08-27-2009, 11:08 AM #1 Web Hosting Evangelist
Join Date: Sep 2008 | Location: NewYork | Posts: 474
Ddos Attack, csf: DENY_IP_LIMIT (100)
Hello,
I am getting DDoSed, and it is still going on.
I ran this command:
Code:
netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk 1
Code:1 0.0.0.0 1 117.200.2.199 1 122.162.130.104 1 125.167.58.26 1 15.211.169.107 1 188.132.103.230 1 188.132.21.26 1 188.132.22.142 1 188.132.4.161 1 188.132.75.225 1 188.161.128.220 1 188.161.206.221 1 188.161.227.248 1 188.161.238.75 1 188.161.241.55 1 188.248.152.85 1 188.248.57.193 1 188.48.197.219 1 188.48.22.85 1 188.48.27.17 1 188.48.31.66 1 188.48.67.229 1 188.49.123.17 1 188.49.57.18 1 188.49.75.117 1 188.50.109.49 1 188.50.35.167 1 188.50.48.35 1 188.50.65.122 1 188.50.65.154 1 188.50.83.118 1 188.50.8.87 1 188.51.14.108 1 188.51.40.78 1 188.51.88.139 1 188.51.97.124 1 188.52.100.22 1 188.52.10.179 1 188.52.111.76 1 188.52.26.214 1 188.52.6.138 1 188.52.75.180 1 188.52.82.17 1 195.189.143.55 1 195.229.241.173 1 196.1.219.162 1 196.12.236.112 1 196.12.236.19 1 196.12.242.147 1 196.1.232.104 1 196.205.228.10 1 196.205.232.17 1 196.206.185.120 1 196.206.203.185 1 196.206.224.61 1 196.217.31.89 1 196.217.36.63 1 196.217.64.169 1 198.36.32.137 1 212.11.160.150 1 212.116.219.110 1 212.118.119.113 1 212.118.123.249 1 212.118.140.227 1 212.118.140.230 1 212.118.140.232 1 212.118.140.233 1 212.118.142.228 1 212.118.142.229 1 212.118.142.74 1 212.215.152.110 1 212.62.97.20 1 213.166.134.177 1 213.178.224.168 1 213.188.81.213 1 213.236.48.96 1 213.236.52.108 1 213.6.122.163 1 213.6.210.170 1 213.6.220.7 1 213.6.255.139 1 213.6.68.124 1 213.6.72.127 1 213.6.75.85 1 213.6.80.51 1 213.6.86.21 1 213.6.93.125 1 217.194.135.6 1 41.100.148.66 1 41.102.27.164 1 41.102.41.67 1 41.103.168.124 1 41.105.114.219 1 41.105.22.190 1 41.130.31.148 1 41.196.224.192 1 41.196.246.235 1 41.196.80.60 1 41.201.168.163 1 41.201.39.231 1 41.205.120.252 1 41.209.112.162 1 41.209.113.50 1 41.209.75.253 1 41.214.174.91 1 41.214.179.216 1 41.218.14.148 1 41.218.31.180 1 41.224.99.190 1 41.225.176.33 1 41.226.206.215 1 41.232.118.182 1 41.232.169.113 1 41.233.198.253 1 41.233.6.245 1 41.234.145.30 1 41.234.229.84 1 41.235.101.206 1 41.235.1.210 1 41.235.239.121 1 41.236.240.163 1 41.237.169.19 
1 41.237.37.240 1 41.238.151.79 1 41.238.61.158 1 41.238.69.232 1 41.249.47.233 1 41.250.224.66 1 41.251.101.54 1 41.251.93.115 1 41.252.204.9 1 41.252.232.134 1 41.252.250.121 1 41.254.1.138 1 41.254.2.29 1 41.254.2.53 1 41.98.31.152 1 59.126.52.78 1 62.117.46.221 1 62.120.149.250 1 62.120.190.180 1 62.120.220.195 1 62.120.234.11 1 62.120.254.167 1 62.251.188.72 1 62.61.164.141 1 62.61.164.158 1 62.61.164.217 1 62.90.200.246 1 65.55.106.139 1 65.55.107.181 1 72.30.81.187 1 77.30.66.187 1 77.30.70.41 1 77.31.0.1 1 77.31.152.139 1 77.31.16.15 1 77.31.64.205 1 77.31.70.100 1 77.31.72.64 1 77.31.75.242 1 77.42.154.106 1 77.64.45.194 1 78.101.112.34 1 78.101.51.18 1 78.101.71.233 1 78.93.103.99 1 78.93.109.250 1 78.93.111.156 1 78.93.76.211 1 78.93.90.154 1 79.172.131.31 1 79.172.136.197 1 79.172.163.169 1 79.172.167.93 1 79.173.236.209 1 79.181.219.81 1 79.183.133.165 1 81.192.12.116 1 81.192.174.189 1 81.192.184.160 1 82.116.136.254 1 82.167.27.76 1 82.167.28.42 1 82.178.171.25 1 82.198.27.70 1 82.201.215.88 1 83.244.109.254 1 84.202.39.231 1 84.22.224.100 1 85.195.186.69 1 86.108.109.26 1 86.108.30.93 1 86.60.31.109 1 86.60.37.194 1 86.60.45.129 1 86.60.51.125 1 86.60.78.130 1 86.60.88.75 1 86.62.20.230 1 86.96.226.87 1 86.96.226.88 1 86.96.226.89 1 86.96.226.93 1 86.96.227.88 1 86.96.227.89 1 86.96.227.93 1 86.96.228.84 1 86.96.228.87 1 86.96.229.85 1 86.96.229.88 1 87.101.138.187 1 87.109.135.17 1 87.109.137.163 1 87.109.139.93 1 87.109.174.97 1 87.109.215.159 1 87.109.232.8 1 87.109.243.161 1 89.108.9.128 1 89.203.6.108 1 89.5.114.71 1 89.5.41.241 1 89.5.5.30 1 90.206.42.226 1 90.233.139.102 1 91.142.51.35 1 91.142.51.36 1 91.142.51.37 1 91.142.51.38 1 91.142.51.41 1 91.142.57.220 1 91.142.61.244 1 91.144.1.38 1 91.186.244.49 1 92.132.174.161 1 92.241.62.102 1 92.48.38.245 1 92.48.44.25 1 92.48.50.70 1 92.48.6.136 1 93.109.62.199 1 93.191.178.139 1 93.98.2.44 1 93.98.25.240 1 93.98.71.218 1 94.249.3.101 1 94.249.3.97 1 94.79.197.40 1 94.79.205.121 1 94.96.102.58 
1 94.96.123.95 1 94.96.143.63 1 94.96.191.167 1 94.96.240.20 1 94.96.54.48 1 94.96.64.48 1 94.96.74.12 1 94.96.86.41 1 94.97.100.232 1 94.97.104.68 1 94.97.120.67 1 94.98.100.121 1 94.98.25.225 1 94.98.62.119 1 94.98.98.44 1 94.99.5.231 1 95.170.210.4 2 188.132.28.43 2 188.161.147.63 2 188.249.47.106 2 188.48.14.45 2 188.49.58.253 2 188.50.30.140 2 188.50.36.177 2 188.51.43.254 2 188.51.70.1 2 188.52.13.180 2 188.52.94.134 2 196.1.252.226 2 196.217.36.177 2 212.118.140.228 2 212.118.142.77 2 212.119.90.10 2 212.162.130.92 2 213.6.225.237 2 213.6.228.92 2 213.6.237.103 2 213.6.245.124 2 213.6.66.136 2 213.6.69.114 2 213.6.69.76 2 213.6.82.26 2 41.200.187.109 2 41.205.107.174 2 41.209.72.188 2 41.232.227.176 2 41.238.59.29 2 41.250.200.137 2 41.254.0.246 2 62.120.225.3 2 62.120.56.243 2 62.120.93.65 2 77.237.36.246 2 77.30.14.92 2 77.30.57.30 2 77.31.103.136 2 77.31.83.194 2 78.93.121.248 2 78.93.91.163 2 79.172.157.141 2 79.214.181.105 2 80.197.107.206 2 82.114.160.34 2 83.136.61.188 2 84.22.225.219 2 84.22.245.194 2 84.235.73.20 2 84.235.73.21 2 84.235.75.19 2 86.60.86.187 2 86.96.226.90 2 86.96.227.86 2 86.96.229.84 2 86.96.229.90 2 87.109.167.250 2 87.109.240.182 2 87.109.66.70 2 87.109.68.2 2 89.108.18.163 2 89.5.15.183 2 91.142.59.36 2 93.186.20.122 2 94.249.70.79 2 94.96.227.186 2 94.96.242.104 2 94.98.119.33 2 94.98.92.32 2 94.99.99.87 2 95.84.72.50 3 188.132.30.91 3 188.161.228.99 3 212.116.219.112 3 213.6.68.104 3 218.128.117.54 3 41.209.112.78 3 77.31.22.158 3 77.64.120.158 3 77.64.32.13 3 78.110.3.32 3 82.114.160.31 3 82.114.160.36 3 84.235.75.20 3 86.108.50.89 3 86.60.66.28 3 86.60.72.190 3 86.62.31.90 3 86.96.227.91 3 86.96.228.93 3 88.213.26.36 3 88.213.58.3 3 94.96.181.217 3 94.96.23.116 4 188.51.74.239 4 193.188.105.20 4 41.235.235.177 4 41.238.14.8 4 41.249.114.191 4 41.97.32.176 4 72.30.79.92 4 77.30.57.33 4 77.30.58.102 4 79.172.181.100 4 81.192.180.213 4 84.235.75.18 4 87.109.158.159 4 94.97.2.228 4 94.98.117.54 4 94.99.25.138 4 94.99.89.43 5 
41.130.9.161 5 41.201.195.150 5 86.60.64.34 6 196.217.97.190 6 82.194.62.200 11 77.30.126.101
I installed these 2:
Code:
cd /usr/local; pwd
wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh
./install.sh
nano /usr/local/ddos/ddos.conf
##### How many connections define a bad IP? Indicate that below.
NO_OF_CONNECTIONS=50
Code:
root@server [/home/]# /usr/sbin/csf -d 94.249.44.40
csf: DENY_IP_LIMIT (100), the following IP's were removed from /etc/csf/csf.deny: 41.205.107.174
Adding 94.249.44.40 to csf.deny and iptables DROP...
DROP  all opt -- in !lo out *   94.249.44.40  -> 0.0.0.0/0
DROP  all opt -- in * out !lo   0.0.0.0/0     -> 94.249.44.40
root@server [/home/]#
-
08-27-2009, 11:15 AM #2 Web Hosting Evangelist
Join Date: Jun 2006 | Location: Cluj Napoca | Posts: 469
Well, it's useless to add IPs to the CSF deny list. You can easily add them to iptables directly, but if this is a real DDoS you will end up adding too many IPs and still not solving your issue. Does that DDoS lead to too many Apache children that eat all your memory?
Also, if you know for sure this is a real DDoS, ignore all the advice that will follow about mod_dosevasive and other scripts that won't help in that case.
-
08-27-2009, 11:20 AM #3 Web Hosting Evangelist
Join Date: Sep 2008 | Location: NewYork | Posts: 474
Hello Christi4n, I searched before I wrote this topic and I found your advice in another topic. What I am doing now is what you advised before in some old topic, in this comment:
Code:
* install and configure CSF - check the config file carefully
* run the netstat command above to see if a few IPs are the main source of attack and block with "csf -d IP" as above
* tweak kernel constants such as net.ipv4.tcp_syncookies, net.ipv4.tcp_max_syn_backlog, and net.ipv4.tcp_synack_retries
* reduce Apache timeout (/etc/httpd/conf/httpd.conf "Timeout 100") to harden against slowloris
And the server is good, it can handle it I think, because there is just 1 website, the server is dedicated, not a VPS, and the load there is 2.5%. So what I am looking for is: is there any method for how to complete this step?
Code:
tweak kernel constants such as net.ipv4.tcp_syncookies, net.ipv4.tcp_max_syn_backlog, and net.ipv4.tcp_synack_retries
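As an added example (not from the thread, and not part of csf or the ddos script), here is one way to carry out the "tweak kernel constants" step: a POSIX shell script that renders a sysctl fragment for the three constants named in the post, compares the running kernel's values against it, and installs it. The values 4096 and 2, and the file name /etc/sysctl.d/99-syn-hardening.conf, are my assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): render a sysctl fragment for the three
# SYN-flood related constants named in the post, check the running kernel
# against it, and install it. The chosen values are illustrative assumptions.

render_syn_hardening() {
    cat <<'EOF'
# SYN cookies: when the SYN backlog fills, answer with a cookie instead of
# allocating state, so a SYN flood cannot exhaust the half-open table.
net.ipv4.tcp_syncookies = 1
# Larger queue of half-open connections before cookies kick in (assumed value).
net.ipv4.tcp_max_syn_backlog = 4096
# Fewer SYN-ACK retransmissions: a half-open entry created by a spoofed SYN
# is dropped sooner (kernel default is 5; 2 is an assumed value).
net.ipv4.tcp_synack_retries = 2
EOF
}

# Print "key want=X have=Y ok|DIFFERS" for every key in the fragment; "have=?"
# when /proc/sys is not readable (e.g. inside a container without the ipv4 tree).
check_syn_hardening() {
    render_syn_hardening | grep -v '^#' | while IFS='=' read -r key want; do
        key=$(echo "$key" | tr -d ' ')
        want=$(echo "$want" | tr -d ' ')
        path="/proc/sys/$(echo "$key" | tr . /)"
        if [ -r "$path" ]; then
            have=$(cat "$path")
        else
            have='?'
        fi
        if [ "$have" = "$want" ]; then status=ok; else status=DIFFERS; fi
        printf '%s want=%s have=%s %s\n' "$key" "$want" "$have" "$status"
    done
}

# Install: write the fragment under /etc/sysctl.d (assumed path) and load it.
# Needs root; sysctl -p FILE loads just that file.
install_syn_hardening() {
    target="${1:-/etc/sysctl.d/99-syn-hardening.conf}"
    render_syn_hardening > "$target"
    sysctl -p "$target"
}
```

Source the file, run `check_syn_hardening` to see what the kernel currently has, then `install_syn_hardening` as root and run the check again; the fragment survives reboots because it lives under /etc/sysctl.d rather than being set with `sysctl -w` only.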
-
08-27-2009, 11:24 AM #4 Web Hosting Evangelist
Join Date: Sep 2008 | Location: NewYork | Posts: 474
And is there any script that could show/explain where this attack comes from??
I looked at the log messages:
Code:
root@server [/home]# tail -f /var/log/messages
Aug 27 11:19:38 server pure-ftpd: (__cpanel__service__auth__ftpd__w_DxE4EHQw3xxxxvuBna2xkZggRXI4weJKuJpsKLM5FHUJBzRow6X@127.0.0.1) [INFO] Logout.
Aug 27 11:21:43 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:30:48:da:57:exxx:72:9a:00:08:00 SRC=8x.214.1x3.21 DST=9xx.31.8x.83 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=30916 PROTO=UDP SPT=1203 DPT=17167 LEN=28
Aug 27 11:24:26 server pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Aug 27 11:24:37 server pure-ftpd: (?@127.0.0.1) [INFO] __cpanel__service__auth__ftpd__6Df4C5l0xZNIuCsXNLpAl4ItAswbHdKHhthXCnUD68xi0PVcRwa0th4AnuU_Pmgu is now logged in
Aug 27 11:24:38 server pure-ftpd: (__cpanel__service__auth__ftpd__6Df4C5l0xZNIuCsXNLpAl4ItAswbHdKHhthXCnUD68xi0PVcRwa0th4AnuU_Pmgu@127.0.0.1) [INFO] Logout.
Aug 27 11:29:03 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ffxxx0 SRC=xxx1.216 DST=255.255.255.255 LEN=29 TOS=0x00 PREC=0x00 TTL=128 ID=10633 PROTO=UDP SPT=1061 DPT=1434 LEN=9
Aug 27 11:29:29 server pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Aug 27 11:29:40 server pure-ftpd: (?@127.0.0.1) [INFO] __cpanel__service__auth__ftpd__9VpllQ8Iy8mT3YF61YMSPz5_4zjIS7p4jsUYgiUaoV5HfEEn5u3qH6mEKEtnZJoD is now logged in
Aug 27 11:29:40 server pure-ftpd: (__cpanel__service__auth__ftpd__9VpllQ8Iy8mT3YF61YMSPz5_4zjIS7p4jsUYgiUaoV5HfEEn5u3qH6mEKEtnZJoD@127.0.0.1) [INFO] Logout.
Aug 27 11:29:42 server kernel: Firewall: *ICMP_IN Blocked* IN=eth0 OUT= MAC=00:30:48:da:xx:e8:00:xx:80:xx:9a:00:08:00 SRC=116.197.128.58 DST=96.31.85.86 LEN=48 TOS=0x00 PREC=0x00 TTL=43 ID=7708 DF PROTO=ICMP TYPE=8 CODE=0 ID=51810 SEQ=7198
Last edited by boxer; 08-27-2009 at 11:31 AM.
-
08-27-2009, 11:34 AM #5 Web Hosting Evangelist
Join Date: Jun 2006 | Location: Cluj Napoca | Posts: 469
Well, that is the thing with those DDoS attacks. If I were able to know the source I would probably reach that guy myself (usually a kid) and.... But you can't really find out who is behind a DDoS. What you can do is mitigate that DDoS, and the attacker will give up after he is convinced he can't get you down.
For a DDoS there is no script you can use that will solve your problem. Also, blocking those IPs in your firewall won't really help; I suspect that most of those IPs are real visitors, since they only have 1 or 2 connections.
Also, how big is the number of IPs you see when you run that command (the one with netstat)?
csf is a Perl script that will (sort of) manage iptables and automate a few things. You can increase the IP limit to more than 100 by changing DENY_IP_LIMIT in /etc/csf/csf.conf.
If that is a DDoS (I don't see anything that looks like a DDoS from what you posted) you can use nginx, for example, as a reverse proxy to lower the number of Apache children created, since a DDoS will only send you SYNs and so on.
Also you should check to see if those are real requests to Apache or just SYNs.
-
08-27-2009, 11:46 AM #6 Web Hosting Evangelist
Join Date: Sep 2008 | Location: NewYork | Posts: 474
I ran this command:
Code:
netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk 1
It shows me that list, so should I (JUST) deny the IPs that have more than 1 or 2 connections to my server?
-
08-27-2009, 11:47 AM #7 Support Facility
Join Date: Jun 2009 | Posts: 2,335
Limit the number of IPs in the /etc/csf/csf.deny file:
Raise the limit on the number of IP addresses you keep permanently banned. Replace 100 with the number of your choice.
Code:
DENY_IP_LIMIT = "100"
Raise the limit on the number of IP addresses you keep temporarily banned. Replace 100 with your new limit.
Code:
DENY_TEMP_IP_LIMIT = "100"
-
08-27-2009, 11:57 AM #8 Web Hosting Evangelist
Join Date: Sep 2008 | Location: NewYork | Posts: 474
I did it. What about the /etc/csf.deny IPs? Should I remove them or keep them there?
-
08-27-2009, 12:04 PM #9 Web Hosting Evangelist
Join Date: Jun 2006 | Location: Cluj Napoca | Posts: 469
-
08-27-2009, 12:05 PM #10 Web Hosting Evangelist
Join Date: Sep 2008 | Location: NewYork | Posts: 474
Code:
root@server [/home]# netstat -plan|grep :80 | grep ESTABLISHED | wc -l
26
root@server [/home]# netstat -plan|grep :80 | wc -l
258
root@server [/home]#
-
08-27-2009, 12:19 PM #11 Web Hosting Evangelist
Join Date: Jun 2006 | Location: Cluj Napoca | Posts: 469
Well, that looks pretty normal, especially for a dedicated server, and it should not cause any problems. Do you have load problems on that server, or how did you reach the conclusion that you have a DDoS?
-
08-27-2009, 12:23 PM #12 Web Hosting Evangelist
Join Date: Sep 2008 | Location: NewYork | Posts: 474
Code:
0.25 (2 cpus)
-
08-27-2009, 12:26 PM #13 Web Hosting Evangelist
Join Date: Jun 2006 | Location: Cluj Napoca | Posts: 469
even if you find the IP location it won't help you at all. Also, you do not have a ddos on that server, everything looks normal. Probably there are some scripts to get an IP location but those scripts will only consume time and they won't work ok under a real ddos and won't help you either.
What is wrong with your server now and why do you think you are under a ddos ?
-
08-27-2009, 12:41 PM #14 Web Hosting Evangelist
Join Date: Sep 2008 | Location: NewYork | Posts: 474
Now everything is normal, but "why" I think it's a DDoS: because the server was working fine, then went down one time and came back. I pinged the server IP and it looked like a timeout sometimes and sometimes it was okay (replying). After I logged in to the server I ran some commands to check the IPs connected to the server and it showed me all this IP list, that's all. I contacted the Hivelocity DC to check out the server and monitor it, and they will reply back shortly. Hope everything goes fine, and thank you a lot Cristi4n for your help. I'll be back with the DC monitoring soon.
-
08-27-2009, 01:41 PM #15 Aspiring Evangelist
Join Date: Mar 2009 | Location: /home/khunj | Posts: 433
If it doesn't ping there might be another reason. Ping is an ICMP protocol, but those IPs connected to your port 80 are using the TCP protocol.
Next time, try to find out what they are doing (connection state):
Code:
netstat -nt | grep ':80 ' | awk '{print $6}' | sort | uniq -c
NinTechNet
★ NinjaFirewall : Web Application Firewall for PHP and WordPress.
★ NinjaMonitoring : Monitor your website for suspicious activities.
-
08-27-2009, 01:43 PM #16 Web Hosting Evangelist
Join Date: Sep 2008 | Location: NewYork | Posts: 474
Nice one!
Code:
root@server [/home/www/public_html]# netstat -nt | grep ':80 ' | awk '{print $6}' | sort | uniq -c
     38 ESTABLISHED
      5 FIN_WAIT1
     40 FIN_WAIT2
      6 SYN_RECV
    344 TIME_WAIT
root@server [/home/www/public_html]#
-
08-27-2009, 02:11 PM #17 Aspiring Evangelist
Join Date: Mar 2009 | Location: /home/khunj | Posts: 433
I don't see anything wrong with that! No SYN flood, no HTTP GET DDoS, no slowloris-like attack.
Have a look at your network stats:
Code:
# netstat -s
And check your HTTP logs: which page are they requesting, and also their referer (someone may have put a link to your website and you're getting famous!)
NinTechNet
★ NinjaFirewall : Web Application Firewall for PHP and WordPress.
★ NinjaMonitoring : Monitor your website for suspicious activities.
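The state breakdown khunj asks for above, and the per-IP count from the first post, as one added shell example (mine, not code from the thread or from NinTechNet): it reads netstat -nt output, counts port-80 sockets by state and by remote IP, and applies the two rough rules from this post (a SYN_RECV pile-up points to a SYN flood; one client holding many connections is worth looking up in the access log). The sample netstat lines, the 25% SYN_RECV threshold and the 3-connection threshold are constructed assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): summarise `netstat -nt` output for
# port 80 by connection state and by remote IP, then flag the two patterns
# discussed in the thread. Thresholds are illustrative assumptions.

# Constructed sample of `netstat -nt` output (not captured from a real host).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51235      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51236      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:40001       TIME_WAIT
tcp        0      0 192.0.2.10:80           203.0.113.9:40002       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.9:40003       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.11:40004      FIN_WAIT2
tcp        0      0 192.0.2.10:22           203.0.113.12:40005      ESTABLISHED'

# Keep only rows whose LOCAL side is port 80. The thread's grep ':80 ' would also
# match a remote port 80; anchoring on column 4 avoids that.
port80_rows() {
    awk '$4 ~ /:80$/'
}

# Connections per state, most common first, e.g. "3 ESTABLISHED".
state_counts() {
    port80_rows | awk '{print $6}' | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Connections per remote IPv4 address (host:port form), most active first.
ip_counts() {
    port80_rows | awk '{split($5, a, ":"); print a[1]}' | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Heuristics (assumed thresholds): SYN_RECV at 25% or more of all port-80 sockets
# suggests a SYN flood; a single IP holding 3 or more connections is worth a
# look in the access log. Prints one line per finding, nothing when quiet.
flag_anomalies() {
    input=$(cat)
    total=$(printf '%s\n' "$input" | port80_rows | wc -l | tr -d ' ')
    synrecv=$(printf '%s\n' "$input" | port80_rows | awk '$6 == "SYN_RECV"' | wc -l | tr -d ' ')
    if [ "$total" -eq 0 ]; then
        echo "no port-80 sockets"
        return 0
    fi
    if [ $((synrecv * 100 / total)) -ge 25 ]; then
        echo "SYN_RECV is ${synrecv}/${total} of port-80 sockets: possible SYN flood"
    fi
    printf '%s\n' "$input" | ip_counts | while read -r n ip; do
        if [ "$n" -ge 3 ]; then
            echo "$ip holds $n connections: check the access log for this client"
        fi
    done
}
```

After sourcing the file, feed it live data with `netstat -nt | state_counts` or `netstat -nt | flag_anomalies`; the constructed sample can be run through the same functions with `printf '%s\n' "$SAMPLE_NETSTAT" | flag_anomalies`. As in post #5, a high count for one IP is a reason to read that client's requests in the access log, not by itself a reason to block it.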
-
08-27-2009, 02:14 PM #18 Web Hosting Evangelist
Join Date: Sep 2008 | Location: NewYork | Posts: 474
I'll send the info result by PM to you, khunj. And what about how to get the HTTP logs? Sorry, I didn't know how, or forgot it.
-
08-27-2009, 02:32 PM #19 Aspiring Evangelist
Join Date: Mar 2009 | Location: /home/khunj | Posts: 433
Nothing wrong with the output you sent.
Your Apache logs can be in /var/log/apache (or /var/log/apache2) on a Debian system, or /usr/local/apache/domlogs on Redhat/CentOS etc.
NinTechNet
★ NinjaFirewall : Web Application Firewall for PHP and WordPress.
★ NinjaMonitoring : Monitor your website for suspicious activities.
-
08-27-2009, 02:35 PM #20 Web Hosting Evangelist
Join Date: Sep 2008 | Location: NewYork | Posts: 474
The logs here in the redhat directory show:
Code:
-rw-r----- 2 root r1z  13264321 Aug 27 14:33 site.com
-rw-r--r-- 1 root root   551730 Aug 27 14:33 site.com-bytes_log
-rw-r--r-- 1 root root        1 Aug 27 09:11 site.com-bytes_log.offset
-rw-r----- 1 root root   658398 Aug 27 14:22 site.com-smtpbytes_log
-
08-27-2009, 02:40 PM #21 CISSP-ISSMP, CISA
Join Date: Aug 2002 | Location: Seattle | Posts: 5,525
If you're receiving DDoS attacks and the csf.deny is over 1000 entries it is recycling the old denies which is going to deplete your resources. If you increase the .conf to over 1000 you'll also deplete your resources.
You're going to need a non-software solution.
-
08-27-2009, 02:51 PM #22 Aspiring Evangelist
Join Date: Mar 2009 | Location: /home/khunj | Posts: 433
NinTechNet
★ NinjaFirewall : Web Application Firewall for PHP and WordPress.
★ NinjaMonitoring : Monitor your website for suspicious activities.
-
08-27-2009, 03:45 PM #23 Web Hosting Evangelist
Join Date: Sep 2008 | Location: NewYork | Posts: 474
Thanks guys,
I sent a msg to you khunj with the link for that file.