A couple of days ago I was having load issues and and my host looked at my issue and added apf 0.9.6 rev2 with ddos deflate, and the load has gone down. I have a question though, when APF_BAN=1 and ban period is minutes BAN_PERIOD=1800 why does my deny.hosts have 2 day old bans?
View 2 Replies
i opened up my email only to get spamming with over 600 email's from my server. I dont think my server is being DDOS'd but this is strange. And there seems to be a bug.. its saying BANNED NUMBER of Number and not, "ip here with X numbers f connections: The emails consist of:
Quote:
Banned the following ip addresses on Fri Oct 23 14:35:01 CDT 2009
250 with 250 connections
Quote:
Banned the following ip addresses on Fri Oct 23 12:58:01 CDT 2009
363 with 363 connections
Quote:
Banned the following ip addresses on Fri Oct 23 12:38:01 CDT 2009
253 with 253 connections
Quote:
Banned the following ip addresses on Fri Oct 23 09:12:01 CDT 2009
162 with 162 connections
Anyone else had this problem before? It seems my server is trying to ban itself since 162 is what i believe to be my server ip with that amount of connections. It started @ 9am and still going on now. I checked my CSF log and its showing my server is trying to PING some outside ip address @ 224.0.0.251
Just wondering if anyone is running both of these applications. Am I wrong in thinking that running them both would be redundant?
View 11 Replies View RelatedI'm having a problem with mails on my server. I configured csf and ddos deflate to send a mail to "root" when some ip is blocked. I made .forward in /root dir with my mail but I still don't recieve an email when an ip is blocked by csf or ddos deflate
P.S Mails with webmail clients are working fine
it seems people tell Dos Deflate is the best basic antiddos script and tons of webhosts use it.
I think its ratter old and it doesnt work for anything these days. Why do hosts still run it? And why isnt there a better alternative?
I used Deflate some years ago and I got problems. And tried then after some years again and nothing changed, the same basic old script which counts connections and ban IPs.
The think with Deflate is that if you have a high limit, lets say ban with 150 connections per IPs, its absolutely worthless for attacks, since you are letting already 150 connections per IP.
And if you lower it at least me got with tons of problems banning real visitors. Even over 150 I had complaints about real visitors on a server telling the server blocks him. Dont ask me how someone has 150 connections to a servers but I got complaints from multiples people over the world the 1 month i had it running over a 2 years ago.
I also see a really big problem with it. Allot of ISP share IPs between users. So its really possible you get 200 connections from the same IP and they are different users. Banning an IP based on the connections you can probably shutdown a full IPS and their visitors. I wish there was a better solution but using a high value like 300 or 500 doesnt make sense in a Dos attack. And if you use a low value you start to get into problems.
We agree it will not work with distributed attacks but I dont think it can even work with single attacks since besides connection count it doesnt seem to be any more analisys behaviour.
The way I would make a script like that. Is to check all traffic and IPS all the time. And mark IPs that always access a server ass good ones. The newer the IP the more suspicious. On a attack this way real visitors would still pass but attackers will not as they are new ips. You can also match then the number of times its connecting, how long, etc.
I found this ddos deflate like script but made and optimized for csf i used it and it seems to work great, any one else there useing it,? its called csfprotect, anyone else using this script and its working good at blocking ips,
View 4 Replies View Relatedi have problem when using ddos deflate for ddos protection in my server,
i get this message,
Quote:
Banned the following ip addresses on Tue Aug 4 13:12:37 WIT 2009
67.21.44.60 with 4011 connections
ddos deflate is blocking my server ip, what's wrong?
: 67.21.44.60 not real my server ip just for sample
I use deflate to prevent ddos attack.
But after I start deflate, I still keep seeing a lot of connection from certain IP.
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
87 218.86.252.158
363 219.150.191.62
501 60.216.238.212
I want to block those IPs permanently.
How can I do that.
I am using DDOS Deflate
[url]
I have a problem with NO_OF_CONNECTIONS.
The default is 150
For example, if a website has 200 thumbnails in one page, then the user will get banned.
But in my case, each time a user have only 1 connection(He only access 1 flv file each time).
So, is that safe for me to decrease the number to 20.
I can see a lot of IP having more than 80 connections, which I think they are ddos attack.
I have a few questions regarding (D)Dos Deflate:
How many " Connections " should I set it at before (D)Dos Deflate starts blacklisting and banning IP Addresses? It is set at 150. Should I make it 10?
Should APF Firewall be installed for this to be more effecfive? ( Note, I'm don't know much about Linux and this isn't installed. )
Number of seconds the banned ip should remain in blacklist? It is a at 600 by default. Shouldn't this be infinite?
Quote:
##### frequency in minutes for running the script
##### Caution: Every time this setting is changed, run the script with --cron
##### option so that the new frequency takes effect
FREQ=1
1-i have CSF installed and thinking to install DOS-Deflate 0.6 but not sure if any Conflect between CSF and DOS-Deflate 0.6. Any Idea..
