0 1491 ::ffff:95.211.10.169:80 ::ffff:213.215.100.110:2263 LAST_ACK
tcp 0 1493 ::ffff:95.211.10.169:80 ::ffff:85.207.126.231:52694 LAST_ACK
tcp ....
View 14 Replies
View Related
Aug 4, 2009
I have a windows server, and today it has a large inbound traffic, so I tried to disable all web service, and after that, the result of netstat -an shows no connection at all, but the server still has large inbound traffic,
Do you have any idea about this?
What should I do now?
View 8 Replies
View Related
Mar 19, 2008
Our server is in attack since 4 days. Http port busy all the time.
When I type :
netstat -na | grep ":80" | awk '{print $5}' | cut -d. -f1-4 | cut -d: -f1 | sort -n| uniq -c | sort -n | tail -5
It shows :
[root@ ~]# netstat -na | grep ":80" | awk '{print $5}' | cut -d. -f1-4 | cut
-d: -f1 | sort -n| uniq -c | sort -n | tail -5
2 65.19.130.24
2 83.149.120.9
4 204.15.73.243
35 222.254.103.142
5128
[root@ ~]#
I wonder the hidden IP of 5128 ??? How to know it?
View 8 Replies
View Related
Jun 21, 2007
The server getting slow with high I/O diskwait then normal, although load is not high.
here is the output of: netstat -anp |grep 'tcp|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n .................
View 6 Replies
View Related
Apr 12, 2009
i had installed anti ddos or firewall,but those are useless.His attacks are such great that The server and all the vps are down now. One told me that I should check the ips and receive ips. The attacker is so skillful .describe the best method to defeat him. Be sides the attacker use diffirenet ips in each attack,I block him by iptables but no use…. His attack occupy all the ram and I have to resetart the server… Now this time his attack lead to shutting all the vps down
View 10 Replies
View Related
Jan 6, 2009
My website is under ddos attack from some competitors. I don't know yet how big is the attack. The ips of the ddos attack come from all the world.
I have contacted a few hosting companies specialised in ddos proof hosting, unfortunatly the price is so expensive that i cannot afford it.
So i try to find another solution : my website is only aimed to the french people, so maybe is it possible to install a kind of firewall or proxy located before the server to block all the incoming IP adress not from france ? Do you know some websites who can do this and the price ?
I already try do deny the non-french ip in one htaccess file but the ddos attack saturate the server anyway.
View 11 Replies
View Related
Oct 5, 2007
I am seeing DDOs from past two days, I believe its, but I can't find out which type of ddos it is...Whenever I shutdown apache the load goes down, if I start apache the iowait time goes extremely high and after few minutes the server is not responsive...the server is dual cpu quard core...please help me in finding out wuts happening, the softlayer guy is looking into the issue, but I am not getting any good response
I am attaching someoutputs
View 5 Replies
View Related
Apr 16, 2007
what is ddos attack? and also tell me how avoid it
View 1 Replies
View Related
Feb 4, 2007
Is there is any easy way to check ip's of attackers so that i can block these ip's ? And how can we know that our server is under DDOS attack?
View 9 Replies
View Related
Jul 31, 2007
Yesterday my server suffered a DDoS attack - at least, I'm assuming that's what it was, as incoming traffic rose to 100mb/s for a period of about 20 minutes. The only solution was to shut the server down, then bring it back. Fortunately, the traffic did not return.
At the time, I couldn't even access the server as root. The datacenter has been unhelpful, telling me that they have no idea where the traffic was coming from. What can I do to find out what happened, ideally an IP (and what kind of data was being sent)? I'm running RedHat Enterprise Linux.
