Results 1 to 22 of 22

Thread: PHP DDoS

  1. #1

    Unhappy PHP DDoS

    Hi,
    Lately I have been recieving DDoS attacks that are HTTP flooding my forum, memory usage goes up by 600MB, CPU usage goes to 100%, site stops loading (500 internal server error or blank page) and there are a LOT of php-fpm processes.
    setup: nginx + php-fpm (latest versions)
    This is my php-fpm config:
    Code:
    ; Start a new pool named 'www'.
    [www]
    
    ; The address on which to accept FastCGI requests.
    ; Valid syntaxes are:
    ;   'ip.add.re.ss:port'    - to listen on a TCP socket to a specific address on
    ;                            a specific port;
    ;   'port'                 - to listen on a TCP socket to all addresses on a
    ;                            specific port;
    ;   '/path/to/unix/socket' - to listen on a unix socket.
    ; Note: This value is mandatory.
    listen = 127.0.0.1:9000
    
    ; Set listen(2) backlog. A value of '-1' means unlimited.
    ; Default Value: -1
    ;listen.backlog = -1
     
    ; List of ipv4 addresses of FastCGI clients which are allowed to connect.
    ; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
    ; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
    ; must be separated by a comma. If this value is left blank, connections will be
    ; accepted from any ip address.
    ; Default Value: any
    listen.allowed_clients = 127.0.0.1
    
    ; Set permissions for unix socket, if one is used. In Linux, read/write
    ; permissions must be set in order to allow connections from a web server. Many
    ; BSD-derived systems allow connections regardless of permissions. 
    ; Default Values: user and group are set as the running user
    ;                 mode is set to 0666
    ;listen.owner = nobody
    ;listen.group = nobody
    ;listen.mode = 0666
    
    ; Unix user/group of processes
    ; Note: The user is mandatory. If the group is not set, the default user's group
    ;       will be used.
    ; RPM: apache Choosed to be able to access some dir as httpd
    user = php
    ; RPM: Keep a group allowed to write in log dir.
    group = php
    
    ; Choose how the process manager will control the number of child processes.
    ; Possible Values:
    ;   static  - a fixed number (pm.max_children) of child processes;
    ;   dynamic - the number of child processes are set dynamically based on the
    ;             following directives:
    ;             pm.max_children      - the maximum number of children that can
    ;                                    be alive at the same time.
    ;             pm.start_servers     - the number of children created on startup.
    ;             pm.min_spare_servers - the minimum number of children in 'idle'
    ;                                    state (waiting to process). If the number
    ;                                    of 'idle' processes is less than this
    ;                                    number then some children will be created.
    ;             pm.max_spare_servers - the maximum number of children in 'idle'
    ;                                    state (waiting to process). If the number
    ;                                    of 'idle' processes is greater than this
    ;                                    number then some children will be killed.
    ; Note: This value is mandatory.
    pm = dynamic
    
    ; The number of child processes to be created when pm is set to 'static' and the
    ; maximum number of child processes to be created when pm is set to 'dynamic'.
    ; This value sets the limit on the number of simultaneous requests that will be
    ; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
    ; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
    ; CGI.
    ; Note: Used when pm is set to either 'static' or 'dynamic'
    ; Note: This value is mandatory.
    pm.max_children = 50
    
    ; The number of child processes created on startup.
    ; Note: Used only when pm is set to 'dynamic'
    ; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
    pm.start_servers = 2
    
    ; The desired minimum number of idle server processes.
    ; Note: Used only when pm is set to 'dynamic'
    ; Note: Mandatory when pm is set to 'dynamic'
    pm.min_spare_servers = 2
    
    ; The desired maximum number of idle server processes.
    ; Note: Used only when pm is set to 'dynamic'
    ; Note: Mandatory when pm is set to 'dynamic'
    pm.max_spare_servers = 5
     
    ; The number of requests each child process should execute before respawning.
    ; This can be useful to work around memory leaks in 3rd party libraries. For
    ; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
    ; Default Value: 0
    pm.max_requests = 500
    
