Web Hosting Talk

DDOS Attack? Please Help


LCHwebHost
09-02-2003, 08:55 AM
Hi,
A user keeps running the following:

6-0 2842 0/16/16 L 0.30 1681 0 0.0 0.05 0.05 38.114.3.126 (unavailable) GET /search.php?keywords=used%20car%20prices HTTP/1.0
7-0 2843 0/18/18 L 0.05 1703 0 0.0 0.24 0.24 38.114.3.126 (unavailable) GET /search.php?keywords=fantasy%20football HTTP/1.0
8-0 2844 0/1/1 L 0.00 1841 0 0.0 0.00 0.00 38.114.3.126 (unavailable) GET /search.php?keywords=ask%20jeeves HTTP/1.0
9-0 2845 0/11/11 L 0.14 1716 0 0.0 0.52 0.52 38.114.3.126 (unavailable) GET /search.php?keywords=online%20lottery HTTP/1.0
10-0 2846 0/1/1 L 0.00 1841 0 0.0 0.01 0.01 38.114.3.126 (unavailable) GET /search.php?keywords=recreation HTTP/1.0
11-0 2847 0/2/2 L 0.01 1802 0 0.0 0.52 0.52 38.114.3.126

It seems to be some kind of script that just enters random keywords and floods the server. How do I stop that? I already suspended the site and I ran this

iptables -A INPUT -s 38.114.3.126 -j DROP (that command is correct right?)

However I don't know if it blocked the IP or not. Can someone please help me stop him - thanks!

rghf
09-02-2003, 09:00 AM
OK you are on the right lines. Personally I would do

iptables -A INPUT -s 38.114.3.0/32 -d 0/0 -j DROP

To see if its working do

iptables -L -v

Look at the drop column

Rus

LCHwebHost
09-02-2003, 09:02 AM
Thanks for your reply. It says this:

Chain INPUT (policy ACCEPT 80002 packets, 16M bytes)
pkts bytes target prot opt in out source destination
1364 83116 DROP all -- eth0 any 38.114.3.126 anywhere
0 0 DROP all -- eth0 any 38.114.3.126 anywhere
0 0 all -- any any 38.114.3.126 anywhere
0 0 REJECT all -- any any 38.114.3.126 anywhere reject-with icmp-port-unreachable
0 0 DROP all -- any any 38.114.3.126 anywhere

I guess it is blocked right?

rghf
09-02-2003, 09:04 AM
1364 83116 DROP all -- eth0 any 38.114.3.126 anywhere

Yeah, that is dropping connections to them

Might be also worth reporting it to abuse@cogentco.com

Rus
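Reading the counters by eye is fine for one address; the same check as a script is below. This is an added example, not something posted in the thread. It embeds the `iptables -L INPUT -v` listing quoted above as a constructed sample and defines sh/awk functions that sum the pkts counter of every DROP rule for a given source and count how many rules mention that source at all, which also makes the five overlapping rules in the listing visible.

```shell
#!/bin/sh
# Added example: verify from an "iptables -L INPUT -v" listing that a DROP rule
# for a given source is actually catching packets.
# SAMPLE_RULES is a constructed copy of the listing quoted in this thread.
SAMPLE_RULES='Chain INPUT (policy ACCEPT 80002 packets, 16M bytes)
 pkts bytes target prot opt in out source destination
 1364 83116 DROP all -- eth0 any 38.114.3.126 anywhere
 0 0 DROP all -- eth0 any 38.114.3.126 anywhere
 0 0 all -- any any 38.114.3.126 anywhere
 0 0 REJECT all -- any any 38.114.3.126 anywhere reject-with icmp-port-unreachable
 0 0 DROP all -- any any 38.114.3.126 anywhere'

# dropped_packets SOURCE LISTING
# Prints the summed pkts counter of every DROP rule whose source column is SOURCE.
# Column layout of "iptables -L -v": pkts bytes target prot opt in out source destination
dropped_packets() {
    printf '%s\n' "$2" | awk -v src="$1" '
        $3 == "DROP" && $8 == src { total += $1 }
        END { print total + 0 }'
}

# rules_for_source SOURCE LISTING
# Prints how many rules in the listing name SOURCE in any column. More than one
# usually means the same block was added repeatedly and the chain needs tidying.
rules_for_source() {
    printf '%s\n' "$2" | awk -v src="$1" '
        /^Chain / || $1 == "pkts" { next }
        { for (i = 1; i <= NF; i++) if ($i == src) { n++; break } }
        END { print n + 0 }'
}

# check_block SOURCE LISTING
# Human-readable verdict; exit 0 when at least one packet from SOURCE was dropped.
check_block() {
    pkts=$(dropped_packets "$1" "$2")
    rules=$(rules_for_source "$1" "$2")
    if [ "$pkts" -gt 0 ]; then
        echo "$1: blocked, $pkts packets dropped across $rules rule(s)"
        return 0
    fi
    echo "$1: no packets dropped yet ($rules rule(s) present)"
    return 1
}

check_block 38.114.3.126 "$SAMPLE_RULES"
```

On a live box the listing comes from the firewall itself: `check_block 38.114.3.126 "$(iptables -L INPUT -v -n)"`. The `-n` matters, since without it iptables may print a resolved hostname in the source column and the literal IP would not match.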

dan_erat
09-02-2003, 04:11 PM
jvds: Do you mean /24? 38.114.3.0/32 isn't going to match the traffic that the original poster wanted to block.

rghf
09-02-2003, 06:05 PM
Yeah I do... thanks for the heads-up. Tired when posted :)

Rus

dan_erat
09-02-2003, 07:57 PM
Since this is PSI, home of the pink contract, you might be better off just using 38.0.0.0/8. :)
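dan_erat's correction is worth checking mechanically before a rule goes in: a /32 is a single address, so 38.114.3.0/32 matches only 38.114.3.0 and never 38.114.3.126. The block below is an added example, not posted in the thread. It is a pure POSIX sh prefix-containment test (no external tools), run against the three prefixes mentioned here.

```shell
#!/bin/sh
# Added example: test which prefix actually covers an address before it goes
# into an "iptables -s" rule. Pure POSIX sh arithmetic, no external tools.

# ip_to_int A.B.C.D
# Prints the dotted quad as a 32-bit unsigned integer; exit status 2 if the
# argument is not a valid IPv4 address.
ip_to_int() {
    case $1 in
        *.*.*.*) ;;
        *) return 2 ;;
    esac
    o1=${1%%.*}; rest=${1#*.}
    o2=${rest%%.*}; rest=${rest#*.}
    o3=${rest%%.*}; o4=${rest#*.}
    for oct in "$o1" "$o2" "$o3" "$o4"; do
        case $oct in ''|*[!0-9]*) return 2 ;; esac
        [ "$oct" -le 255 ] || return 2
    done
    echo $(( ($o1 << 24) | ($o2 << 16) | ($o3 << 8) | $o4 ))
}

# cidr_matches IP NETWORK/BITS
# Exit 0 if IP lies inside the prefix, 1 if it does not, 2 if either argument
# is malformed.
cidr_matches() {
    case $2 in
        */*) ;;
        *) return 2 ;;
    esac
    cm_bits=${2#*/}
    case $cm_bits in ''|*[!0-9]*) return 2 ;; esac
    [ "$cm_bits" -le 32 ] || return 2
    cm_ip=$(ip_to_int "$1") || return 2
    cm_net=$(ip_to_int "${2%/*}") || return 2
    if [ "$cm_bits" -eq 0 ]; then
        cm_mask=0
    else
        # 32-bit mask with the top cm_bits bits set, e.g. /24 -> 0xFFFFFF00
        cm_mask=$(( (0xFFFFFFFF << (32 - cm_bits)) & 0xFFFFFFFF ))
    fi
    [ $(( cm_ip & cm_mask )) -eq $(( cm_net & cm_mask )) ]
}

# report IP PREFIX...
# One line per prefix saying whether it covers IP.
report() {
    addr=$1
    shift
    for prefix in "$@"; do
        if cidr_matches "$addr" "$prefix"; then
            echo "$prefix covers $addr"
        else
            echo "$prefix does NOT cover $addr"
        fi
    done
}

# The three prefixes discussed in the thread, checked against the flooding address.
report 38.114.3.126 38.114.3.0/32 38.114.3.0/24 38.0.0.0/8
```

Run as-is it reports that /32 does not cover the address while /24 and /8 do; the same function can be dropped into a wrapper that refuses to add a rule whose prefix does not cover the address you meant to block.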