View 4 Replies
View Related
Jun 23, 2007
my server is dead from thursday night the site has gone offline well the backend works justwhen you go to a domain it just doesnt open ive run a few commands in ssh heres the results
i run netstat -anp |grep 'tcp|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n and i get this
1 127.0.0.1
1 161.73.47.29
1 172.207.11.104
1 172.213.230.64
1 189.162.62.188
1 205.170.14.231
1 62.31.34.193
1 66.183.25.95
1 68.95.129.213
1 70.127.239.110
1 70.156.248.105
1 70.239.23.26
1 71.145.144.82
1 71.176.172.112
1 72.12.175.0
1 72.16.16.81
1 72.179.136.204
1 72.229.122.44
1 74.12.147.227
1 74.38.138.59
1 74.75.91.211
1 76.174.236.193
1 77.98.28.210
1 82.17.236.239
1 84.102.105.171
1 84.13.141.37
1 86.153.107.205
1 86.21.4.170
1 87.192.88.25
1 87.254.65.147
1 88.88.121.139
1 89.122.152.251
2 203.199.163.35
2 206.75.58.188
2 24.162.0.146
2 83.105.66.179
2 85.16.175.211
2 85.30.137.171
4 152.78.254.85
5 70.47.36.6
25 85.17.170.205
37 0.0.0.0
138
i ran netstat -an | grep -c SYN and i get
20
well it varies sometimes higher sometimes lower
i ran netstat -ntp and get
tcp6 0 0 ::ffff:85.17.170.205:80 ::ffff:86.153.107.:4185 CLOSE_WAIT -
tcp6 0 0 ::ffff:85.17.170.205:80 ::ffff:77.98.28.21:3278 ESTABLISHED-
tcp6 0 1 ::ffff:85.17.170.205:80 ::ffff:70.47.36.6:38766 FIN_WAIT1 -
tcp6 0 0 ::ffff:85.17.170.205:80 ::ffff:71.197.174.:2104 ESTABLISHED-
tcp6 70 0 ::ffff:85.17.170.205:80 ::ffff:70.47.36.6:39522 ESTABLISHED-
tcp6 0 1 ::ffff:85.17.170.205:80 ::ffff:70.47.36.6:38754 FIN_WAIT1 -
tcp6 0 0 ::ffff:85.17.170.205:80 ::ffff:76.170.60.:61830 CLOSE_WAIT -
tcp6 0 0 ::ffff:85.17.170.205:80 ::ffff:74.12.147.:64785 FIN_WAIT2 -
tcp6 0 1 ::ffff:85.17.170.205:80 ::ffff:76.170.60.:61825 LAST_ACK -
tcp6 526 0 ::ffff:85.17.170.205:80 ::ffff:203.199.16:20499 ESTABLISHED-
tcp6 448 0 ::ffff:85.17.170.205:80 ::ffff:82.31.72.23:3554 ESTABLISHED-
tcp6 66 0 ::ffff:85.17.170.205:80 ::ffff:70.47.36.6:39504 ESTABLISHED-
tcp6 0 0 ::ffff:85.17.170.205:80 ::ffff:71.130.170.:4683 ESTABLISHED-
tcp6 0 1 ::ffff:85.17.170.205:80 ::ffff:88.88.121.:63217 LAST_ACK -
tcp6 264 0 ::ffff:85.17.170.205:80 ::ffff:77.98.28.21:3316 ESTABLISHED-
tcp6 0 1 ::ffff:85.17.170.205:80 ::ffff:70.47.36.6:38731 FIN_WAIT1 -
tcp6 0 1 ::ffff:85.17.170.205:80 ::ffff:172.203.4.1:1573 FIN_WAIT1 -