    ; The URI to view the FPM status page. If this value is not set, no URI will be
    ; recognized as a status page. By default, the status page shows the following
    ; information:
    ;   accepted conn    - the number of request accepted by the pool;
    ;   pool             - the name of the pool;
    ;   process manager  - static or dynamic;
    ;   idle processes   - the number of idle processes;
    ;   active processes - the number of active processes;
    ;   total processes  - the number of idle + active processes.
    ; The values of 'idle processes', 'active processes' and 'total processes' are
    ; updated each second. The value of 'accepted conn' is updated in real time.
    ; Example output:
    ;   accepted conn:   12073
    ;   pool:             www
    ;   process manager:  static
    ;   idle processes:   35
    ;   active processes: 65
    ;   total processes:  100
    ; By default the status page output is formatted as text/plain. Passing either
    ; 'html' or 'json' as a query string will return the corresponding output
    ; syntax. Example:
    ;   http://www.foo.bar/status
    ;   http://www.foo.bar/status?json
    ;   http://www.foo.bar/status?html
    ; Note: The value must start with a leading slash (/). The value can be
    ;       anything, but it may not be a good idea to use the .php extension or it
    ;       may conflict with a real PHP file.
    ; Default Value: not set 
    ;pm.status_path = /status
     
    ; The ping URI to call the monitoring page of FPM. If this value is not set, no
    ; URI will be recognized as a ping page. This could be used to test from outside
    ; that FPM is alive and responding, or to
    ; - create a graph of FPM availability (rrd or such);
    ; - remove a server from a group if it is not responding (load balancing);
    ; - trigger alerts for the operating team (24/7).
    ; Note: The value must start with a leading slash (/). The value can be
    ;       anything, but it may not be a good idea to use the .php extension or it
    ;       may conflict with a real PHP file.
    ; Default Value: not set
    ;ping.path = /ping
    
    ; This directive may be used to customize the response of a ping request. The
    ; response is formatted as text/plain with a 200 response code.
    ; Default Value: pong
    ;ping.response = pong
     
    ; The timeout for serving a single request after which the worker process will
    ; be killed. This option should be used when the 'max_execution_time' ini option
    ; does not stop script execution for some reason. A value of '0' means 'off'.
    ; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
    ; Default Value: 0
    ;request_terminate_timeout = 0
     
    ; The timeout for serving a single request after which a PHP backtrace will be
    ; dumped to the 'slowlog' file. A value of '0s' means 'off'.
    ; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
    ; Default Value: 0
    ;request_slowlog_timeout = 0
     
    ; The log file for slow requests
    ; Default Value: /var/log/php-fpm.log.slow
    ;slowlog = /var/log/php-fpm.log.slow
     
    ; Set open file descriptor rlimit.
    ; Default Value: system defined value
    ;rlimit_files = 1024
     
    ; Set max core size rlimit.
    ; Possible Values: 'unlimited' or an integer greater or equal to 0
    ; Default Value: system defined value
    ;rlimit_core = 0
     
    ; Chroot to this directory at the start. This value must be defined as an
    ; absolute path. When this value is not set, chroot is not used.
    ; Note: chrooting is a great security feature and should be used whenever 
    ;       possible. However, all PHP paths will be relative to the chroot
    ;       (error_log, sessions.save_path, ...).
    ; Default Value: not set
    ;chroot = 
     
    ; Chdir to this directory at the start. This value must be an absolute path.
    ; Default Value: current directory or / when chroot
    ;chdir = /var/www
     
    ; Redirect worker stdout and stderr into main error log. If not set, stdout and
    ; stderr will be redirected to /dev/null according to FastCGI specs.
    ; Default Value: no
    ;catch_workers_output = yes
     
    ; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
    ; the current environment.
    ; Default Value: clean env
    ;env[HOSTNAME] = $HOSTNAME
    ;env[PATH] = /usr/local/bin:/usr/bin:/bin
    ;env[TMP] = /tmp
    ;env[TMPDIR] = /tmp
    ;env[TEMP] = /tmp
    
    ; Additional php.ini defines, specific to this pool of workers. These settings
    ; overwrite the values previously defined in the php.ini. The directives are the
    ; same as the PHP SAPI:
    ;   php_value/php_flag             - you can set classic ini defines which can
    ;                                    be overwritten from PHP call 'ini_set'. 
    ;   php_admin_value/php_admin_flag - these directives won't be overwritten by
    ;                                     PHP call 'ini_set'
    ; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
    
    ; Defining 'extension' will load the corresponding shared extension from
    ; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
    ; overwrite previously defined php.ini values, but will append the new value
    ; instead.
    
    ; Default Value: nothing is defined by default except the values in php.ini and
    ;                specified at startup with the -d argument
    ;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
    ;php_flag[display_errors] = off
    php_admin_value[error_log] = /var/log/php-fpm/www-error.log
    php_admin_flag[log_errors] = on
    ;php_admin_value[memory_limit] = 32M
    Help is appreciated, thank you

  2. #2
    Join Date
    Aug 2002
    Location
    Seattle
    Posts
    5,525
    Focus on stopping the traffic from reaching php. No amount of config tweaking is going to mitigate an attack of any sufficient size.