2- How Safe to use Kloxo for one Domain for personal use ..
I made a thread about this in programming as I was trying to figure it out but I ended up tweaking dos deflate a lil and got it working. Tried and tested as well during low bandwidth syn flood. Keep in mind if you are having massive syn attacks then most of it will have to be filtered on the network level. I have filtering from staminus on my server, this is just for the low bandwidth stuff that gets through.
Syn-deflate is just a name I came up with as it is based on dos-deflate, only a few changed features. I dont know how medialayer would feel about me modifying their script this way I know they got lisence and copywrite on it. Guess I will talk to them about that before any official release.
especially about the csf version.
So I always have used some dos deflate features to monitor dos in my servers, just the netstat command. This one:
Code:
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
Today, got a syn flood coming through, low bandwidth, etc. Each ip connecting under the tracking limit for csf. So I tweaked the netstat command a lil bit and I was able to see what ips were sending syn and how many times.
Like this:
Code:
netstat -ntu | grep SYN_RECV | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr
So I figured it would be very handy to ban ips sending over so many SYN_RECV connections at once. So I took dos deflate and tweaked it a lil. Made this to work with csf. Only problem on csf is there is no unban command, only whitelist so I just had it do csf -d again on the unban command, This would give an error and would not unban the ip but you really dont need to unban it so soon.
With apf it works perfectly on unbanning. Works just like dos deflate but bans syn flooders not connection flooders. You could even use this along with dos deflate. I am using it along side of csf and the connection tracking feature no problem.
I plan on releasing some what of an official version too along with some other tools to monitor and stop dos. So whoever is interested or can offer some advice let me know.
For those who wanna give it a try:
For the CSF version:
To install:
Code:
wget[url]
To uninstall
Code:
wget [url]
For the Apf and Generic Iptables version:
To install
Code:
wget [url]
To uninstall
Code:
wget [url]
uninstall.synd ; ./uninstall.synd
I didnt get to try the apf version out much but have used the csf version all day with no issues
Note to makers of dos-deflate: Im not too keen on all this licensing stuff or what I am supposed to do when I modify someone else script so let me know what I need to do to keep from making anyone mad.
Whatever i try to modify configuration there is no way i can get file delivered by apache or NGINX to be deflate/gzip compressed.
OS: Debian 7.7
Plesk version: 12.0.18 Update #33
I've tried to add these lines to Nginx (Vhost directives) but it change nothing :
# Gzip Settings
gzip on;
gzip_buffers 16 8k;
gzip_comp_level 4;
gzip_http_version 1.1;
gzip_min_length 1100;
gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/x-javascr$ application/xml application/xhtml+xml application/xml+rss;
gzip_vary on;
gzip_static on;
gzip_proxied any;
gzip_disable "MSIE [1-6].";
I also tried to disable Nginx and configure deflate in apache with following lines (Vhost directives then in a file in apache2/conf.d) but it is the same ...
<IfModule mod_deflate.c>
# Force deflate for mangled headers developer.yahoo.com/blogs/ydn/posts/2010/12/pushing-beyond-gzipping/
<IfModule mod_setenvif.c>
<IfModule mod_headers.c>
SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)s*,?s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
[code]....
I have been trying to enable server-wide compression using deflate.My server is running a fresh install of plesk panel 11 installed over a fresh centos 6 64. The configs and settings (aside from files I mention) have not been changed at all from default.
I have created a new file in /etc/httpf/conf.d/deflate.conf This file is being included when Apache is restarted, so that's definitely working and the html doc compresses. But not matter what I do (I have tried every combination Google would find) css and js files will not compress. At my previous workplace we also used a Plesk server and nobody could ever get compression working there either.
it's come under my attention that dragonara.net has been ddosing me today since morning from the ip:
194.8.75.229
What's so ironic about it is that the ip is from a UK DDOS protection site so i'm expecting some email with their services in the next hour or so. Stay clear of them they are fakes and e-terrorists.
I am looking for some good ddos protection providers, via protected dns. I've searched on internet, but most of them are really expensive.
Please tell me some ddos protection providers what could help me.(gige is too expensive btw).
And I found some ddos protection scripts. How can a script protected a server from ddos? A sript like CSF or DDoS deflate?
I've been getting VERY high packet loss to my VPS for around 10-15 minute periods over the past month or so (No patterns or specific times, totally random when it occurs) with my provider's Parallels Business Automation control panel reporting "Server is down" along with the VZCP on the node being inaccessible. I opened a ticket with my provider and they told me that they experienced a DDoS attack on the node my VPS was hosted on.
However, I get the feeling that they are giving me some crap to stop my pestering them about the packet loss all the time (I mainly use my VPS for providing VoIP services which use UDP so the packet loss is devastating).
Anyone got any views on this?
Also they keep offering to move me to a diffrent node but they say they can only do that by giving me a new IP address and I would have to backup all the data and restore it manually, myself. Any views on this as well?