tcp6 265 0 ::ffff:85.17.170.205:80 ::ffff:77.98.28.21:3300 CLOSE_WAIT -
tcp6 528 0 ::ffff:85.17.170.205:80 ::ffff:206.75.58.1:1529 CLOSE_WAIT -
tcp6 329 0 ::ffff:85.17.170.205:80 ::ffff:152.78.254:24785 CLOSE_WAIT -
tcp6 69 0 ::ffff:85.17.170.205:80 ::ffff:85.17.170.:52294 CLOSE_WAIT -
tcp6 481 0 ::ffff:85.17.170.205:80 ::ffff:172.207.105:3623 ESTABLISHED-
tcp6 0 0 ::ffff:85.17.170.205:80 ::ffff:24.98.106.5:1793 TIME_WAIT -
tcp6 73 0 ::ffff:85.17.170.205:80 ::ffff:85.17.170.:52296 CLOSE_WAIT -
tcp6 481 0 ::ffff:85.17.170.205:80 ::ffff:172.207.105:3625 ESTABLISHED-
tcp6 280 0 ::ffff:85.17.170.205:80 ::ffff:70.156.248:50993 CLOSE_WAIT -
tcp6 256 0 ::ffff:85.17.170.205:80 ::ffff:74.232.21.:50973 ESTABLISHED-
tcp6 68 0 ::ffff:85.17.170.205:80 ::ffff:85.17.170.:52304 ESTABLISHED-
tcp6 72 0 ::ffff:85.17.170.205:80 ::ffff:85.17.170.:52305 ESTABLISHED-
tcp6 68 0 ::ffff:85.17.170.205:80 ::ffff:85.17.170.:52306 ESTABLISHED-
tcp6 68 0 ::ffff:85.17.170.205:80 ::ffff:85.17.170.:52307 ESTABLISHED-
tcp6 446 0 ::ffff:85.17.170.205:80 ::ffff:89.122.152.:3387 CLOSE_WAIT -
tcp6 68 0 ::ffff:85.17.170.205:80 ::ffff:85.17.170.:52308 ESTABLISHED-
tcp6 68 0 ::ffff:85.17.170.205:80 ::ffff:85.17.170.:52309 ESTABLISHED-
tcp6 68 0 ::ffff:85.17.170.205:80 ::ffff:85.17.170.:52310 ESTABLISHED-
tcp6 447 0 ::ffff:85.17.170.205:80 ::ffff:74.103.15.:50618 CLOSE_WAIT -
tcp6 68 0 ::ffff:85.17.170.205:80 ::ffff:85.17.170.:52311 ESTABLISHED-
tcp6 68 0 ::ffff:85.17.170.205:80 ::ffff:85.17.170.:52312 ESTABLISHED-
tcp6 68 0 ::ffff:85.17.170.205:80 ::ffff:85.17.170.:52313 ESTABLISHED-
tcp6 68 0 ::ffff:85.17.170.205:80 ::ffff:85.17.170.:52314 ESTABLISHED-
tcp6 72 0 ::ffff:85.17.170.205:80 ::ffff:85.17.170.:52315 ESTABLISHED-
tcp6 66 0 ::ffff:85.17.170.205:80 ::ffff:85.17.170.:52316 ESTABLISHED-
tcp6 712 0 ::ffff:85.17.170.205:80 ::ffff:195.93.21.:41217 CLOSE_WAIT -
tcp6 68 0 ::ffff:85.17.170.205:80 ::ffff:85.17.170.:52317 ESTABLISHED-
tcp6 712 0 ::ffff:85.17.170.205:80 ::ffff:195.93.21.:45571 CLOSE_WAIT -
tcp6 279 0 ::ffff:85.17.170.205:80 ::ffff:82.45.205.6:2251 ESTABLISHED-
tcp6 0 1 ::ffff:85.17.170.205:80 ::ffff:85.17.170.:38243 FIN_WAIT1 -
tcp6 540 0 ::ffff:85.17.170.205:80 ::ffff:82.19.190.2:3929 ESTABLISHED-
tcp6 493 0 ::ffff:85.17.170.205:80 ::ffff:86.21.4.170:4267 ESTABLISHED-
tcp6 712 0 ::ffff:85.17.170.205:80 ::ffff:195.93.21.:57914 CLOSE_WAIT -