  3. #3
    Quote Originally Posted by IRCCo Jeff View Post
    Focus on stopping the traffic from reaching php. No amount of config tweaking is going to mitigate an attack of any sufficient size.
    The attack is no more than 10-12Mbps, and only from around ~100 IPs at the same time but they are constantly changing.

  4. #4
    Join Date
    Aug 2002
    Location
    Seattle
    Posts
    5,525
    You could try using csf . Sometimes this type of self help works, other times even small attacks require professional mitigation.

  5. #5
    Join Date
    Dec 2007
    Location
    Indiana, USA
    Posts
    19,196
    Without something in front of the server/webserver software to mitigate the attack there isn't going to be much you can do beyond perhaps replacing the dynamic content with static content temporarily until the attack subsides. If they're hitting something like index.php you can do a mod_rewrite to return an index.html instead of the .php which will be much less resource intensive.
    Michael Denney - MDDHosting.com - Proudly hosting more than 37,700 websites since 2007.
    Ultra-Fast Cloud Shared and Pay-By-Use Reseller Hosting Powered by LiteSpeed!
    cPanel • Free SSL • 100% Uptime SLA • 24/7 Support
    Class-leading support that responds in minutes, not days.

  6. #6
    Join Date
    Aug 2008
    Posts
    536
    Install csf and for apache mod anti-loris attack, depending on the attack this can solve your problem.
    Regards,
    Yourwebhoster.eu [NL] based hosting
    Shared | Reseller | KVM VPS | Reseller VPS

  7. #7
    Join Date
    Dec 2007
    Location
    Indiana, USA
    Posts
    19,196
    Quote Originally Posted by yourwebhostereu View Post
    Install csf and for apache mod anti-loris attack, depending on the attack this can solve your problem.
    The loris attack just leaves Apache connections hanging open (doesn't actually request pages) last time I took a look so I wouldn't say that patch would apply here, although it's not a bad idea in general.
    Michael Denney - MDDHosting.com - Proudly hosting more than 37,700 websites since 2007.
    Ultra-Fast Cloud Shared and Pay-By-Use Reseller Hosting Powered by LiteSpeed!
    cPanel • Free SSL • 100% Uptime SLA • 24/7 Support
    Class-leading support that responds in minutes, not days.

  8. #8
    Join Date
    Aug 2008
    Posts
    536
    Quote Originally Posted by MikeDVB View Post
    The loris attack just leaves Apache connections hanging open (doesn't actually request pages) last time I took a look so I wouldn't say that patch would apply here, although it's not a bad idea in general.
    That's correct but I see now that the TS is using nginx, I don't know if nginx has the security by itself or if there is a patch for it.
    Regards,
    Yourwebhoster.eu [NL] based hosting
    Shared | Reseller | KVM VPS | Reseller VPS

  9. #9
    Join Date
    Dec 2007
    Location
    Indiana, USA
    Posts
    19,196
    Quote Originally Posted by yourwebhostereu View Post
    That's correct but I see now that the TS is using nginx, I don't know if nginx has the security by itself or if there is a patch for it.
    Yeah, I was speaking generally about the patch itself.

    Beyond that, nginx is not vulnerable to the loris attack.
    Michael Denney - MDDHosting.com - Proudly hosting more than 37,700 websites since 2007.
    Ultra-Fast Cloud Shared and Pay-By-Use Reseller Hosting Powered by LiteSpeed!
    cPanel • Free SSL • 100% Uptime SLA • 24/7 Support
    Class-leading support that responds in minutes, not days.

  10. #10
    Just a note: I am using DDoS Deflator although it isn't helping.

  11. #11
    Join Date
    Dec 2007
    Location
    Indiana, USA
    Posts
    19,196
    Quote Originally Posted by misspink View Post
    Just a note: I am using DDoS Deflator although it isn't helping.
    Software solutions such as those tend to not be really effective in my experiences. I've seen things like that and CSF actually cause more issues than they fixed under a decent DDoS. 10~12 MBPS may not sound like a lot, but when it's nothing but 1kb requests... That is actually quite a large number of requests/second.
    Michael Denney - MDDHosting.com - Proudly hosting more than 37,700 websites since 2007.
    Ultra-Fast Cloud Shared and Pay-By-Use Reseller Hosting Powered by LiteSpeed!
    cPanel • Free SSL • 100% Uptime SLA • 24/7 Support
    Class-leading support that responds in minutes, not days.

  12. #12
    Join Date
    Jun 2008
    Location
    Manchester, UK
    Posts
    207
    If you were to switch over to litespeed, it should help mitigate any attacks. Depending how popular the site is you could possibly temp take it offline or maybe look into the cloud?

