
View Full Version : Server down at burst.net
chinesehost 07-23-2001, 06:16 AM I have had a server with burst.net since this month. But it always goes down for the same reason; it goes down almost every 2 days (it is down again as I am writing now). And it usually takes about half to 1 day for burst.net to reboot it. The reason is that someone sends hundreds of http requests to the server at once, which causes it to run out of memory. Since burst.net still can't solve the problem after more than 2 weeks, I need your help. Does anyone know how to find out who sent the requests and how to block their requests?!?
Thanks
node9 07-23-2001, 10:17 AM seems like you are being dos'ed
What kind of website do you run?
i'd suggest shutting down your webserver (httpd) if this keeps on happening, have burst.net assign you new ips.
to shut down your webserver, type these commands if you can ever get in your server.
type this:
killall -9 httpd
/sbin/fuser -v 80/tcp
Then if you still see processes named "httpd" after fuser..
then kill the pids.
but killall -9 httpd should do it
one final thing, how are you positive someone is sending mass amounts of http requests causing your server to go down? shouldn't it already be limited in httpd.conf?
reply back
node9 07-23-2001, 10:18 AM Oh, and if you suspect they are dos'ing the straight domain (which dns'es to one of your server ips)
it's always funny to temporarily change yourdomain.com's dns to 127.0.0.1 or if fbi.gov :D
just till things cool down
=P
davidb 07-23-2001, 10:21 AM If that happens again while you are on the server, and you do not have apache with tcp wrappers, make sure to deny him at the firewall. Denying him with apache will slow down the attack, but still will be lagged.
slade 07-23-2001, 10:52 AM Originally posted by node9
Oh, and if you suspect they are dos'ing the straight domain (which dns'es to one of your server ips)
it's always funny to temporarily change yourdomain.com's dns to 127.0.0.1 or if fbi.gov :D
just till things cool down
=P
Oh that is so evil, I like it :laugh: :laugh: :laugh:
kunal 07-23-2001, 11:09 AM lol.. that's a good idea, one of the best I've heard so far ;)
on a more serious note, check the domain's logs to see which ip is sending those requests.. in turn deny all connections from that ip...
pretty easy eh?
node9 07-23-2001, 11:57 AM yes
However, if it is more than one ip, like a syn flood to port 80, you are screwed. <-- this is where the changing the domain's dns to fbi.gov or anything would come in.
If it is just one IP, check the access_log file and get the IP
when you get the IP type this
ipchains -A input -s 123.123.123.123 -d 0/0 80 -p tcp -j REJECT
get the IP, and dns it. If you think it's a dial up account, and it's a dynamic ip, you might want to deny the entire C class. Can't be losing too much.
e.g. if the ip is 64.19.84.87
you deny the entire c class, 64.19.84.*
You do this by typing:
ipchains -A input -s 64.19.84.0/24 -d 0/0 80 -p tcp -j REJECT
note: you must be root when typing these commands.
for the future, you might want to install iplog on the box, so you can at least see what the f*** is going on.
lol
You can get iplog here:
http://freshmeat.net/redir/iplog/4532/url_tgz/iplog-2.2.3.tar.gz
Just cd /root
wget http://freshmeat.net/redir/iplog/4532/url_tgz/iplog-2.2.3.tar.gz
tar xzvf iplog-2.2.3.tar.gz
cd iplog-2.2.3
./configure
make
make install
If it asks you to install libpcap
run cd ..
wget http://www.tcpdump.org/release/libpcap-0.6.2.tar.gz
tar xzvf libpcap-0.6.2.tar.gz
cd into the dir
./configure && make && make install
cd ../iplog-2.2.3
./configure && make && make install
then run
/usr/local/sbin/iplog --udp=true --icmp=true -zxnpbSPty -w -l /var/log/iplog.log
then tail -f /var/log/iplog.log
-node
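Both kunal's and node9's advice above come down to the same step: read the access_log, find which source sent the burst of requests, and decide whether to block one host or its whole /24. The script below is an added example (not code from the thread) that does that over Apache common-log-format lines: it counts requests per source per 60-second window, reports sources over a threshold, and rolls them up into class C blocks. The log lines in `sample_log()` are constructed for the demonstration; the threshold of 200 mirrors the "more than 200 requests at once" figure from the original post.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache common log format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')

def parse_line(line):
    """Return (ip, datetime, request, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, req, status, _size = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, req, int(status)

def find_flooders(lines, window=60, threshold=200):
    """Map each ip to its peak request count in any `window`-second bucket,
    keeping only ips whose peak reaches `threshold`."""
    buckets = defaultdict(Counter)  # bucket index -> Counter of ip
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip garbage lines rather than crash on a hostile log
        ip, when, _, _ = rec
        buckets[int(when.timestamp()) // window][ip] += 1
    peak = Counter()
    for counter in buckets.values():
        for ip, n in counter.items():
            peak[ip] = max(peak[ip], n)
    return {ip: n for ip, n in peak.items() if n >= threshold}

def by_class_c(flooders):
    """Roll offending ips up into /24 blocks, as node9 suggests for dial-up ranges."""
    nets = Counter()
    for ip, n in flooders.items():
        nets[ip.rsplit(".", 1)[0] + ".0/24"] += n
    return dict(nets)

def ipchains_rules(flooders):
    """Emit the REJECT rule from the thread for each offending ip (root would run these)."""
    return [f"ipchains -A input -s {ip} -d 0/0 80 -p tcp -j REJECT" for ip in sorted(flooders)]

def sample_log():
    """Constructed sample: one host fires 250 requests within a minute, another browses normally."""
    lines = [f'64.19.84.87 - - [23/Jul/2001:06:10:{i % 60:02d} +0000] "GET /index.html HTTP/1.0" 200 1234'
             for i in range(250)]
    lines += [f'10.0.0.5 - - [23/Jul/2001:06:10:{s:02d} +0000] "GET /about.html HTTP/1.0" 200 512'
              for s in (5, 20, 40)]
    return lines

if __name__ == "__main__":
    hits = find_flooders(sample_log())
    print(hits, by_class_c(hits), ipchains_rules(hits), sep="\n")
```

If the offending traffic comes from many unrelated /24s rather than one, `by_class_c` will show that too, which is the case node9 warns cannot be handled by per-ip rules.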
chinesehost 07-23-2001, 12:37 PM Thank you for all your replies.
The server was up again a few hours ago. I use my server to host some sites (about 100). Until now I don't know who/which ip sent the requests to my server, just waiting for burst.net to find it out. At the beginning, burst.net told me that the server was down because there were more than 200 http requests at once on the demo account (set up in WHM) of the server. Then I deleted the demo account (I forgot to see the log), thinking the problem would be solved. However, he changed his target, and sent requests to other accounts on the server, and caused it to go down. I am still finding out which accounts were attacked by him...maybe burst.net will find out very soon....
SuperDon 07-23-2001, 03:36 PM Hi,
What is being dos'ed??
cbaker17 07-23-2001, 03:58 PM DOS stands for denial of service attack. Basically, to put it simply, when someone sends a packet to your machine your machine sends a packet back; when someone starts sending a whole bunch of packets at the same time your server has a hard time processing the requests in a timely manner, which can result in it not being able to respond to legitimate requests for information.
sbrad 07-23-2001, 04:10 PM In case anyone feels the fbi might actually do something about these attacks, here's the place to report them:
http://www.nipc.gov/incident/cirr.htm