tcp6 67 0 ::ffff:85.17.170.205:80 ::ffff:70.47.36.6:39453 CLOSE_WAIT -
tcp6 632 0 ::ffff:85.17.170.205:80 ::ffff:75.46.61.3:61728 ESTABLISHED-
tcp6 332 0 ::ffff:85.17.170.205:80 ::ffff:84.108.80.:49283 ESTABLISHED-
tcp6 444 0 ::ffff:85.17.170.205:80 ::ffff:67.163.63.:39467 ESTABLISHED-
tcp6 498 0 ::ffff:85.17.170.205:80 ::ffff:85.30.137.1:2851 ESTABLISHED-
tcp6 444 0 ::ffff:85.17.170.205:80 ::ffff:67.163.63.:39469 ESTABLISHED-
tcp6 508 0 ::ffff:85.17.170.205:80 ::ffff:88.149.100:15418 CLOSE_WAIT -
tcp6 68 0 ::ffff:85.17.170.205:80 ::ffff:85.17.170.:47216 ESTABLISHED-
tcp6 508 0 ::ffff:85.17.170.205:80 ::ffff:88.149.100:15419 CLOSE_WAIT -
tcp6 68 0 ::ffff:85.17.170.205:80 ::ffff:85.17.170.:47217 ESTABLISHED-
tcp6 0 0 ::ffff:85.17.170.205:80 ::ffff:72.83.170.:50089 CLOSE_WAIT -
tcp6 508 0 ::ffff:85.17.170.205:80 ::ffff:88.149.100:15416 CLOSE_WAIT -
tcp6 72 0 ::ffff:85.17.170.205:80 ::ffff:85.17.170.:47218 ESTABLISHED-
tcp6 68 0 ::ffff:85.17.170.205:80 ::ffff:85.17.170.:47219 ESTABLISHED-
tcp6 1 0 ::ffff:85.17.170.205:80 ::ffff:72.83.170.:50091 CLOSE_WAIT -
tcp6 507 0 ::ffff:85.17.170.205:80 ::ffff:88.149.100:15420 ESTABLISHED-
tcp6 0 0 ::ffff:85.17.170.205:80 ::ffff:82.32.18.24:2244 ESTABLISHED-
tcp6 409 0 ::ffff:85.17.170.205:80 ::ffff:70.239.23.:26082 CLOSE_WAIT -
tcp6 329 0 ::ffff:85.17.170.205:80 ::ffff:152.78.254:24810 CLOSE_WAIT -
tcp6 508 0 ::ffff:85.17.170.205:80 ::ffff:88.149.100:15415 CLOSE_WAIT -
tcp6 715 0 ::ffff:85.17.170.205:80 ::ffff:195.93.20.:42065 ESTABLISHED-
tcp6 0 0 ::ffff:85.17.170.205:80 ::ffff:72.83.170.:50087 CLOSE_WAIT -
tcp6 0 0 ::ffff:85.17.170.205:80 ::ffff:85.30.137.1:2764 ESTABLISHED-
tcp6 505 0 ::ffff:85.17.170.205:80 ::ffff:194.247.231:2269 ESTABLISHED-
tcp6 351 0 ::ffff:85.17.170.205:80 ::ffff:76.174.236.:1645 ESTABLISHED-
tcp6 66 0 ::ffff:85.17.170.205:80 ::ffff:70.47.36.6:39649 ESTABLISHED-
tcp6 349 0 ::ffff:85.17.170.205:80 ::ffff:76.174.236.:1646 ESTABLISHED-
tcp6 272 0 ::ffff:85.17.170.205:80 ::ffff:68.95.129.2:4578 CLOSE_WAIT -
tcp6 255 0 ::ffff:85.17.170.205:80 ::ffff:66.249.70.:63667 ESTABLISHED-
tcp6 322 0 ::ffff:85.17.170.205:80 ::ffff:71.99.33.1:50724 ESTABLISHED-
tcp6 0 0 ::ffff:85.17.170.205:80 ::ffff:70.47.36.6:39385 ESTABLISHED-
tcp6 493 0 ::ffff:85.17.170.205:80 ::ffff:172.209.126:4691 ESTABLISHED-
tcp6 506 0 ::ffff:85.17.170.205:80 ::ffff:66.183.25.9:2614 CLOSE_WAIT -
tcp6 444 0 ::ffff:85.17.170.205:80 ::ffff:67.163.63.:39415 ESTABLISHED-
tcp6 0 0 ::ffff:85.17.170.205:80 ::ffff:68.10.147.6:3428 CLOSE_WAIT -
tcp6 487 0 ::ffff:85.17.170.205:80 ::ffff:189.162.62.:1262 CLOSE_WAIT -
tcp6 537 0 ::ffff:85.17.170.205:80 ::ffff:76.195.5.18:4785 ESTABLISHED-
tcp6 270 0 ::ffff:85.17.170.205:80 ::ffff:209.242.13:61937 ESTABLISHED-
tcp6 468 0 ::ffff:85.17.170.205:80 ::ffff:86.4.211.20:4516 CLOSE_WAIT -
tcp6 715 0 ::ffff:85.17.170.205:80 ::ffff:195.93.20.:37092 ESTABLISHED-
tcp6 0 1 ::ffff:85.17.170.205:80 ::ffff:69.181.177:31392 LAST_ACK -
tcp6 268 0 ::ffff:85.17.170.205:80 ::ffff:74.38.138.:61485 ESTABLISHED-
tcp6 712 0 ::ffff:85.17.170.205:80 ::ffff:195.93.21.:52368 CLOSE_WAIT -
tcp6 0 0 ::ffff:85.17.170.205:80 ::ffff:70.47.36.6:39350 ESTABLISHED-
tcp6 267 0 ::ffff:85.17.170.205:80 ::ffff:87.80.122.1:3587 ESTABLISHED-
tcp6 391 0 ::ffff:85.17.170.205:80 ::ffff:72.83.170.:50185 CLOSE_WAIT -
tcp6 411 0 ::ffff:85.17.170.205:80 ::ffff:81.96.122.1:1457 CLOSE_WAIT -
tcp6 66 0 ::ffff:85.17.170.205:80 ::ffff:70.47.36.6:39596 ESTABLISHED-
tcp6 0 0 ::ffff:85.17.170.205:80 ::ffff:74.12.147.:64733 TIME_WAIT -
tcp6 0 1 ::ffff:85.17.170.205:80 ::ffff:88.88.121.:63243 LAST_ACK -
tcp6 339 0 ::ffff:85.17.170.205:80 ::ffff:82.17.236.:50364 CLOSE_WAIT -
tcp6 0 15572 ::ffff:85.17.170.205:22 ::ffff:81.96.122.1:1209 ESTABLISHED-
tcp6 0 0 ::ffff:85.17.170.205:80 ::ffff:12.201.30.3:3928 CLOSE_WAIT -
tcp6 333 0 ::ffff:85.17.170.205:80 ::ffff:203.199.16:20205 CLOSE_WAIT -
tcp6 0 0 ::ffff:85.17.170.205:80 ::ffff:72.153.122:50891 ESTABLISHED-
tcp6 624 0 ::ffff:85.17.170.205:80 ::ffff:156.34.51.:60779 ESTABLISHED-
tcp6 278 0 ::ffff:85.17.170.205:80 ::ffff:68.227.184:53069 CLOSE_WAIT -
tcp6 716 0 ::ffff:85.17.170.205:80 ::ffff:195.93.20.:54730 CLOSE_WAIT -
tcp6 460 0 ::ffff:85.17.170.205:80 ::ffff:88.88.121.:63284 ESTABLISHED-
tcp6 896 0 ::ffff:85.17.170.205:80 ::ffff:72.95.3.16:50553 ESTABLISHED-
tcp6 66 0 ::ffff:85.17.170.205:80 ::ffff:70.47.36.6:39564 ESTABLISHED-
View 14 Replies
View Related
Jan 2, 2007
We are getting more traffic to one of the servers. It seems like DDOS attack, but IPs are diferent. I want to find what IPs are connecting more connections. Are there any commnds? I want to block those IPs.
netstat -rn | grep :80 |wc -l
502
View 14 Replies
View Related
Feb 7, 2007
My hosting account has been suspended because of a DDos Attack. What is that
View 8 Replies
View Related
Jun 22, 2007
I've seen many posts in the past few months about people under attack who were not able to handle things themselves, and who made statements along the lines of DDoS mitigation services that one has to pay for are too expensive.
First, I will state that my company does offer those services, and they are not cheap. We offer DDoS mitigation services for hosting/colocation/internet providers who can then resell it to their customers. I state this so that you know that I do have a bias here, though everything I state below is fact.
1. There are free open source tools that can help. Apache modules, IPTables scripts that extract info from netstat or syslog, and I know one guy who is puting together a kernel module. Most of these can stop small scale attacks, and are quite interesting to set up - if you like the technical end of things.
2. Most botnets have more than enough zombies to overpower #1 above.
3. If you have a 100 MBPS pipe to the internet, it doesn't take 100 MBPS of traffic to saturate the pipe and take it down. Enough small packets can overload a router's ability to process, and 10-20 MBPS of traffic can take out the router.
4. There may be a few ways to deal with this, though the best in my experience has been to place an intrusion prevention system (IPS) in front of the router. I have a number of friends in the industry who work at companies where malware is analyzed, and where they work with law enforcement to try and identify the attacking parties. This can be a lengthy process and will not often get a site / router back up quickly, though can be very nice in the long term.
5. Not all IPS are equal. I'm not going to name brands, but I've seen one $50,000 box that had gigabit links die after about 80 MBPS of DDoS traffic. If you're looking into IPS, make sure you compare what they actually do, and talk to people who have implemented them.
6. The majority of the IPS that we manage for our customers and that we implement when we have a new customer under attack are from TopLayer. There are three reasons for this; Their IPS actually works the way you would expect it to (the gigabit model can handle a gigabit of DDoS traffic); If there is something that the IPS can't block, we call their dev team who will work with us to figure out a way to block it; And they give us the best deals.
7. Implementing an IPS is not cheap. The suggested retail price for a gigabit level IPS is about $80,000 USD. Consider that a hosting/colo/service provider who has a two gigabit pipe will need two of these.
8. Managing an IPS takes a special skill set. The people with this skill set are usually expensive to hire as employees, and while I've known a few service providers where the chief technical guy (often a partner in the company) has been the one to manage the IPS, this guy has a lot of other important things to do, and doesn't usually want to be woken up at 2am every few days when there's a significant alert from the IPS.
9. Contracting out IPS management and monitoring can run anywhere between $1,000 and $2,000 per month depending on service options, response times, and contract length. This will usually include remote monitoring of the IPS from a security operations center (SOC), and a lot of escalation options on how to deal with attacks.
10. If an attack is using mechanisms that can get past IPS protections (I will not list them here to give people ideas on how to get around IPS protections, though if anyone is in the field and would like to talk about this I'd be more than happy to do so), then there will need to be escalation options at additional fees from other companies who specialize in that particular area. If subscribing to managed services such as #9 above, then these options should be listed with pricing knowledge available to the customer beforehand. In fact, the company offering the managed IPS service should manage the interface between their customer and the escalation company (we certainly do, and that's one of the things that our customers have been very happy about).
11. Considering #7 through #10 above; the cost of buying/leasing an IPS, managing the IPS and/or paying service fees, and escalating technical work in the event that there is something outside the scope of what can be mitigated using the standard tools, it is more than reasonable for a service provider to charge a significant amount of money to their customers for protection readiness, attack mitigation, and emergency setup fees in the event that there is a situation where a customer is being attacked, needs the service immediately, and has not been paying for protection.
12. A service provider will turn off (null route) their customer when the impact of an attack affects the rest of their customer base. If an attack takes out a full 2 GBPS pipe that they have for all their customers, and null routing one customer is the way to keep the other 1,000 customers up, then that one customer will be null routed. It is a sound business decision. In cases like this, there are options for how to deal with that customer, and that customer will have to decide if they are willing / able to pay for said options.
View 8 Replies
View Related
Jul 4, 2006
Someone is trying to attack our server (I think so). When running apache status there are a LOT of connections from one network, all requesting the same page. But running: netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n does show any of these IP's. So script blocking ddos attacks wont work. Anyone know what can I do about this?
View 14 Replies
View Related
Aug 31, 2009
I have been in online business for about 5 years, but only this morning found out what DDoS is. Shame on me.
Our site was attacked this morning and the host (shared hosting) has switched off the dns connection so our site is currently down along with email. We are a small firm and we are absolutely getting killed by this right now.
The tech support in this hosting company (icdsoft com) is absolutely phenomenal based on previous experiences and here is what they said throughout the day:
"Your site gets approximately 60 hits/second. Unfortunately there isn't much that can be done in such situation. We already blocked the most active IP addresses in our firewall, but this does not help, as the attack comes from many sources "
About an hour later they tried again and the following was said:
"Unfortunately we do not know how long this attack will last. At the moment there are more than 1100 requests/second towards your site."
about an hour after that the following was said:
"The attack is still going on. Currently, the incoming rate is 8MBit/sec. We will enable your site, and we will notify you when the attack is over."
My questions are the following and I will appreciate any advise as I am absolutely clueless about this:
1. What should I do at this point? Should I move the site to a dedicated server and if so, will this solve the DDOS problem?
2. Should I purchase anti DDoS package? They are extremely expensive it appears.
3. If I move to a new dedicated host, which one should i choose? we are a small site, with about 10,000 uniques per month and do not have massive budget so cost is a big factor.
4. How long will this current attack likely last? I know it's impossible to answer, but approximately how long do these things last and is it likely to repeat in the future if we leave things alone?
Any knowledgable advice on this matter will be greatly appreciated as we are hurting badly due to this and even 1 day loss of income for us is extremely serious and hurtful.
View 14 Replies
View Related
May 12, 2009
Im currently with poundhost
i have some colo servers with them
they have gone down 3 times over the last week
2 DDOS attacks and 1 router/exchange issue
I called them up and they reckon they get 1 DDOS some weeks, and other weeks have none
However, when another server is getting a DDOS attack, i dont want my server to go down.
I take it the network pipe is being flooded, and thats why websites stop responding.?
so i called rapid switch, they reckon if they get a DDOS attack, it just takes down the one server, and not everyones elses
View 14 Replies
View Related
May 24, 2009
i have been under DDoS attacks, and what it does is it will have different servers wget
a certain file so it's all pretty much with HTTP.
for example: i had 10000 wget site.com/file.rar from ip x.x.x.x
and then same wget from ip y.y.y.y.
now question is how could i block this?
is it a way on apache2 to limit Downloads per IP (example 1 gb /IP)?
View 12 Replies
View Related
Nov 6, 2009
I have a dedicated server running Debian and i am having some problems with Apache using a lot of CPU causing the load to go about 100.00. My load is usually 0.50 so this is not a bad coded script that is causing the problem.