    Hope this helps!!

  13. #13
    Try to use CSF with "port flood control option" or IPTABLES to limit connections per second

    /sbin/iptables -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
    /sbin/iptables -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds 100 --hitcount 60 -j DROP

    this will help you i got same attack from few days .

  14. #14
    Join Date
    Jun 2006
    Location
    NYC / Memphis, TN
    Posts
    1,454
    CSF is an iptables solution.

    Any thing IPTables with an amount of traffic (number of IP's wise) that are bringing down the web server, it's likely iptables will not handle it either.

    The linux kernel with iptables simply aren't resilient when it comes to handling any sort of attack traffic once you surpass a thousand or so IP's. Even a hundred requests/second different IP's, if it's a large amount of IP's, iptables will cause the box to get unstable.

    You can try the listed rules above but you're still looking at a 'dumb' rule with no real validation of an attack. It simply blocks based on requests and if KeepAlive is off, that number will be hit with a site having a few images on it.

    I'd suggest switching to BSD or get a solution with protection. The other option is simply try to withstand the attack without doing the blocking. You're using nginx? Properly configured nginx (even on linux) will handle upwards of 1500 requests/sec with the correct sysctl config.
    PeakVPN.Com | Complete Privacy VPN | Cloud Hosting | Guaranteed Security | 1Gbps-10Gbps Unmetered
    PeakVPN | 31 VPN Servers | 17-Years Experience | Emergency 24/7 Support
    Visit us @ PeakVPN.Com (Coming SOON) | ASN: 3915

  15. #15
    Join Date
    Nov 2010
    Location
    Casablanca
    Posts
    153
    You should think about a caching solution that will generate html pagesp (instead of executing php files) each time there is a modification.

  16. #16
    Join Date
    Dec 2010
    Posts
    166
    Quote Originally Posted by L1nuxGeek View Post
    Try to use CSF with "port flood control option" or IPTABLES to limit connections per second

    /sbin/iptables -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
    /sbin/iptables -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds 100 --hitcount 60 -j DROP

    this will help you i got same attack from few days .
    Yea dropping their connection to the server before they can do http flodding sounds like a good idea

    Hopefully they run out of ips asap.

  17. #17
    Code:
    [root@web2 ~]# iptables -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
    [root@web2 ~]# iptables -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds 100 --hitcount 60 -j DROP
    iptables: Unknown error 18446744073709551615
    [root@web2 ~]#
    Any ideas?

  18. #18
    Join Date
    Dec 2010
    Posts
    166
    does

    iptables -L

    work?

  19. #19
    Code:
    [root@web2 /]# iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    
    Chain RH-Firewall-1-INPUT (0 references)
    target     prot opt source               destination
    [root@web2 /]#

  20. #20
    Join Date
    Dec 2010
    Posts
    166

  21. #21
    Quote Originally Posted by misspink View Post
    Code:
    [root@web2 ~]# iptables -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
    [root@web2 ~]# iptables -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds 100 --hitcount 60 -j DROP
    iptables: Unknown error 18446744073709551615
    [root@web2 ~]#
    Any ideas?
    you need to increase the ip_pkt_list_tot value .

    # rmmod ipt_recent
    # modprobe ipt_recent ip_pkt_list_tot=75

  22. #22
    Join Date
    Dec 2007
    Location
    Indiana, USA
    Posts
    19,196
    Quote Originally Posted by ServerOrigin View Post
    You're using nginx? Properly configured nginx (even on linux) will handle upwards of 1500 requests/sec with the correct sysctl config.
    Chances are, it's PHP that's having issues keeping up and not nginx itself.
    Michael Denney - MDDHosting.com - Proudly hosting more than 37,700 websites since 2007.
    Ultra-Fast Cloud Shared and Pay-By-Use Reseller Hosting Powered by LiteSpeed!
    cPanel • Free SSL • 100% Uptime SLA • 24/7 Support
    Class-leading support that responds in minutes, not days.

Similar Threads

  1. Replies: 4
    Last Post: 08-12-2009, 03:16 AM
  2. Replies: 0
    Last Post: 11-21-2008, 09:20 AM
  3. Really Odd DDoS or something -> No log entries, over 2200+ PHP processes
    By NuCode in forum Hosting Security and Technology
    Replies: 4
    Last Post: 04-09-2008, 07:17 PM
  4. Anti-DDOS php scripts?
    By laydee in forum Web Design and Content
    Replies: 6
    Last Post: 09-16-2007, 11:59 PM
  5. Replies: 5
    Last Post: 10-31-2005, 02:29 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •