04-02-2011, 01:25 PM #1Junior Guru Wannabe
- Join Date
- Mar 2010
- Posts
- 95
new distributed ddos problem - suggest solutions
Hi, I recently received a DDoS on one of the customer websites, which is a Nuke CMS and had high traffic.
Here are some of the recent connections:
Code:
1672-0 469 0/2/2 W 0.04 1 0 0.0 0.00 0.00 201.80.192.198 UserDomain.com GET /index.php HTTP/1.0
1673-0 470 0/1/1 W 0.01 10 0 0.0 0.00 0.00 118.69.71.191 UserDomain.com GET /index.php HTTP/1.1
1674-0 474 1/2/2 K 0.02 1 16132 0.3 0.00 0.00 119.38.129.43 UserDomain.com GET /index.php HTTP/1.1
1675-0 480 1/2/2 K 0.09 1 15940 0.3 0.00 0.00 113.108.177.66 UserDomain.com GET /index.php HTTP/1.0
1676-0 489 0/2/2 W 0.09 1 0 0.0 0.00 0.00 195.158.101.173 UserDomain.com GET /index.php HTTP/1.1
1677-0 494 0/1/1 W 0.01 10 0 0.0 0.00 0.00 64.31.58.96 UserDomain.com GET /index.php HTTP/1.0
1678-0 497 1/2/2 K 0.03 1 15876 0.3 0.00 0.00 164.78.252.57 UserDomain.com GET /index.php HTTP/1.1
1679-0 504 0/2/2 W 0.03 1 0 0.0 0.00 0.00 109.162.199.76 UserDomain.com GET /index.php HTTP/1.1
1680-0 505 0/2/2 W 0.02 0 0 0.0 0.00 0.00 89.174.186.3 UserDomain.com GET /index.php HTTP/1.1
1681-0 507 1/2/2 K 0.03 1 15847 0.3 0.00 0.00 88.202.124.121 UserDomain.com GET /index.php HTTP/1.1
1682-0 512 0/2/2 W 0.04 1 0 0.0 0.00 0.00 189.17.195.187 UserDomain.com GET /index.php HTTP/1.0
1683-0 515 0/1/1 W 0.01 2 0 0.0 0.00 0.00 116.52.149.60 UserDomain.com GET /index.php HTTP/1.1
1684-0 525 0/2/2 W 0.03 1 0 0.0 0.00 0.00 213.251.187.190 UserDomain.com GET /index.php HTTP/1.0
1685-0 527 1/2/2 K 0.02 1 15850 0.3 0.00 0.00 189.17.195.187 UserDomain.com GET /index.php HTTP/1.0
1686-0 532 1/2/2 W 0.02 2 0 0.3 0.00 0.00 82.200.191.238 UserDomain.com GET /index.php HTTP/1.0
1687-0 538 0/2/2 W 0.03 1 0 0.0 0.00 0.00 189.127.190.211 UserDomain.com GET /index.php HTTP/1.1
1688-0 544 0/1/1 W 0.02 9 0 0.0 0.00 0.00 209.13.158.2 UserDomain.com GET /index.php HTTP/1.0
1689-0 548 0/1/1 W 0.00 9 0 0.0 0.00 0.00 109.162.199.76 UserDomain.com GET /index.php HTTP/1.1
1690-0 555 1/2/2 K 0.03 1 15763 0.3 0.00 0.00 58.147.191.150 UserDomain.com GET /index.php HTTP/1.0
1691-0 559 0/2/2 W 0.00 1 0 0.0 0.00 0.00 80.32.191.8 UserDomain.com GET /index.php HTTP/1.1
1692-0 568 0/2/2 R 0.00 1 15737 0.0 0.00 0.00 ? ? ..reading..
1693-0 570 0/1/1 W 0.02 9 0 0.0 0.00 0.00 186.232.195.13 UserDomain.com GET /index.php HTTP/1.0
1694-0 575 0/2/2 W 0.03 1 0 0.0 0.00 0.00 95.130.56.25 UserDomain.com GET /index.php HTTP/1.1
1695-0 582 1/2/2 K 0.05 1 15730 0.3 0.00 0.00 200.24.206.107 UserDomain.com GET /index.php HTTP/1.0
1696-0 585 0/2/2 R 0.03 1 15709 0.0 0.00 0.00 ? ? ..reading..
1697-0 592 0/2/2 W 0.04 0 0 0.0 0.00 0.00 125.40.181.151 UserDomain.com GET /index.php HTTP/1.1
1698-0 599 0/2/2 W 0.02 1 0 0.0 0.00 0.00 123.125.156.82 UserDomain.com GET /index.php HTTP/1.1
1699-0 607 1/1/1 W 0.06 14 0 0.3 0.00 0.00 202.185.33.14 UserDomain.com GET /index.php HTTP/1.1
1700-0 1104 0/1/1 W 0.01 14 0 0.0 0.00 0.00 77.104.103.242 UserDomain.com GET /index.php HTTP/1.1
1701-0 1110 0/0/0 W 0.00 4 0 0.0 0.00 0.00 60.28.212.184 UserDomain.com GET /index.php HTTP/1.0
The problem is that the attacking IPs are not from the same range, nor is the number of connections high enough for the firewall to detect it.
There are, for example, 4000 connections from 500+ IPs. What do you suggest I do? The only thing that I could do is to block the file that the DDoS is on (index.php), and this way at least server memory and CPU usage are still normal. Only Apache connections are used.
Also, I was on LiteSpeed Enterprise (2 CPU) until yesterday, and there was the same problem with this DDoS too.
-
04-02-2011, 01:49 PM #2Corporate Member
- Join Date
- Feb 2008
- Location
- Houston, Texas, USA
- Posts
- 3,262
You could minimize the attack a bit by converting index.php to index.html like this (make sure that an index.html file doesn't already exist):
1) php index.php > index.html
2) mv index.php index.php.disabled
This should alleviate the burden off the server for a while.
Regards
-
04-02-2011, 01:54 PM #3Temporarily Suspended
- Join Date
- Nov 2010
- Location
- Arizona
- Posts
- 298
Have you tried using ddos deflate?
http://deflate.medialayer.com/
-
04-02-2011, 02:58 PM #4Russ
- Join Date
- Mar 2002
- Location
- Philadelphia, PA
- Posts
- 2,517
Are the requests coming from a common country, i.e. Russia etc.?
If so, you can use CSF to block the country, or use ddoSutil (https://github.com/viGeek/ddoSutil). Using the ddoSutil-geoip.sh package, you would just run:
sh ddoSutil-geoip.sh -c Russia -a 1
-c = country
-a = action (1 to block, 0 to unblock)
In that you could also use the harden script which will limit connections per IP and also implement some sysctl hardening.
As mentioned above, ddos deflate will work as well. It simply grabs the number of connections per IP address; you can then set a threshold to block those over the threshold.
-
04-02-2011, 03:20 PM #5Junior Guru Wannabe
- Join Date
- Mar 2010
- Posts
- 95
I already had ddos deflate installed on my server, but I have set it to block an IP at 250+ connections. This DDoS does not go further than 10-20 connections per IP, and this connection tracking can't detect it.
And I don't think the IPs are from one country. I'll check to see if the IPs are from a specific country and I'll let you know about it.
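An added example, not part of any post in this thread: the posts above describe a flood that stays under a per-IP connection threshold, so this sketch groups busy Apache server-status rows by requested URI instead of by client and reports targets held by many distinct addresses. The function name, the `min_workers` and `min_clients` thresholds, and the sample rows (documentation addresses, `example.test`) are assumptions made for the illustration.

```python
import re
from collections import Counter, defaultdict

# One busy-worker row of Apache's extended server-status table:
# Srv PID Acc M CPU SS Req Conn Child Slot Client VHost Request
ROW = re.compile(
    r"^\d+-\d+\s+\d+\s+\S+\s+[A-Z_.]\s+(?:\S+\s+){6}"
    r"(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<vhost>\S+)\s+"
    r"[A-Z]+\s+(?P<uri>\S+)"
)

def distributed_flood(status_text, per_ip_limit=250, min_workers=8, min_clients=5):
    """Group busy workers by (vhost, URI) and report targets hit by many clients.

    per_ip_limit is the per-address threshold from the thread; min_workers and
    min_clients are assumed values sized for the small sample below.
    """
    targets = defaultdict(Counter)
    for line in status_text.splitlines():
        m = ROW.match(line.strip())
        if m:  # rows such as "? ? ..reading.." carry no client and are skipped
            targets[(m["vhost"], m["uri"])][m["client"]] += 1
    findings = []
    for (vhost, uri), clients in targets.items():
        workers, busiest = sum(clients.values()), max(clients.values())
        if workers >= min_workers and len(clients) >= min_clients:
            findings.append({
                "vhost": vhost, "uri": uri, "workers": workers,
                "clients": len(clients), "busiest_client": busiest,
                # False means a per-IP counter alone would never trigger.
                "per_ip_rule_fires": busiest >= per_ip_limit,
            })
    return findings

# Constructed sample: documentation addresses, not hosts from the thread.
_ips = [f"192.0.2.{n}" for n in range(1, 10)] + ["192.0.2.3"]
SAMPLE = "\n".join(
    f"{1672 + i}-0 {469 + i} 0/2/2 W 0.04 1 0 0.0 0.00 0.00 {ip} "
    "example.test GET /index.php HTTP/1.1"
    for i, ip in enumerate(_ips)
) + (
    "\n1690-0 555 0/1/1 W 0.01 2 0 0.0 0.00 0.00 198.51.100.7 "
    "example.test GET /contact.php HTTP/1.0"
    "\n1692-0 568 0/2/2 R 0.00 1 15737 0.0 0.00 0.00 ? ? ..reading.."
)

if __name__ == "__main__":
    for finding in distributed_flood(SAMPLE):
        print(finding)
```

A finding with `per_ip_rule_fires` set to false is the situation described in this thread: many workers held on one URI while no single address comes near the per-IP limit.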
-
04-02-2011, 04:45 PM #6Junior Guru Wannabe
- Join Date
- Mar 2010
- Posts
- 95
I have blocked these countries' IPs as this link showed, but there is still an attack on my server.
-
04-03-2011, 12:46 AM #7Junior Guru Wannabe
- Join Date
- Mar 2010
- Posts
- 95
I have blocked China and Russia IPs from this link
http://www.parkansky.com/china.htm
but I still have the DDoS; it's almost like a great traffic hit.