Security To Stop DDoS Attacks And Stuff
May 19, 2009
My host tells me that they have security to stop DDoS attacks and stuff; however, today my server load jumped to 17.12 and my site went down, giving me a "Network Timeout" error.
My host tells me it's my fault, that I am using too many resources. The MOST my site has been on load is 3.06, and that was around lunch time a few weeks back. It's 11:43 and the server load is 17.12? I think my host is pulling my leg. I have not added ANYTHING new to my site and have not changed anything in 3 days. The load has been fine till today.
I use In Motion Hosting.
View 14 Replies
Dec 6, 2008
I am getting hundreds of these in my mail log each day, trying different names etc., and want to put a stop to them and auto-ban the IPs.
I have APF.
View 2 Replies
Mar 9, 2008
I have a VPS that's on the awknet network and I'm receiving DNS DDoS, and I don't think they have anything to stop these attacks. How can I prevent these?
View 4 Replies
Jun 25, 2008
One of my customers' servers is getting DDoS attacks. I solved SYN and GET attacks with LiteSpeed web server, but I have another problem. They started to do a UDP flood. I'm losing connection to my server. I bought a new server with a 1 Gbit port to solve it.
View 3 Replies
Mar 31, 2009
This is a quote from an unrelated thread in the Dedicated Server Forum. I didn't want to hijack the thread, so I thought I would bring my question over here:
Quote:
Originally Posted by HRDev Hady
I believe they use BurstNet, which isn't really a good choice for DDoS-prone sites as their Top Layer devices don't seem to handle attacks very well in my opinion. If you're running a DDoS prone site, you'd likely be better off with a DDoS-specialized provider such as Awknet, Staminus, or Black Lotus. But as mentioned, a lot of attacks can be stopped simply by proper tuning of your IP stack and some simple firewall rules.
My question is, as a new dedicated server owner, what tuning and rules do I need to implement in order to protect me from these "small scale DDoS attacks"?
I do not run a DDoS-prone site (I hope not, lol), but I want to secure myself as much as possible and have a headache-free run, other than the headaches I cause myself, of course.
View 5 Replies
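As an added example (not something posted in the thread), here is what "proper tuning of your IP stack and some simple firewall rules" can look like on a single Linux box: a handful of sysctl values that keep the host usable under a SYN flood and drop spoofed traffic, plus an iptables rule set that caps concurrent connections per source address (connlimit) and rate-limits new connections per source (hashlimit). The port numbers, the 30-connection cap and the 20/sec rate are assumptions for illustration; tune them to your own traffic, and note that connlimit and hashlimit need their kernel modules present.

```shell
#!/bin/sh
# Added example (not from the thread): baseline IP-stack tuning and iptables
# rules against small floods on one Linux box. Ports and limits are assumed
# values for illustration; adjust them to your own traffic before applying.

WEB_PORT="${WEB_PORT:-80}"        # assumed HTTP port
SSH_PORT="${SSH_PORT:-22}"        # assumed SSH port
CONN_PER_IP="${CONN_PER_IP:-30}"  # assumed cap on concurrent web connections per source
SYN_RATE="${SYN_RATE:-20/sec}"    # assumed sustained new-connection rate per source

# Kernel settings (sysctl.conf syntax): SYN cookies keep the listen queue
# usable during a SYN flood, rp_filter drops packets whose source address
# does not route back over the arriving interface, the rest closes classic
# broadcast-amplification, source-route and redirect holes.
gen_sysctl() {
    cat <<'EOF'
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_synack_retries = 2
net.ipv4.conf.all.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
EOF
}

# Firewall in iptables-restore format: default DROP, keep established flows,
# cap concurrent connections per source, rate-limit new SYNs per source with
# hashlimit (so one flooding address cannot starve everyone else), allow SSH
# at a low per-source rate, and limit ping replies.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -p tcp --syn --dport $WEB_PORT -m connlimit --connlimit-above $CONN_PER_IP --connlimit-mask 32 -j DROP
-A INPUT -p tcp --syn --dport $WEB_PORT -m hashlimit --hashlimit-name web-syn --hashlimit-mode srcip --hashlimit-upto $SYN_RATE --hashlimit-burst 40 -j ACCEPT
-A INPUT -p tcp --syn --dport $WEB_PORT -j DROP
-A INPUT -p tcp --syn --dport $SSH_PORT -m hashlimit --hashlimit-name ssh-syn --hashlimit-mode srcip --hashlimit-upto 3/min --hashlimit-burst 5 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/sec -j ACCEPT
COMMIT
EOF
}

# Apply for real only when APPLY=1 (needs root); otherwise print the
# settings and rules so they can be reviewed first.
apply_all() {
    if [ "${APPLY:-0}" = "1" ]; then
        gen_sysctl | while read -r key eq value; do sysctl -w "$key=$value"; done
        gen_rules | iptables-restore
    else
        gen_sysctl
        echo
        gen_rules
    fi
}

apply_all
```

Run it once without APPLY to read the rule set, then `APPLY=1 ./flood-baseline.sh` as root; put the sysctl lines in /etc/sysctl.conf and save the rules with your distribution's iptables init script so both survive a reboot. The ESTABLISHED,RELATED rule comes first on purpose: the per-source limits only ever see new SYNs, so legitimate long-lived sessions are never dropped by the rate limiter.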
Aug 3, 2009
I want to understand the mechanics of a DDOS attack. I have been doing a lot of reading about them this weekend.
The way I am understanding it, a DDOS attack is done at the network level. It may be requesting that pages from a given website, or websites, are served up, but it basically will affect the entire network. So if 'page display' requests are made to a website(s) that is hosted at ABC Hosting (example only), to the tune of 15GBs, then I have to assume that the network will be terribly degraded. If that is so, wouldn't other servers also get taken out?
I believe the architecture of the internet is something like this (example only):
Gnax --> Planet, SoftLayer, RackSpace, etc.. --> Reseller --> Smaller Reseller --> Me
If that is true, is each level along that route using their own networking system or are they all dependent on ones that major Data Center uses?
View 14 Replies
Jan 12, 2009
My current site has been taken offline since it was being DDoS attacked. I've been with my current hosts for 3 years at least, but with recent events they gave me the option to shift my site to a dedicated server or to move off, basically (the impression I get now, since they seem to be taking longer to reply to my messages). I was being DDoS attacked since I refused to give a copy of my software to a visitor at my forums/site.
I've been looking around site after site and I can't make up my mind who to shift to; also, if that same idiot who DDoS attacked me does it again before I can take any action, I would be in the same situation again.
I have multiple domains and all my sites in total are about 5 GB in size, CPU usage is average and queries roughly about 15/17 at the most. I currently pay £130.00 a year.
I have had a few bad experiences with hosting companies but learnt along the way, and assumed my current hosts would be a reliable place to stay at. My site's been offline since Friday and I would like to get it back up again ASAP. The last thing I want to do is rush into a hosting package and be stuck in a dud situation.
I would also like to take action against the person who has been DDoS attacking me. I managed to get hold of his details and I also have confirmation that they are correct; what can be done legally?
View 14 Replies
Mar 23, 2009
My sites are getting heavy DDoS attacks.
What's the best firewall? I'm currently using the ACH software firewall, but the attacks are getting so bad my sites are going down (Apache is shutting down/locking) and sometimes my server even crashes.
Anyone recommend a better software firewall or a really cheap but good hardware firewall?
Could my host just use a router or something as the firewall or would that not do? I'm looking for something really affordable as a solution.
View 14 Replies
Mar 14, 2008
Some of my websites have been under a DDOS attack for about a month now. Is there any way I can find who is behind this attack and what their motive is?
How much does it cost to launch a DDOS attack and how long do they usually last?
View 14 Replies
Aug 22, 2008
I have a shared host.
My site is under DDoS attacks!
I want to upgrade to a dedicated server.
I need a dedicated server that comes with DDoS protection!
BTW: site visitors, 2500 a day!
View 2 Replies
Nov 24, 2008
How do I protect my web servers from DoS attacks?
View 12 Replies
Jan 24, 2007
I know there is no device that can protect you from DDoS attacks, but I wonder which one is the best to help you reduce the attacks? It might be intelligent enough to "feel" the attacks? Brand names from Cisco, Foundry, Nokia...?
View 2 Replies
Mar 18, 2008
As many of you already know, not everyone has the money to spend on physical firewalls, for example a Cisco firewall. I would like it if everyone could share little tips and tricks towards securing a server that they learned over time. Nothing in big detail. I thought if we all share our ideas, it would help quite a lot of other people. For example, here is a good layout I believe. Please note this is towards a game server setup.
Shorewall Firewall - Block Unneeded Ports + Block Ping
Apache Web server - Installed with "mod_security"
SSH-Faker - Stop those bots from trying to gain access to SSH (guessing passwords)
DDoS Deflate - For me, does not really work. (I know, mainly for port 80 so webhosting) But still have it installed.
Bash Scripts Monitoring # of connections per ip with Netstat.
PSad - Monitoring and Reporting Port Scans (Optional automatic timed block)
VNStat - Monitor Current/Monthly/Yearly Bandwidth (Does not hog resources)
I'm guaranteed to have left a lot out beyond the above. If some of you could also share some simple things you do for securing a server, that would be great.
View 8 Replies
Nov 24, 2008
Hosting providers and DDoS attacks!
Hello guys! I am looking for a reliable hosting provider! I mean the most important thing for me now is to be sure that my future hosting company will manage to protect my websites against DDoS attacks fully! What hosting company, in your opinion, can be considered the most stable hosting solution against DDoS attacks?
View 11 Replies
Apr 2, 2009
How does Hivelocity deal with DDoS attacks?
Do they have any similar protection to ThePlanet or Softlayer?
View 5 Replies
Jul 23, 2009
I believe that my site is being DDoSed, and I'm wondering how I can prevent this from happening.
I'm running CentOS 5.3.
Are there any server-side scripts or PHP scripts that could be used to dynamically block out IPs that are consuming too many resources on the VPS?
View 14 Replies
Jun 12, 2009
Let's say my site was getting DDOS'd. Let's say I suspected I knew the attacker's home IP address. Would there be anything I could do with this information to either end the attacks or penalize the attacker?
View 4 Replies
Jan 12, 2008
Can you restart httpd to get the server online again while you are under a DDoS attack?
The reason for asking is that I was told that when restarting httpd it should start to work again instantly, and so it seems.
But why? Doesn't the attack "continue" after the restart?
View 14 Replies
Apr 21, 2008
I am about to get dedicated server with Gigenet.com.
Is this company good as they say they are?
How stable is it?
Can they really handle multi gig DDOS attacks?
View 6 Replies
May 21, 2007
One of the sites I run is a forum with a political component, and 4-5 times over the last week we've been seeing DoS attacks. They're not terribly sophisticated -- generally 1-3 compromised servers throwing packets my way -- but they're enough to clog my pipes and take my sites down.
What I'd like to do is put a new server up at a data center that's D(D)oS aware that can hopefully respond to these attacks automatically. My current provider has been giving solid support, but the best they can do is null route the affected IP, rather than filtering the incoming attack.
Can y'all name a few providers I should look into? Right now I'm just looking to move 1 box (or maybe a box and a firewall depending on the setup).
View 9 Replies
Nov 15, 2007
I have a problem with a hacker from China. He keeps uploading 4 files to my server:
mail.php
mysql.info.php
footer.txt
header.txt
He did this with 4 different accounts so far.
I have mod security installed with the ruleset from gotroot.com but it doesn't help. Now my questions:
1. Where can I download the mod security core ruleset (is it helpful anyway ?) I already found this page [url] but I do not see a "download here" link anywhere... I found the link that points to [url] but then I do not see the mod sec ruleset anywhere...
2. The rules on gotroot.com have not been updated for a long time. Are they still useful ? What do you think ?
3. Any other sources for good mod sec rules that may resolve my issues with PHP exploits.
View 7 Replies
Dec 26, 2008
Can someone please recommend a hosting company that offers 24 hours toll free phone support with very good DDOS protection services?
Our server has been attacked for the past couple of weeks and our current host can only null route the IP being attacked but cannot offer anything beyond that, which does not help us. We are talking about large 3 Gbps attacks.
View 14 Replies
Apr 19, 2007
For 2 weeks I am under DDoS.
The type of DDoS is the one that comes from DC clients.
I have managed to mitigate the attack and to get everything working ok.
I do not like the solution I came up with, for many reasons, and I found that squid can be good at stopping bad requests like the ones that DC clients send when the attack occurs.
I am kinda new to squid and I do not know all the settings.
I have configured it and everything works great when there is no DDoS.
But when the attack starts, nothing works. Squid does not log anything in access_log and also there is no load, just a lot of connections to squid.
Is there a limit for max concurrent connections in squid?
Or is the idea of using squid as a reverse proxy without caching, just to stop bad requests, a bad one? (I do not need snort-inline, I have some issues with it.)
View 2 Replies
May 9, 2007
Before, when they attacked my site, I couldn't stop them. Now I can, but I have to monitor the server all the time and execute this program:
Code:
#!/bin/bash
# Collect the remote addresses connected to local port 80, counted per address.
# Each line of /root/iplist is "<count> <ip>", sorted by count.
netstat -plan | awk '$4 ~ /:80$/ {print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk1 > /root/iplist
# Limit on the number of simultaneous connections one address may hold
LIMIT=5
while read -r count ip; do
    # Only act on addresses over the limit
    [ "$count" -gt "$LIMIT" ] || continue
    echo "$count connections from $ip... Blocking $ip"
    # Never block one of the server's own addresses
    # (-w matches the whole address, so 1.2.3.4 does not match 1.2.3.45)
    if /sbin/ifconfig | grep -qwF "$ip"; then
        echo " Sorry, the ip $ip cannot be blocked since this is a local ip of the server "
        continue
    fi
    # Skip addresses that already have a DROP rule in the INPUT chain
    if iptables -nL INPUT | grep DROP | grep -qwF "$ip"; then
        echo " Ipaddress $ip is already blocked "
        continue
    fi
    iptables -I INPUT -s "$ip" -j DROP
    # Persist the new rule to /etc/sysconfig/iptables
    /etc/rc.d/init.d/iptables save > /dev/null
done < /root/iplist
It blocks any IP that has more than 5 connections.
My problem now is that when I leave my PC and come back, my server can't respond.
I used this to let it work every minute :
Code:
SHELL=/bin/sh
0-59/1 * * * * root /root/ddos/blockip5.sh >
and put it here /etc/cron.d/anti-ddos.cron
Is there any advice about it, to let it work all the time, not every minute, like every 5 seconds?
I found that when I leave my PC and come back to run this script I can't log in to the server; I have to reboot it and then log in again.
This message come from support :
In the past 12 Hours we have seen a maximum of #35 mbps and an average of 12 mbps of malicious traffic being sent to your server
I am using APF and also I use DDoS-Deflate version 0.6 and evasive mod.
Any more advice? They have kept attacking me for more than 1 month, 24 hours a day.
View 3 Replies
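As an added example (not the poster's script and not from this thread), the following is how I would build the "count connections per IP with netstat and block the worst offenders" tool that this post, the earlier game-server checklist and the CentOS VPS question all describe. It differs from the posted script in four ways a practitioner cares about: it matches only the local port (so 8080 and remote high ports are not mistaken for 80), it strips only the trailing ":port" so IPv6 and IPv4-mapped addresses survive, exemptions are exact-match (no substring accidents), and it runs as a loop every INTERVAL seconds instead of once a minute from cron. The port, limit, interval, exempt list and the netstat sample are constructed assumptions; nothing is applied unless APPLY=1.

```shell
#!/bin/sh
# Added example (not the poster's script): count connections per remote
# address from netstat output, decide which addresses exceed a limit, and
# emit (or with APPLY=1 install) the matching iptables/ip6tables DROP rule.
# WEB_PORT, LIMIT, INTERVAL and EXEMPT are assumptions for illustration.

WEB_PORT="${WEB_PORT:-80}"
LIMIT="${LIMIT:-3}"          # demo value; the poster used 5
INTERVAL="${INTERVAL:-5}"
EXEMPT="${EXEMPT:-127.0.0.1 ::1 192.0.2.10}"   # assumed: the server's own addresses

# Print "<count> <remote-ip>" for each remote address connected to local
# port $1, reading "netstat -tan" style lines on stdin. Strips only the
# trailing ":port" so IPv6 and IPv4-mapped addresses survive; ignores
# LISTEN sockets and other local ports (8080 is not 80).
count_per_ip() {
    awk -v port="$1" '
        ($1 == "tcp" || $1 == "tcp6") && $4 ~ (":" port "$") && $6 != "LISTEN" {
            ip = $5; sub(/:[0-9]+$/, "", ip); n[ip]++
        }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Keep only addresses whose count exceeds the limit; prints the bare address.
over_limit() {
    awk -v limit="$1" '$1 > limit { print $2 }'
}

# Exact-match check against the exempt list (192.0.2.1 does not shield 192.0.2.10).
is_exempt() {
    for e in $EXEMPT; do
        [ "$e" = "$1" ] && return 0
    done
    return 1
}

# Install a DROP rule once (iptables -C reports whether it already exists).
# Without APPLY=1 the command is printed instead of executed.
block_ip() {
    case "$1" in
        *:*) cmd=ip6tables ;;
        *)   cmd=iptables ;;
    esac
    if [ "${APPLY:-0}" = "1" ]; then
        "$cmd" -C INPUT -s "$1" -j DROP 2>/dev/null || "$cmd" -I INPUT -s "$1" -j DROP
    else
        echo "$cmd -I INPUT -s $1 -j DROP"
    fi
}

# One pass: netstat text on stdin, port $1, limit $2.
scan_once() {
    count_per_ip "$1" | over_limit "$2" | while read -r ip; do
        is_exempt "$ip" && continue
        block_ip "$ip"
    done
}

# Constructed sample of "netstat -tan" output (not captured from any real host).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:40001      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:40002      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:40003      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:40004      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.70:5001      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:5555        SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:5556        SYN_RECV
tcp        0      0 192.0.2.10:8080         203.0.113.9:6001        ESTABLISHED
tcp        0      0 192.0.2.10:8080         203.0.113.9:6002        ESTABLISHED
tcp        0      0 192.0.2.10:8080         203.0.113.9:6003        ESTABLISHED
tcp        0      0 192.0.2.10:8080         203.0.113.9:6004        ESTABLISHED
tcp        0      0 192.0.2.10:80           192.0.2.10:50001        ESTABLISHED
tcp        0      0 192.0.2.10:80           192.0.2.10:50002        ESTABLISHED
tcp        0      0 192.0.2.10:80           192.0.2.10:50003        ESTABLISHED
tcp        0      0 192.0.2.10:80           192.0.2.10:50004        ESTABLISHED
tcp6       0      0 2001:db8::1:80          2001:db8::5:4444        ESTABLISHED'

if [ "${DAEMON:-0}" = "1" ]; then
    # Real operation: poll the live socket table every INTERVAL seconds.
    while :; do
        netstat -tan | scan_once "$WEB_PORT" "$LIMIT"
        sleep "$INTERVAL"
    done
else
    # Dry run against the constructed sample: only 198.51.100.7 is over the
    # limit on port 80 and not exempt, so one iptables command is printed.
    printf '%s\n' "$SAMPLE_NETSTAT" | scan_once "$WEB_PORT" "$LIMIT"
fi
```

Run it as `DAEMON=1 APPLY=1 ./connwatch.sh &` (or under a process supervisor) rather than from cron, so a 5-second interval is possible and no overlapping copies start. Two caveats: a connection count says nothing about bandwidth, so a UDP or SYN flood that never completes a handshake will not show up here and needs the kernel/firewall tuning or upstream filtering discussed elsewhere on this page; and the DROP rules are never expired, so pair this with a periodic flush or a timestamped list if you do not want yesterday's NAT gateway blocked forever.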
Jul 7, 2009
My server was hit with a flood recently, to the point where I was unable to log in via SSH. Running the 'netstat' command showed I was getting flooded with thousands of HTTP requests from China/Saudi Arabia/Korea. I installed the APF firewall and added those countries to the deny list.
The next day I was hit from Russia and Romania and some others. By reading some posts on this site, on top of APF I have also installed DoS Deflate. It was working for a couple of hours, but then it stopped working. I could not even log in via SSH. My provider told me that APF was using all of the "conntrack" connections. I have increased conntrack connections to 130,000 (I have 4 GB of RAM on my server). Is that possible? (I have about 300 IP ranges in my APF deny list.)
The next day, I got hit by a different attack: there was 11 Mbps of malicious traffic on average sent to my server. My provider put me behind a firewall to mitigate against that kind of attack.
Currently, I am both behind the hardware firewall and I have APF and DoS Deflate running. However, my server is not accessible.
When I request it, I can log in for a couple of minutes, but then I get kicked out.
View 9 Replies
Jun 22, 2007
I've seen many posts in the past few months about people under attack who were not able to handle things themselves, and who made statements along the lines of DDoS mitigation services that one has to pay for are too expensive.
First, I will state that my company does offer those services, and they are not cheap. We offer DDoS mitigation services for hosting/colocation/internet providers who can then resell it to their customers. I state this so that you know that I do have a bias here, though everything I state below is fact.
1. There are free open source tools that can help. Apache modules, IPTables scripts that extract info from netstat or syslog, and I know one guy who is putting together a kernel module. Most of these can stop small scale attacks, and are quite interesting to set up - if you like the technical end of things.
2. Most botnets have more than enough zombies to overpower #1 above.
3. If you have a 100 Mbps pipe to the internet, it doesn't take 100 Mbps of traffic to saturate the pipe and take it down. Enough small packets can overload a router's ability to process, and 10-20 Mbps of traffic can take out the router.
4. There may be a few ways to deal with this, though the best in my experience has been to place an intrusion prevention system (IPS) in front of the router. I have a number of friends in the industry who work at companies where malware is analyzed, and where they work with law enforcement to try and identify the attacking parties. This can be a lengthy process and will not often get a site / router back up quickly, though can be very nice in the long term.
5. Not all IPS are equal. I'm not going to name brands, but I've seen one $50,000 box that had gigabit links die after about 80 Mbps of DDoS traffic. If you're looking into IPS, make sure you compare what they actually do, and talk to people who have implemented them.
6. The majority of the IPS that we manage for our customers and that we implement when we have a new customer under attack are from TopLayer. There are three reasons for this; Their IPS actually works the way you would expect it to (the gigabit model can handle a gigabit of DDoS traffic); If there is something that the IPS can't block, we call their dev team who will work with us to figure out a way to block it; And they give us the best deals.
7. Implementing an IPS is not cheap. The suggested retail price for a gigabit level IPS is about $80,000 USD. Consider that a hosting/colo/service provider who has a two gigabit pipe will need two of these.
8. Managing an IPS takes a special skill set. The people with this skill set are usually expensive to hire as employees, and while I've known a few service providers where the chief technical guy (often a partner in the company) has been the one to manage the IPS, this guy has a lot of other important things to do, and doesn't usually want to be woken up at 2am every few days when there's a significant alert from the IPS.
9. Contracting out IPS management and monitoring can run anywhere between $1,000 and $2,000 per month depending on service options, response times, and contract length. This will usually include remote monitoring of the IPS from a security operations center (SOC), and a lot of escalation options on how to deal with attacks.
10. If an attack is using mechanisms that can get past IPS protections (I will not list them here to give people ideas on how to get around IPS protections, though if anyone is in the field and would like to talk about this I'd be more than happy to do so), then there will need to be escalation options at additional fees from other companies who specialize in that particular area. If subscribing to managed services such as #9 above, then these options should be listed with pricing knowledge available to the customer beforehand. In fact, the company offering the managed IPS service should manage the interface between their customer and the escalation company (we certainly do, and that's one of the things that our customers have been very happy about).
11. Considering #7 through #10 above; the cost of buying/leasing an IPS, managing the IPS and/or paying service fees, and escalating technical work in the event that there is something outside the scope of what can be mitigated using the standard tools, it is more than reasonable for a service provider to charge a significant amount of money to their customers for protection readiness, attack mitigation, and emergency setup fees in the event that there is a situation where a customer is being attacked, needs the service immediately, and has not been paying for protection.
12. A service provider will turn off (null route) their customer when the impact of an attack affects the rest of their customer base. If an attack takes out a full 2 Gbps pipe that they have for all their customers, and null routing one customer is the way to keep the other 1,000 customers up, then that one customer will be null routed. It is a sound business decision. In cases like this, there are options for how to deal with that customer, and that customer will have to decide if they are willing / able to pay for said options.
View 8 Replies
May 10, 2007
How do I stop the common cpanel/whm "domain mismatch" security warning popup for good WITHOUT the need to install a server hostname certificate and access through that.
Is there a way to save the cert in the browser? I could not find that option and I am using Firefox 2.
View 1 Replies
Apr 16, 2009
I am intending to setup a network as the following:
NOC1:
Cisco/Dlink Managed Router
Firewall with DDoS protection
Server1
Server2
Server3
Backup Data Bank Drive
NOC2:
Cisco/Dlink Managed Router
Firewall with DDoS protection
Server4
Server5
Server6
NOC2 are backup servers. I will need to have whatever is in NOC1 written to NOC2; I think it's called IP mirroring or RAID, not too sure.
My [url] is going to have nameserver1/2 at ZoneEdit. ZoneEdit hosts reliable DNS servers. It also supports something called failover.
So if NOC1 is down, I will switch the IP to NOC2's IPs.
Now, if I face a DDoS attack, I am supposed to switch to a DDoS attack management company (with big bandwidth and blocking). Is it as simple as switching the [url] to the DDoS attack management company using ZoneEdit, and the company will then link back to my NOC1/2?
How does it work?
Is the way I set up the network correct?
View 14 Replies
Aug 1, 2007
This is an instructional overview thread for those developers who are getting into setting up their own server with a LAMP (Linux Apache MySQL PHP) setup. The Linux distro referred to in this thread is a CentOS (Fedora|Red Hat) setup.
Before Anything
- Make sure that your actual RAM is the same amount that is displayed by the server (there could be some BIOS restrictions on RAM so check for that).
Linux OS Installation
- Use a server system for the type of install.
------------------------------
- Set up your partitions with care:
- Make sure that everything other than /swap is an ext3 partition type.
- /swap (usually double the amount of space that your ram has but never larger than 4 gigs.
- /tmp (700meg is ok).
- /boot (100meg is ok).
- / (leave the rest of the available space on the hard drive for this).
------------------------------
- Use GRUB boot loader
- Use DHCP only if your IP address changes due to the network. If not, then assign the IP address of the box.
- Assign the netmask if DHCP is not in use.
------------------------------
- When setting up the packages, select only what you need. Most of the time it's better to just install no packages and then install everything you need by yum (yellowdog update manager). If you do not select any packages, only the 1st CD of the linux install will be needed.
Linux OS Customizing
- Create a new user and provide it a password (with # passwd). Do not create a user with a generic or commonly known names used in any daemon programs (ex. mysql, apache, admin, user, php, postgresql).
- Disable the ROOT login in SSH (this means that when you login using the other user with SSH, you'll have to $ su to the root user).
- Install "Development Tools" with yum using group install if you plan to compile your own apache. If not then install apache with yum install apache.
Apache Settings
- Disable the extensions that you're not using for your website. If the server is only hosting one website, then there is no use for Virtual Hosts.
- Set the ServerLimit value to a suitable value so that users won't get locked out of the website.
- Change the User and Group directives to the newly created user.
- Set Options +Indexes to Options -Indexes so that the contents of directories w/o an index file will not be displayed.
- Change the DocumentRoot setting to the newly created user's home (~) directory. Or if you plan to use the default (/var/www/htdocs or /var/www/html) then assign the permissions of the user to that directory.
- Add apache as a start up program when the operating system boots up (this can be set in /etc/rc.d/local).
- Setup logs accordingly. If you setup image logging and your server has 20+ images per page then your website performance can suffer.
- Setup Error Logs to a suitable level.
- If any web pages are not displaying and the web server appears to be on when accessing it from the localhost (wget http://localhost) then disable or flush the iptables (/usr/sbin/iptables --flush). You should also set this as a start up option for the OS.
- Use mod_rewrite to use modern URLs.
MySQL Settings
- Use --skip-name-resolve.
- Use --skip-bdb (if you're not using it).
- Use --skip-innodb (if you're not using it).
- Set a log for slow queries.
- Set the max_connections to a high value.
- Do not set a user with a wildcard ip-address. Only setup users with a specific ip.
- Use Query Caching for frequently used queries.
PHP Settings
- Disable Magic Quotes.
- Disable Register Globals.
- Disable Short Tags.
- Disable ERROR REPORTING if the website is not in development mode.
- Enable HTTP Only Session Cookies.
- Set Session Cookies to only be cookies (and not URL's).
- If sessions do not work, then set the session save path to a directory where the apache user has access to.
- Use Gzip Compression.
Optimizing Concepts
- Use an opcode cache for PHP (eAccelerator).
- Consider using a static domain for CSS and JS files (this way the same cookies for the website won't be sent on each request).
- If your website uses a lot of CSS and JS files per page, bundle all of them together into one request using mod_rewrite and php [url]
- For Apache, use the lingerD module (this reduces the amount of resources that are used when an apache connection is closed).
Here are some links for optimizing your server build:
- [url]
- [url]
- [url]
View 1 Replies
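The PHP section of the guide above is a list of php.ini directives to flip, and the part that usually goes wrong in practice is editing php.ini by hand twice and ending up with two conflicting lines, or uncommenting one while a later stray copy wins. As an added example (not part of the guide), here is a small POSIX shell tool that sets each directive idempotently (it replaces an existing line, including a ";"-commented default, and appends only when the key is absent), applies the guide's settings, and reads the effective values back. The php.ini excerpt in demo() is constructed for illustration, and the directive names are the standard ones for the PHP 5 era the guide targets (magic_quotes_gpc and register_globals no longer exist in modern PHP).

```shell
#!/bin/sh
# Added example (not from the guide): idempotently set the php.ini directives
# listed in the guide and read them back. The file path and the constructed
# php.ini excerpt in demo() are assumptions for illustration.

# set_ini FILE KEY VALUE: replace an existing "KEY = ..." line (even one
# commented out with ";") with "KEY = VALUE", or append it when absent.
# Only the first matching line is kept, so repeated runs never pile up
# duplicate directives.
set_ini() {
    file="$1" key="$2" value="$3"
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        {
            line = $0
            sub(/^[ \t]*;?[ \t]*/, "", line)      # drop indentation and ";" comment marker
            n = index(line, "=")
            k = (n > 0) ? substr(line, 1, n - 1) : ""
            sub(/[ \t]+$/, "", k)
            if (k == key) {
                if (!done) { print key " = " value; done = 1 }
                next
            }
            print
        }
        END { if (!done) print key " = " value }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_ini FILE KEY: print the effective (uncommented) value of KEY.
get_ini() {
    awk -v key="$2" '
        /^[ \t]*;/ { next }
        {
            n = index($0, "="); if (n == 0) next
            k = substr($0, 1, n - 1); gsub(/[ \t]/, "", k)
            if (k == key) { v = substr($0, n + 1); gsub(/^[ \t]+|[ \t]+$/, "", v); print v }
        }' "$1"
}

# The settings from the PHP section of the guide, as php.ini directives.
harden_php_ini() {
    f="$1"
    set_ini "$f" magic_quotes_gpc Off
    set_ini "$f" register_globals Off
    set_ini "$f" short_open_tag Off
    set_ini "$f" display_errors Off          # "disable error reporting" for production
    set_ini "$f" log_errors On               # keep the errors, just not on screen
    set_ini "$f" session.cookie_httponly 1   # HttpOnly session cookie
    set_ini "$f" session.use_only_cookies 1  # no session id in URLs
    set_ini "$f" session.use_trans_sid 0
    set_ini "$f" zlib.output_compression On  # gzip output
}

# Demo on a constructed php.ini excerpt (not a real distribution file).
demo() {
    f="$(mktemp)"
    cat > "$f" <<'EOF'
[PHP]
register_globals = On
magic_quotes_gpc = On
;display_errors = On
short_open_tag = On
EOF
    harden_php_ini "$f"
    cat "$f"
    rm -f "$f"
}

demo
```

Against a real system run `harden_php_ini /etc/php.ini` (back the file up first, then `php -i | grep -E 'display_errors|register_globals'` to confirm the values PHP actually loaded; a per-directory `php_admin_value` in Apache or a later ini file in the scan directory can still override them). Appended keys land at the end of the file, which is fine for php.ini because its [Section] headers are only organisational, except for the [HOST=] and [PATH=] forms.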
Nov 5, 2009
I am looking for a new supplier for colocation-related stuff like shelves, power cables, tie-wraps, etc. A shop which has most of the items which come in handy when you are in a datacenter.
Location does not really matter if they can ship :-)
Let me know where you get your stuff.
View 8 Replies
Feb 19, 2007
Quote:
Feb 19 15:57:39 server proftpd[1363]: server.com (127.0.0.1[127.0.0.1]) - FTP session closed.
Feb 19 16:06:02 server proftpd[1982]: server.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Feb 19 16:06:02 server proftpd[1982]: server.com (127.0.0.1[127.0.0.1]) - FTP session closed.
Feb 19 16:14:24 server proftpd[2471]: server.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Feb 19 16:14:24 server proftpd[2471]: server.com (127.0.0.1[127.0.0.1]) - FTP session closed.
Feb 19 16:22:46 server proftpd[3062]: server.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Feb 19 16:22:46 server proftpd[3062]: server.com (127.0.0.1[127.0.0.1]) - FTP session closed.
Feb 19 16:31:09 server proftpd[3696]: server.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Feb 19 16:31:09 server proftpd[3696]: server.com (127.0.0.1[127.0.0.1]) - FTP session closed.
Feb 19 16:39:31 server proftpd[4185]: server.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Feb 19 16:39:31 server proftpd[4185]: server.com (127.0.0.1[127.0.0.1]) - FTP session closed.
Feb 19 16:47:53 server proftpd[4946]: server.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Feb 19 16:47:53 server proftpd[4946]: server.com (127.0.0.1[127.0.0.1]) - FTP session closed.
Feb 19 16:56:16 server proftpd[5495]: server.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Feb 19 16:56:16 server proftpd[5495]: server.com (127.0.0.1[127.0.0.1]) - FTP session closed.
Feb 19 17:04:38 server proftpd[6206]: server.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Feb 19 17:04:38 server proftpd[6206]: server.com (127.0.0.1[127.0.0.1]) - FTP session closed.
Feb 19 17:13:00 server proftpd[6661]: server.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Feb 19 17:13:00 server proftpd[6661]: server.com (127.0.0.1[127.0.0.1]) - FTP session closed.
Feb 19 17:21:23 server proftpd[7225]: server.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Feb 19 17:21:23 server proftpd[7225]: server.com (127.0.0.1[127.0.0.1]) - FTP session closed.
I see over a few hundred of these lines in /var/log/messages. The timestamp is exactly the same for every 2 lines (proftpd session opened and closed). It's occurring every hour of the day. Is someone attacking the FTP daemon or something?
View 3 Replies
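The question above is really "is this cadence a scanner or something scheduled?", and the log itself already carries the answer: the interval between openings and the source address. As an added example (not from the thread), here is a small shell/awk triage script that computes, per client address, the time between successive "FTP session opened" lines and labels the pattern. A steady interval from one source is the signature of a scheduled check (a service monitor polling the daemon); a burst of openings seconds apart from a remote address looks like a scripted login attempt. The sample log lines are constructed in the format shown in the post (the 127.0.0.1 entries mirror its timestamps, the 203.0.113.4 burst is invented), and the 5-second burst and 2-second jitter thresholds are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): triage repeated "FTP session opened"
# lines by the interval between openings per client address. Thresholds
# and the sample log are assumptions for illustration.

BURST_SECS="${BURST_SECS:-5}"   # assumed: intervals below this count as a burst
JITTER_SECS="${JITTER_SECS:-2}" # assumed: max spread still considered a steady cadence

# Print "<client-ip> <seconds since that client's previous opening>" for
# every opening after the first, reading proftpd syslog lines on stdin.
# Timestamps are "Mon DD HH:MM:SS" without a year; same-day logs are assumed.
open_intervals() {
    awk '/FTP session opened/ {
        split($3, t, ":")
        now = t[1] * 3600 + t[2] * 60 + t[3]
        # the client address is the bracketed token just before ")",
        # not the pid in "proftpd[1982]"
        if (match($0, /\[[0-9A-Fa-f.:]+\]\)/)) {
            ip = substr($0, RSTART + 1, RLENGTH - 3)
            if (ip in last) print ip, now - last[ip]
            last[ip] = now
        }
    }'
}

# Summarise per client: "<ip> <sessions> <min-interval> <max-interval> <verdict>".
# bursty   = at least one opening within BURST_SECS of the previous one
# regular  = every interval within JITTER_SECS of every other (scheduled check)
# irregular = anything else (a human, or a slow scanner)
classify() {
    awk -v burst="$BURST_SECS" -v jitter="$JITTER_SECS" '
        {
            ip = $1; d = $2; n[ip]++
            if (!(ip in mn) || d < mn[ip]) mn[ip] = d
            if (!(ip in mx) || d > mx[ip]) mx[ip] = d
        }
        END {
            for (ip in n) {
                if (mn[ip] < burst) v = "bursty"
                else if (mx[ip] - mn[ip] <= jitter) v = "regular"
                else v = "irregular"
                printf "%s %d %d %d %s\n", ip, n[ip] + 1, mn[ip], mx[ip], v
            }
        }' | sort
}

# Constructed sample in the format shown in the post (not the poster's lines).
SAMPLE_LOG='Feb 19 16:06:02 server proftpd[1982]: server.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Feb 19 16:06:02 server proftpd[1982]: server.com (127.0.0.1[127.0.0.1]) - FTP session closed.
Feb 19 16:10:00 server proftpd[2100]: server.com (203.0.113.4[203.0.113.4]) - FTP session opened.
Feb 19 16:10:01 server proftpd[2101]: server.com (203.0.113.4[203.0.113.4]) - FTP session opened.
Feb 19 16:10:01 server proftpd[2102]: server.com (203.0.113.4[203.0.113.4]) - FTP session opened.
Feb 19 16:10:03 server proftpd[2103]: server.com (203.0.113.4[203.0.113.4]) - FTP session opened.
Feb 19 16:14:24 server proftpd[2471]: server.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Feb 19 16:14:24 server proftpd[2471]: server.com (127.0.0.1[127.0.0.1]) - FTP session closed.
Feb 19 16:22:46 server proftpd[3062]: server.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Feb 19 16:22:46 server proftpd[3062]: server.com (127.0.0.1[127.0.0.1]) - FTP session closed.
Feb 19 16:31:09 server proftpd[3696]: server.com (127.0.0.1[127.0.0.1]) - FTP session opened.
Feb 19 16:31:09 server proftpd[3696]: server.com (127.0.0.1[127.0.0.1]) - FTP session closed.'

# Stand-alone run on the sample: 127.0.0.1 opens every 502-503 s (regular),
# 203.0.113.4 opens four times within three seconds (bursty).
printf '%s\n' "$SAMPLE_LOG" | open_intervals | classify
```

On a live box run `open_intervals < /var/log/messages | classify`. The sample's 127.0.0.1 cadence reproduces the post's own timestamps (8 minutes 22 seconds apart, from the loopback address, each session closed in the same second), which is the shape a local health check produces rather than a remote brute-force run; if the source were a remote address with a "bursty" verdict, the next step would be the auth failure lines from the same pid, and a ban rule for that address.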