I run netstat and got the following results ( my server IP has been replaced ):
Code:
# netstat -ntu
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 66.66.66.66:80 83.149.104.60:46866 SYN_RECV
tcp 0 0 66.66.66.66:80 216.176.179.82:33062 SYN_RECV
tcp 239 0 66.66.66.66:80 216.176.179.82:49383 CLOSE_WAIT
tcp 228 0 66.66.66.66:80 216.176.179.82:48866 CLOSE_WAIT
tcp 228 0 66.66.66.66:80 216.176.179.82:49385 CLOSE_WAIT
tcp 228 0 66.66.66.66:80 78.159.196.25:33786 CLOSE_WAIT
tcp 229 0 66.66.66.66:80 216.176.179.82:49912 CLOSE_WAIT
tcp 845 0 66.66.66.66:80 200.140.141.66:47575 CLOSE_WAIT
tcp 239 0 66.66.66.66:80 216.176.179.82:48835 CLOSE_WAIT
tcp 229 0 66.66.66.66:80 69.22.166.25:33838 CLOSE_WAIT
tcp 239 0 66.66.66.66:80 69.22.166.25:34092 CLOSE_WAIT
tcp 238 0 66.66.66.66:80 216.176.179.82:49056 CLOSE_WAIT
tcp 239 0 66.66.66.66:80 85.234.152.91:49110 CLOSE_WAIT
tcp 229 0 66.66.66.66:80 69.22.166.25:60500 CLOSE_WAIT
tcp 228 0 66.66.66.66:80 216.176.179.82:48575 CLOSE_WAIT
tcp 238 0 66.66.66.66:80 85.234.152.91:49346 CLOSE_WAIT
tcp 229 0 66.66.66.66:80 216.176.179.82:49337 CLOSE_WAIT
tcp 228 0 66.66.66.66:80 69.22.166.25:34173 CLOSE_WAIT
tcp 229 0 66.66.66.66:80 78.159.196.25:33426 CLOSE_WAIT
tcp 239 0 66.66.66.66:80 69.22.166.25:34931 CLOSE_WAIT
tcp 239 0 66.66.66.66:80 78.159.196.25:51062 CLOSE_WAIT
The problem is probably those close_wait connections. I already have APF installed on my server ( althought it doesn't work well with Debian ) and only port 80 is open.
how can i stop those attacks? Besides manually blocking the ip, which is not the best way to handle this problem.
View 13 Replies
View Related
May 19, 2009
is there any proved method to determine what kind of attack you are under? Our server has been under attack for more than a day now but so far we have not been able to find out what kind of attack it is exactly. The server maintence company we are using says it's a DDoS attack but they don't say how they found this out. Also, they are not telling us what kind of DDoS attack it is.
View 14 Replies
View Related
Nov 16, 2008
Ddos attack
This week some hackers attack my site with ddos attack and pc zombies...
i have installed and configured fail2ban but it has yielded no results
the server surchauffe and be DOWN always...
View 13 Replies
View Related
Aug 4, 2008
My site was recently under a DDoS attack and was down for a few days, the attack came from Russia i believe.
The people who did it asked for $800, but of course i didnt pay. My hosting company did the best they could in order to stop the attack but it still lasted a few days and badly hurt my rankings.
I moved my site to a dedicated server, but i dont know what kind of software/hardware i need to install on it in order to prevent more future attacks, the hosting company suggested a few things but i dont know if they are just trying to get more money out of me.
View 3 Replies
View Related
Sep 3, 2008
I hope liquidweb can do something about this. This is the first time Im getting DDOS. Its been almost 1hour & counting....hopefully this does not last too long.
Is there anything they can do proactively to counter this attack. I have a hardware firewall with them also. I was told around 800Mbps of inbound traffic.
"This ticket is to notify you that it was necessary for us to null route
69.16.xxx.xx due to a very large inbound DDoS attack. The null route was
required in order to keep our network stable and to limit the affect to our
other customers. We are actively monitoring the situation, and will remove the
null route as soon as the attack has subsided enough.
View 7 Replies
View Related
Dec 26, 2008
This is the second time I have been DDoS Attacked and it is losing my customers and my reputation. I personally think it is a rival company trying to put me out of business. So to prevent further attacks I need so protection. Is there some kind of software based protection or is it only hardware?
View 6 Replies
View Related
Feb 2, 2008
is this DDOs attack : .....
View 5 Replies
View Related