  #1 (Join Date: Mar 2010, Posts: 95)

    New distributed DDoS problem - suggest solutions

    Hi, I recently received a DDoS on one of the customer websites, which is a Nuke CMS and had high traffic.

    Here are some of the recent connections (Apache mod_status scoreboard; column order as printed by mod_status):
    Code:
    Srv	PID	Acc	M 	CPU	SS	Req	Conn	Child	Slot 	Client	VHost	Request
    1672-0	469	0/2/2	W 	0.04	1	0	0.0	0.00	0.00 	201.80.192.198	UserDomain.com	GET /index.php HTTP/1.0
    1673-0	470	0/1/1	W 	0.01	10	0	0.0	0.00	0.00 	118.69.71.191	UserDomain.com	GET /index.php HTTP/1.1
    1674-0	474	1/2/2	K 	0.02	1	16132	0.3	0.00	0.00 	119.38.129.43	UserDomain.com	GET /index.php HTTP/1.1
    1675-0	480	1/2/2	K 	0.09	1	15940	0.3	0.00	0.00 	113.108.177.66	UserDomain.com	GET /index.php HTTP/1.0
    1676-0	489	0/2/2	W 	0.09	1	0	0.0	0.00	0.00 	195.158.101.173	UserDomain.com	GET /index.php HTTP/1.1
    1677-0	494	0/1/1	W 	0.01	10	0	0.0	0.00	0.00 	64.31.58.96	UserDomain.com	GET /index.php HTTP/1.0
    1678-0	497	1/2/2	K 	0.03	1	15876	0.3	0.00	0.00 	164.78.252.57	UserDomain.com	GET /index.php HTTP/1.1
    1679-0	504	0/2/2	W 	0.03	1	0	0.0	0.00	0.00 	109.162.199.76	UserDomain.com	GET /index.php HTTP/1.1
    1680-0	505	0/2/2	W 	0.02	0	0	0.0	0.00	0.00 	89.174.186.3	UserDomain.com	GET /index.php HTTP/1.1
    1681-0	507	1/2/2	K 	0.03	1	15847	0.3	0.00	0.00 	88.202.124.121	UserDomain.com	GET /index.php HTTP/1.1
    1682-0	512	0/2/2	W 	0.04	1	0	0.0	0.00	0.00 	189.17.195.187	UserDomain.com	GET /index.php HTTP/1.0
    1683-0	515	0/1/1	W 	0.01	2	0	0.0	0.00	0.00 	116.52.149.60	UserDomain.com	GET /index.php HTTP/1.1
    1684-0	525	0/2/2	W 	0.03	1	0	0.0	0.00	0.00 	213.251.187.190	UserDomain.com	GET /index.php HTTP/1.0
    1685-0	527	1/2/2	K 	0.02	1	15850	0.3	0.00	0.00 	189.17.195.187	UserDomain.com	GET /index.php HTTP/1.0
    1686-0	532	1/2/2	W 	0.02	2	0	0.3	0.00	0.00 	82.200.191.238	UserDomain.com	GET /index.php HTTP/1.0
    1687-0	538	0/2/2	W 	0.03	1	0	0.0	0.00	0.00 	189.127.190.211	UserDomain.com	GET /index.php HTTP/1.1
    1688-0	544	0/1/1	W 	0.02	9	0	0.0	0.00	0.00 	209.13.158.2	UserDomain.com	GET /index.php HTTP/1.0
    1689-0	548	0/1/1	W 	0.00	9	0	0.0	0.00	0.00 	109.162.199.76	UserDomain.com	GET /index.php HTTP/1.1
    1690-0	555	1/2/2	K 	0.03	1	15763	0.3	0.00	0.00 	58.147.191.150	UserDomain.com	GET /index.php HTTP/1.0
    1691-0	559	0/2/2	W 	0.00	1	0	0.0	0.00	0.00 	80.32.191.8	UserDomain.com	GET /index.php HTTP/1.1
    1692-0	568	0/2/2	R 	0.00	1	15737	0.0	0.00	0.00 	?	?	..reading.. 
    1693-0	570	0/1/1	W 	0.02	9	0	0.0	0.00	0.00 	186.232.195.13	UserDomain.com	GET /index.php HTTP/1.0
    1694-0	575	0/2/2	W 	0.03	1	0	0.0	0.00	0.00 	95.130.56.25	UserDomain.com	GET /index.php HTTP/1.1
    1695-0	582	1/2/2	K 	0.05	1	15730	0.3	0.00	0.00 	200.24.206.107	UserDomain.com	GET /index.php HTTP/1.0
    1696-0	585	0/2/2	R 	0.03	1	15709	0.0	0.00	0.00 	?	?	..reading.. 
    1697-0	592	0/2/2	W 	0.04	0	0	0.0	0.00	0.00 	125.40.181.151	UserDomain.com	GET /index.php HTTP/1.1
    1698-0	599	0/2/2	W 	0.02	1	0	0.0	0.00	0.00 	123.125.156.82	UserDomain.com	GET /index.php HTTP/1.1
    1699-0	607	1/1/1	W 	0.06	14	0	0.3	0.00	0.00 	202.185.33.14	UserDomain.com	GET /index.php HTTP/1.1
    1700-0	1104	0/1/1	W 	0.01	14	0	0.0	0.00	0.00 	77.104.103.242	UserDomain.com	GET /index.php HTTP/1.1
    1701-0	1110	0/0/0	W 	0.00	4	0	0.0	0.00	0.00 	60.28.212.184	UserDomain.com	GET /index.php HTTP/1.0
    I have mod IP limiter, mod_security, mod_cband status, CSF firewall, cPanel and Apache on my server.
    The problem is that the attacking IPs are not from the same range, and the number of connections is not high enough for the firewall to detect it.

    There are, for example, 4000 connections from 500+ IPs. What do you suggest I do? The only thing I could do is block the file the DDoS is hitting (index.php); this way at least server memory and CPU usage are still normal, and only Apache connections are used.

    Also, I was on LiteSpeed Enterprise (2 CPU) until yesterday and there was the same problem with this DDoS too.

  #2 (Join Date: Feb 2008, Location: Houston, Texas, USA, Posts: 3,262)
    You could minimize the attack a bit by converting index.php to index.html like this (make sure that an index.html file doesn't already exist):

    1) php index.php > index.html
    2) mv index.php index.php.disabled

    This should take some of the burden off the server for a while.

    Regards
    UNIXy - Fully Managed Servers and Clusters - Established in 2006
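The swap described in the reply above, written out with the checks you would want before doing it on a live docroot. This is an added example, not code from the reply or from the Nuke CMS project. It assumes `docroot` is the site's document root, that `render_cmd` is whatever writes the page's HTML to stdout (the reply's `php index.php` is the default; fetching through the web server, e.g. `curl -s http://localhost/index.php`, is often more faithful because the PHP CLI has no request context, sessions or `$_SERVER`), and that the web server's `DirectoryIndex` lists `index.html`. `freeze_index`, `restore_index` and `demo` are names chosen here.

```python
"""Freeze a PHP front page to a static index.html and take index.php out of
the request path; restore_index() reverses it. Added example, not the thread's
or the CMS's own code."""
import os
import shutil
import subprocess
import sys
import tempfile


def freeze_index(docroot, render_cmd=None, src="index.php", dst="index.html"):
    """Render src to dst atomically, then rename src to src + '.disabled'.
    Returns the path of the static file written."""
    src_path = os.path.join(docroot, src)
    dst_path = os.path.join(docroot, dst)
    if render_cmd is None:
        render_cmd = ["php", src]  # the command used in the reply (assumed PHP CLI on PATH)
    if os.path.exists(dst_path):
        # The reply's caveat: never clobber an index.html that already exists.
        raise FileExistsError(f"{dst_path} exists; refusing to overwrite")
    if not os.path.isfile(src_path):
        raise FileNotFoundError(src_path)

    # Render into a temp file in the same directory so the final rename is
    # atomic and a half-written page is never served.
    fd, tmp_path = tempfile.mkstemp(prefix=".freeze-", dir=docroot)
    try:
        with os.fdopen(fd, "wb") as out:
            subprocess.run(render_cmd, cwd=docroot, stdout=out, check=True)
        if os.path.getsize(tmp_path) == 0:
            raise RuntimeError("renderer produced no output; not swapping")
        os.chmod(tmp_path, 0o644)  # mkstemp creates 0600, unreadable by the web server user
        os.replace(tmp_path, dst_path)
    except BaseException:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise
    os.replace(src_path, src_path + ".disabled")
    return dst_path


def restore_index(docroot, src="index.php", dst="index.html"):
    """Undo freeze_index: remove the static page and put the PHP file back."""
    src_path = os.path.join(docroot, src)
    dst_path = os.path.join(docroot, dst)
    disabled = src_path + ".disabled"
    if not os.path.isfile(disabled):
        raise FileNotFoundError(disabled)
    if os.path.exists(dst_path):
        os.unlink(dst_path)
    os.replace(disabled, src_path)
    return src_path


def demo():
    """Exercise both functions in a throwaway docroot with a stand-in renderer
    (a Python one-liner, so this runs without PHP or a web server)."""
    docroot = tempfile.mkdtemp(prefix="docroot-")
    try:
        with open(os.path.join(docroot, "index.php"), "w") as f:
            f.write("<?php echo 'hello'; ?>")  # constructed placeholder page
        render = [sys.executable, "-c", "print('<html>frozen copy</html>')"]
        frozen = freeze_index(docroot, render)
        after_freeze = sorted(os.listdir(docroot))
        try:
            freeze_index(docroot, render)
            second_call = "overwrote"
        except FileExistsError:
            second_call = "refused"
        with open(frozen) as f:
            html = f.read()
        restore_index(docroot)
        after_restore = sorted(os.listdir(docroot))
    finally:
        shutil.rmtree(docroot, ignore_errors=True)
    return {"after_freeze": after_freeze, "second_call": second_call,
            "html": html, "after_restore": after_restore}


if __name__ == "__main__":
    print(demo())
```

Run `freeze_index("/home/user/public_html", ["curl", "-s", "http://localhost/index.php"])` from a cPanel shell to freeze a real site; `restore_index` puts it back once the flood subsides. Remember that the frozen copy is only as fresh as the moment it was rendered, and that any other PHP entry points on the site are still reachable.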

  #3 (Join Date: Nov 2010, Location: Arizona, Posts: 298)
    Have you tried using ddos deflate?

    http://deflate.medialayer.com/

  #4 (Join Date: Mar 2002, Location: Philadelphia, PA, Posts: 2,517)
    Are the requests coming from a common country, i.e. Russia, etc.?

    If so, you can use CSF to block the country, or use ddoSutil (https://github.com/viGeek/ddoSutil); using the ddoSutil-geoip.sh package you would just run:

    sh ddoSutil-geoip.sh -c Russia -a 1
    -c = country
    -a = action (1 to block, 0 to unblock)

    In that tool you could also use the harden script, which will limit connections per IP and also implement some sysctl hardening.

    As mentioned above, DDoS Deflate will work as well; it simply grabs the number of connections per IP address, and you can then set a threshold to block those over it.

  #5 (Join Date: Mar 2010, Posts: 95)
    Quote Originally Posted by asciiDigital:
    Have you tried using ddos deflate?

    http://deflate.medialayer.com/
    I already had DDoS Deflate installed on my server, but I have set it to block an IP at 250+ connections. This DDoS does not go further than 10-20 connections per IP, and this connection tracking can't detect it.

    And I don't think the IPs are from one country. I'll check to see if the IPs are from a specific country and I'll let you know about it.
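The detection gap described in post #1 and post #5, shown on a scoreboard of the kind pasted in post #1. This is an added example, not code from the thread or from DDoS Deflate. It parses Apache mod_status rows (column order as mod_status prints it: Srv PID Acc M CPU SS Req Conn Child Slot Client VHost Request) and computes two views: the per-IP count a threshold tool works from (DDoS Deflate counts netstat connections rather than mod_status rows, so this is an approximation of its rule), and a per-path view that asks how many distinct clients are on the busiest path. The sample scoreboard is constructed with RFC 5737 documentation addresses, not the IPs from the thread; `parse_scoreboard`, `analyze`, `block_candidates` and the thresholds are names and values chosen here.

```python
"""Two views of an Apache mod_status scoreboard: per-IP counts (what a
threshold blocker sees) and distinct clients per request path (what a
distributed, low-rate flood looks like). Added example, not the thread's code."""
import re
from collections import Counter

# Constructed sample in mod_status layout. One client (192.0.2.10) appears
# twice, one slot is still reading its request line, one row is a legitimate
# image fetch. Every other slot is a different IP hitting /index.php.
SAMPLE_SCOREBOARD = """\
1672-0  469  0/2/2  W  0.04  1   0      0.0  0.00  0.00  192.0.2.10     example.com  GET /index.php HTTP/1.0
1673-0  470  0/1/1  W  0.01  10  0      0.0  0.00  0.00  192.0.2.11     example.com  GET /index.php HTTP/1.1
1674-0  474  1/2/2  K  0.02  1   16132  0.3  0.00  0.00  198.51.100.7   example.com  GET /index.php HTTP/1.1
1675-0  480  1/2/2  K  0.09  1   15940  0.3  0.00  0.00  198.51.100.8   example.com  GET /index.php HTTP/1.0
1676-0  489  0/2/2  W  0.09  1   0      0.0  0.00  0.00  203.0.113.21   example.com  GET /index.php HTTP/1.1
1677-0  494  0/1/1  W  0.01  10  0      0.0  0.00  0.00  203.0.113.22   example.com  GET /index.php HTTP/1.0
1678-0  497  1/2/2  K  0.03  1   15876  0.3  0.00  0.00  192.0.2.10     example.com  GET /index.php HTTP/1.1
1679-0  504  0/2/2  W  0.03  1   0      0.0  0.00  0.00  203.0.113.23   example.com  GET /index.php HTTP/1.1
1680-0  505  0/2/2  W  0.02  0   0      0.0  0.00  0.00  198.51.100.9   example.com  GET /index.php HTTP/1.1
1681-0  507  1/2/2  K  0.03  1   15847  0.3  0.00  0.00  192.0.2.12     example.com  GET /index.php HTTP/1.1
1682-0  512  0/2/2  W  0.04  1   0      0.0  0.00  0.00  203.0.113.24   example.com  GET /index.php HTTP/1.0
1683-0  515  0/1/1  W  0.01  2   0      0.0  0.00  0.00  192.0.2.13     example.com  GET /index.php?name=News HTTP/1.1
1684-0  525  0/2/2  R  0.00  1   15737  0.0  0.00  0.00  ?              ?            ..reading..
1685-0  527  1/2/2  K  0.02  1   15850  0.3  0.00  0.00  198.51.100.50  example.com  GET /images/logo.png HTTP/1.1
"""

# One scoreboard row; the Request column may itself contain spaces.
ROW_RE = re.compile(
    r"^\s*(?P<srv>\d+-\d+)\s+(?P<pid>\d+)\s+(?P<acc>\d+/\d+/\d+)\s+(?P<mode>\S)\s+"
    r"(?P<cpu>[\d.]+)\s+(?P<ss>\d+)\s+(?P<req>\d+)\s+(?P<conn>[\d.]+)\s+"
    r"(?P<child>[\d.]+)\s+(?P<slot>[\d.]+)\s+(?P<client>\S+)\s+(?P<vhost>\S+)"
    r"(?:\s+(?P<request>.*?))?\s*$"
)

# Worker states with a request in flight. "_" (waiting) and "." (open slot)
# only display the last request that slot served and would inflate the counts.
ACTIVE_MODES = set("RWKDCLGI")


def parse_scoreboard(text):
    """Return one dict per scoreboard row; non-row lines (headers, blanks) are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        row = m.groupdict()
        parts = (row["request"] or "").split()
        # "..reading.." slots have no request line yet; strip any query string
        # so /index.php?name=News counts as /index.php.
        row["path"] = parts[1].split("?", 1)[0] if len(parts) >= 2 else None
        rows.append(row)
    return rows


def active_rows(rows):
    return [r for r in rows if r["client"] != "?" and r["mode"] in ACTIVE_MODES and r["path"]]


def analyze(rows, per_ip_threshold=250, distributed_min_ips=10):
    """per_ip_rule: any single client at or above per_ip_threshold (the DDoS
    Deflate-style check). distributed_rule: the busiest path is being hit by
    at least distributed_min_ips distinct clients while no client alone trips
    the per-IP rule, i.e. the pattern in the thread."""
    active = active_rows(rows)
    per_ip = Counter(r["client"] for r in active)
    per_path = Counter(r["path"] for r in active)
    if not active:
        return {"active": 0, "distinct_ips": 0, "max_per_ip": 0, "top_path": None,
                "ips_on_top_path": 0, "per_ip_rule_fires": False, "distributed_rule_fires": False}
    top_path = per_path.most_common(1)[0][0]
    ips_on_top = {r["client"] for r in active if r["path"] == top_path}
    max_per_ip = max(per_ip.values())
    return {
        "active": len(active),
        "distinct_ips": len(per_ip),
        "max_per_ip": max_per_ip,
        "top_path": top_path,
        "ips_on_top_path": len(ips_on_top),
        "per_ip_rule_fires": max_per_ip >= per_ip_threshold,
        "distributed_rule_fires": len(ips_on_top) >= distributed_min_ips and max_per_ip < per_ip_threshold,
    }


def block_candidates(rows, path=None):
    """Distinct clients currently on `path` (default: the busiest path), sorted."""
    active = active_rows(rows)
    if path is None:
        path = analyze(rows)["top_path"]
    return sorted({r["client"] for r in active if r["path"] == path})


if __name__ == "__main__":
    parsed = parse_scoreboard(SAMPLE_SCOREBOARD)
    print(analyze(parsed))
    print(block_candidates(parsed))
```

On the sample, the per-IP rule never fires (the busiest client has two slots against a threshold of 250) while the per-path rule does, which is the situation the two posts describe. Feeding the real scoreboard from `/server-status` (or `apachectl fullstatus`) into `parse_scoreboard` and passing `block_candidates` to `csf -d` is a stopgap only: with 500+ sources the list churns faster than you can block it, so the cheaper fix is still to make the targeted URI cheap to serve.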

  #6 (Join Date: Mar 2010, Posts: 95)
    I have blocked these countries' IPs as this link showed, but there is still an attack on my server.

  #7 (Join Date: Mar 2010, Posts: 95)
    I have blocked China and Russia IPs from this link:

    http://www.parkansky.com/china.htm

    But I still have the DDoS; it's almost like a large traffic hit.