I'm experiencing a significant UDP DDoS at the moment which is aimed at port 80 on my server, it's currently crippling Apache, but only on port 80, https (443) is fine. I've told iptables it drop UDP packets sent to port 80 and have also completely blocked most of the attacking IPs, this has helped, but the webserver is still periodically unresponsive.
View 11 Replies View RelatedWe are getting ddosed badly.. Last night httpd reached max clients and httpd wasnt able to start up.
View 3 Replies View Relatedwe had a bad ddos to on of the sites we were hosting, the ip of the ddos was blocked in apf and iptables, but for some reason it still got through we had to have it blocked in the router, we installed CSF into our server hoping for a better firewall does anybody know why apf could not hold back the ip im open to suggestions,
View 2 Replies View RelatedI have got pretty big problems with my VPS, some of my sites getting DDoS'd a log. I have no idea why and who DDoSing them
I have csf, apf and DDoS Delfate installed but it seems they can't take those attacks down. I know for mod_evasive but it works only on small attacks, I getting pretty strong attacks
I need some way to configure csf better, what I need to edit in /etc/csf.conf to block IPs if the same IP trying to connect to server more that 10 times. I need everything what I could edit for csf to block IPs faster
About DDoS Deflate, he is configured to works with apf, can I configure it to works with csf and how? How to configure DDoS Deflate better, to block IPs faster
Also, another problem with csf is that when I restart csf(service csf restart) he unblock all blocked IPs and I have to block them again
How to see blocked IPs by iptables?
I running lighttpd at the moment but I thinking to change it with Litespeed(free edition), what do you think about it?
I hope I will get some help here. Aslo,would be interesting to hear how do you guys protecting your servers from DDoS(if you getting DDoSed
we have a 100mbut connection and with a normal traffic we use about 40-50mbit but from friday seem that we are under attack this is the stats from the fastethernet
inbound 20427 ucast pkts/s
outbound 5547.5 ucast pkts/s
inbound 85793.9 Kbit/s
outbound 8211.98 Kbit/s
we have reach also for 4 hours 100mbit and all the server was offline, we have contact the datacenter and they say that not is a ddos attack because the traffic come fom our server and not from outside the net, so look as we have a hacked server that is making all this traffic, how can w found the problem? we have about 130 server on this connection
If you were under a DDos attack, what commands would you execute to confirm this?
Is it normal for high traffic sites with 3,000 concurrent apache connections from running this command?
netstat -n | grep :80 |wc -l
what would happen if you changed the server IP to 127.0.0.1?
View 4 Replies View RelatedMy server is using too many httpd process..I think iam under DDOs attack..I executed the following command..
netstat -an | grep :80 | sort
and the result is this
tcp 0 1491 ::ffff:95.211.10.169:80 ::ffff:213.215.100.110:2263 LAST_ACK
tcp 0 1493 ::ffff:95.211.10.169:80 ::ffff:85.207.126.231:52694 LAST_ACK
tcp ....
The DC installed Squid. It manages the load fine but the php code on my page is cached and doesn't work.
Is there a way to get squid to not cache php? in that httpd can directly call php while squid does everything else?
Hey guys If there was a way to have the ips of the dedi change constantly would this help prevent ddos attacks or would there be no difference if the domain was being attacked.
View 2 Replies View RelatedOK well today I found out my server was being DDOS'ed
And I know which domain is being attacked with hundreds of IP's. I am running Cpanel / WHM but I have no idea how I can stop this?
Any ideas or suggestions? Maybe redirect the DNS? to a invalid ip? But I'm not sure how i can go about doing that?
I have a problem with a customer. For the last 48 hours he has been receiving a massive DDoS at his server. I tried blocking the darn IPs but they keep coming and with several hundreds of connections each:
104 78.157.168.98
125 83.226.157.91
126 89.103.109.65
131 89.12.150.23
135 84.251.196.78
135 86.122.0.135
135 91.127.235.86
154 84.24.14.41
160 193.216.140.101
331 89.151.8.78
419 78.0.103.64
Apache has over 14000 connections. I tried using mod_evasive but didn't do anything and the server has been out without httpd for hours now. Any advices? This is a Hsphere server (I hate it personally) with 4GB RAM and a dual optero 246. I have the mexclients setting at 550.
I have a windows server, and today it has a large inbound traffic, so I tried to disable all web service, and after that, the result of netstat -an shows no connection at all, but the server still has large inbound traffic,
Do you have any idea about this?
What should I do now?
Our server is in attack since 4 days. Http port busy all the time.
When I type :
netstat -na | grep ":80" | awk '{print $5}' | cut -d. -f1-4 | cut -d: -f1 | sort -n| uniq -c | sort -n | tail -5
It shows :
[root@ ~]# netstat -na | grep ":80" | awk '{print $5}' | cut -d. -f1-4 | cut
-d: -f1 | sort -n| uniq -c | sort -n | tail -5
2 65.19.130.24
2 83.149.120.9
4 204.15.73.243
35 222.254.103.142
5128
[root@ ~]#
I wonder the hidden IP of 5128 ??? How to know it?
