Thread: UDP DDoS
-
06-05-2009, 11:18 PM #1 New Member
- Join Date: Jun 2009
- Posts: 3
UDP DDoS
Hi there,
I'm experiencing a significant UDP DDoS at the moment which is aimed at port 80 on my server. It's currently crippling Apache, but only on port 80; https (443) is fine. I've told iptables to drop UDP packets sent to port 80 and have also completely blocked most of the attacking IPs. This has helped, but the webserver is still periodically unresponsive.
Does anybody have any suggestions?
Thanks in advance.
-
06-05-2009, 11:54 PM #2 Web Hosting Master
- Join Date: Apr 2003
- Location: San Jose, CA.
- Posts: 1,624
-
06-05-2009, 11:55 PM #3 New Member
- Join Date: Jun 2009
- Posts: 3
It doesn't. It's just UDP traffic coming in aimed at port 80.
-
06-06-2009, 02:27 AM #4 Web Hosting Master
- Join Date: Apr 2003
- Location: San Jose, CA.
- Posts: 1,624
Do you understand why little of what you said makes any sense?
-
06-06-2009, 03:08 AM #5 New Member
- Join Date: Jun 2009
- Posts: 3
No, I don't see anything wrong with somebody sending a UDP packet destined for port 80 on my server. Sure, Apache isn't listening for UDP packets, as HTTP is TCP-based only, but the packets I am getting are UDP and they are trying to hit port 80.
What's so ridiculous about that?
-
06-06-2009, 01:03 PM #6 Web Hosting Master
- Join Date: Apr 2003
- Location: San Jose, CA.
- Posts: 1,624
Ok... So, someone is sending you UDP packets to port 80, and you think that's slowing down Apache, specifically on port 80.
Apache isn't processing UDP data, so saying Apache is running slow on port 80 but fine on port 443 doesn't make sense or shows some unrelated problem.
You've added a rule to your firewall saying drop all UDP data for port 80. What is it going to do with that data without that rule? Drop it. (Blocking it after it's already reached your box is pointless).
-
06-06-2009, 03:42 AM #7 Disabled
- Join Date: Mar 2009
- Location: Israel
- Posts: 1,212
What kind of firewall are you using? Do you have access to your router?
Is the attack directed to your main IP address,
or is it an IP alias?
-
06-06-2009, 03:54 AM #8 Web Hosting Master
- Join Date: Oct 2002
- Location: Vancouver, B.C.
- Posts: 2,699
-
06-06-2009, 04:07 AM #9 ******* Unleaded
- Join Date: Feb 2004
- Posts: 3,849
-
06-06-2009, 04:31 AM #10 Web Hosting Guru
- Join Date: Feb 2008
- Location: California
- Posts: 315
Does your provider offer any sort of DDoS mitigation at the network level? If so, ask them to enable it.
Short of that, as hhw suggested, ask your provider to block UDP (or specifically UDP port 80 if that's all that's hitting you) traffic via an ACL. Keep in mind that some services typically run over UDP (such as name service), so if you require those services to be running make sure your provider carves out exceptions to the ACL.
-
06-06-2009, 09:31 AM #11 CISSP-ISSMP, CISA
- Join Date: Aug 2002
- Location: Seattle
- Posts: 5,525
If you're not a DDoS risk and really only receive an occasional attack you might just look for a provider that has a managed firewall appliance (e.g. Netscreen) so you can set your own rules on the network and block the traffic you don't need.
-
06-06-2009, 04:24 PM #12 Web Hosting Guru
- Join Date: May 2008
- Posts: 340
Can you paste the output of the following commands so that we can see the requests coming in on port 80?
netstat -plant | grep httpd
tcpdump -vv -i eth0 udp
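
Added example, not part of any post in this thread: a way to turn a UDP capture like the one requested above into numbers for the provider, showing packets, payload bytes and average inbound rate toward port 80 per source, which is the figure to compare against the port's capacity when deciding whether filtering has to happen upstream. It assumes the capture was taken in one-line form with `tcpdump -nn -tt -i eth0 udp` (the `-nn -tt` flags are an assumption added here); `sample_capture` and `udp_flood_summary` are hypothetical names and the sample lines are constructed.

```shell
#!/usr/bin/env bash
# Constructed sample in `tcpdump -nn -tt` one-line format; addresses are
# RFC 5737 documentation ranges, not real hosts.
sample_capture() {
  cat <<'EOF'
1244243880.000000 IP 203.0.113.5.40000 > 198.51.100.10.80: UDP, length 1400
1244243880.250000 IP 203.0.113.5.40001 > 198.51.100.10.80: UDP, length 1400
1244243880.500000 IP 203.0.113.9.53124 > 198.51.100.10.80: UDP, length 1400
1244243881.000000 IP 198.51.100.10.33000 > 192.0.2.53.53: UDP, length 40
1244243881.500000 IP 203.0.113.5.40002 > 198.51.100.10.80: UDP, length 1400
1244243882.000000 IP 203.0.113.9.53125 > 198.51.100.10.80: UDP, length 1400
EOF
}

# udp_flood_summary PORT: reads tcpdump lines on stdin and prints
#   total <packets> <payload bytes> <avg kbit/s over the capture window>
#   src <ip> <packets> <payload bytes>      (heaviest source first)
# Byte counts are UDP payload only; IPv4 and UDP headers add 28 bytes per packet.
udp_flood_summary() {
  awk -v port="$1" '
    $2 == "IP" && $6 == "UDP," {
      dst = $5; sub(/:$/, "", dst)
      n = split(dst, d, ".")
      if (d[n] != port) next                  # keep only packets aimed at PORT
      split($3, s, ".")
      src = s[1] "." s[2] "." s[3] "." s[4]   # drop the source port (IPv4)
      if (!seen) { first = $1; seen = 1 }
      last = $1
      pk[src]++; by[src] += $8; tp++; tb += $8
    }
    END {
      span = last - first
      if (span <= 0) span = 1                 # single packet or empty capture
      printf "total %d %d %d\n", tp, tb, (tb * 8 / 1000) / span
      for (k in pk) printf "src %s %d %d\n", k, pk[k], by[k]
    }' | LC_ALL=C sort -k1,1r -k4,4nr
}

# Stand-alone run on the constructed sample.
sample_capture | udp_flood_summary 80
```

If the total rate is close to the size of the server's uplink, dropping the packets in iptables does not free the link, and the block has to be applied by the provider.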