-
01-27-2015, 04:08 PM #1Newbie
- Join Date
- Apr 2013
- Posts
- 14
How to prevent SYN/DDoS attacks?
Hi,
We have been getting a lot of attacks since yesterday and they are generating too much traffic on the server.
We are using a 2 CPU LSWS license. The attack is targeting the main page and we are using WordPress.
Our hosting provider did a workaround and put a little referrer check in index.php, but this would not be a real solution in the long term.
Here is our web site: technopat (dot) net
How can we prevent those attacks? Can I use the LSWS Free Anti DDoS service?
Thanks.
-
01-27-2015, 04:20 PM #2WHT Addict
- Join Date
- Mar 2013
- Posts
- 110
You can try and use a software firewall if you manage the server; CSF is something you could try. It's very limited without hardware.
You can also try to find a DDoS protection service, but it gets expensive.
-
01-27-2015, 04:28 PM #3Newbie
- Join Date
- Apr 2013
- Posts
- 14
I have root access to WHM, but is it easy to install CSF? And does it automatically block attacks?
Thanks.
// Also, which DDoS protection service do you recommend and how much do I need to pay?
-
01-27-2015, 04:52 PM #4WHT Addict
- Join Date
- Mar 2013
- Posts
- 110
Possibly ask the provider to install CSF; you can set rules to block IPs after so many connections, sshd brute force, etc. It's a nice protection tool all around. It only takes 3 commands to install it.
http://download.configserver.com/csf/install.txt
As for DDoS Protection, does your provider have any service of such?
If not, you're looking at proxy DDoS protection services.
-
01-27-2015, 05:17 PM #5Newbie
- Join Date
- Apr 2013
- Posts
- 14
I have checked and it looks like they have. Why they didn't offer it, I don't know. I have asked them. Thanks.
-
01-27-2015, 05:29 PM #6WHT Addict
- Join Date
- Mar 2013
- Posts
- 110
Sounds good. Hope it all works out.
-
01-27-2015, 06:39 PM #7Digital Marketing Strategist
- Join Date
- Dec 2011
- Location
- Germany
- Posts
- 1,180
If you say the attack is targeting the main page, I assume it's a layer 7 attack (HTTP flood) and not a SYN attack like the title of this topic suggests? CSF will not help with an HTTP flood. You can set request limits in LSWS, which you should try first and see if that helps. If it doesn't, the easiest way will be to get remote DDoS protection. I can recommend JavaPipe.com, but there are other providers too who could protect you from attacks of that kind. There are also scripts like "BARF" that you can try to block the attack - you could basically just block IPs that request your main page too often within, say, 10 seconds via iptables.
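An added example (not code from any poster in this thread) of the detection logic described above: it counts requests for the main page per source IP in a sliding 10-second window over constructed Apache/LSWS access-log lines and builds the iptables DROP commands for review. The log lines, the 10-second window and the 5-hit threshold are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in Apache/LSWS combined log format (not real traffic).
# 203.0.113.5 hammers "/" six times in five seconds; 198.51.100.7 browses normally.
SAMPLE_LOG = "\n".join([
    '203.0.113.5 - - [27/Jan/2015:16:08:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [27/Jan/2015:16:08:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [27/Jan/2015:16:08:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [27/Jan/2015:16:08:03 +0000] "GET /?p=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [27/Jan/2015:16:08:04 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [27/Jan/2015:16:08:05 +0000] "GET /about/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [27/Jan/2015:16:08:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [27/Jan/2015:16:08:06 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [27/Jan/2015:16:08:25 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
])

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
MAIN_PAGE = ("/", "/index.php")   # the paths being flooded in this thread


def find_main_page_floods(log_text, window_s=10, threshold=5):
    """Return {ip: peak_hits} for IPs that hit the main page at least
    `threshold` times inside any `window_s`-second sliding window."""
    recent = defaultdict(deque)   # ip -> timestamps (seconds) still inside the window
    peak = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # skip malformed lines instead of crashing
        ip, ts, _method, path, _status = m.groups()
        if path.split("?", 1)[0] not in MAIN_PAGE:
            continue                # other pages are not counted here
        t = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").timestamp()
        q = recent[ip]
        q.append(t)
        while t - q[0] > window_s:  # drop hits that fell out of the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


def iptables_drop_rules(offenders, ports="80,443"):
    """Build the iptables commands an admin would review before running them."""
    return [f"iptables -I INPUT -s {ip} -p tcp -m multiport --dports {ports} -j DROP"
            for ip in sorted(offenders)]


if __name__ == "__main__":
    hits = find_main_page_floods(SAMPLE_LOG)
    print(hits)                      # {'203.0.113.5': 6}
    print("\n".join(iptables_drop_rules(hits)))
```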
-
01-27-2015, 06:43 PM #8The Linux Specialist
- Join Date
- Mar 2003
- Location
- /root
- Posts
- 23,981
Specially 4 U
-
01-27-2015, 06:47 PM #9Web Hosting Master
- Join Date
- Feb 2007
- Posts
- 3,666
How large are the attacks?
-
01-27-2015, 07:42 PM #10WHT Addict
- Join Date
- Mar 2013
- Posts
- 110
I understand it doesn't block real DDoS attacks. I was just making a recommendation to him to prevent other methods.
He did say his provider has protection of their own; hopefully that works for him.
-
01-28-2015, 04:11 AM #11Newbie
- Join Date
- Dec 2014
- Posts
- 20
Hi,
Set up a firewall which does Ingress and Egress Filtering at the Gateway.
cd /usr/local/src
wget http://www.configserver.com/free/csf.tgz
tar -zxvf csf.tgz
cd csf
./install.sh
Step 3:
Edit the configuration with your favorite editor, in this case I used vi:
vi /etc/csf/csf.conf
Edit the value from:
TESTING = "1"
to:
TESTING = "0"
Step 4: Restart the service:
/etc/init.d/csf restart
vi /etc/csf/csf.conf
Enable connection tracking (csf.conf values are always double-quoted).
CT_LIMIT is the max number of connections allowed from one IP; you can set this value as per your server requirement.
CT_LIMIT = "100"
Set the connection tracking interval (seconds).
CT_INTERVAL = "30"
If you want to get an email on a possible DDoS attack then enable it.
CT_EMAIL_ALERT = "1"
If you want to make IP blocks permanent then set this to 1, otherwise blocks
will be temporary and will be cleared after CT_BLOCK_TIME seconds.
CT_PERMANENT = "1"
If you opt for temporary IP blocks for CT, then the following is the interval
in seconds that the IP will remain blocked for (e.g. 1800 = 30 mins).
CT_BLOCK_TIME = "1800"
If you only want to count specific ports (e.g. 80,443) then add the ports
to the following as a comma separated list, e.g. "80,443".
CT_PORTS = "80,23,443"
These settings will be enough for DDoS attacks, but if you are still getting attacks even with the above options configured then we can set a few more options.
Step 2: Enable distributed attack detection.
LF_DISTATTACK = "1"
Set the following to the minimum number of unique IP addresses that trigger
LF_DISTATTACK.
LF_DISTATTACK_UNIQ = "2"
Step 3: Enable distributed FTP attack detection.
LF_DISTFTP = "1"
Set the following to the minimum number of unique IP addresses that trigger
LF_DISTFTP. LF_DISTFTP_UNIQ must be <= LF_DISTFTP for this to work.
LF_DISTFTP_UNIQ = "3"
If this option is set to 1 the blocks will be permanent.
If this option is > 1, the blocks will be temporary for the specified number
of seconds.
LF_DISTFTP_PERM = "1"
Step 4: Enable distributed SMTP attack detection.
LF_DISTSMTP = "1"
Set the following to the minimum number of unique IP addresses that trigger
LF_DISTSMTP. LF_DISTSMTP_UNIQ must be <= LF_DISTSMTP for this to work.
LF_DISTSMTP_UNIQ = "4"
If this option is set to 1 the blocks will be permanent.
If this option is > 1, the blocks will be temporary for the specified number
of seconds.
LF_DISTSMTP_PERM = "1"
This is the interval during which a distributed FTP or SMTP attack is
measured.
LF_DIST_INTERVAL = "300"
Install an IDS on your gateway/hosts to alert you when someone tries to sniff in.
(a) wget ftp://ftp.cs.tut.fi/pub/src/gnu/aide-0.7.tar.gz
(b) Untar it
tar -zxvf aide-0.7.tar.gz
(c) cd aide-0.7
(d) Then execute
./configure --with-gnu-regexp
(e) Final steps to install: make; make install
Here is a sample short aide.conf:
# Rule: check permissions, inode, uid, gid, link count, size and md5
Rule = p+i+u+g+n+s+md5
/etc p+i+u+g
/sbin Rule
/usr/local/apache/conf Rule
/var Rule
!/var/spool/.*
!/var/log/.*
After configuring, AIDE should be initialised with all these rules.
For that execute: aide --init
Implement sysctl protection against DDoS
bash# vi /etc/sysctl.conf
Add the below code:
# Enable IP spoofing protection, turn on Source Address Verification
net.ipv4.conf.all.rp_filter = 1
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
Add the below code in /etc/rc.local and restart the network:
# Apply the same settings at boot on every interface
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$f"
done
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
Install mod_dosevasive (mod_evasive) in your Apache.
bash# wget http://www.nuclearelephant.com/proje..._1.10.1.tar.gz
bash# tar -zxvf mod_evasive_1.10.1.tar.gz
bash# cd mod_evasive_1.10.1
bash# $APACHE_ROOT/bin/apxs -iac mod_evasive.c
Don't get scared by the variable "$APACHE_ROOT". It's nothing but a simple variable which stores the location of the Apache installation (e.g. $APACHE_ROOT=/usr/local/apache).
bash# vi /usr/local/apache/conf/httpd.conf
After this add the below code in httpd.conf:
# The IfModule name must match the compiled source file (mod_evasive.c),
# otherwise the directives inside are silently skipped.
<IfModule mod_evasive.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
</IfModule>
bash# /usr/local/apache/bin/apachectl restart
Install mod_security
bash# wget http://www.modsecurity.org/download/...e-1.9.2.tar.gz
bash# tar -zxvf modsecurity-apache-1.9.2.tar.gz
bash# cd modsecurity-apache-1.9.2
bash# /usr/local/apache/bin/apxs -cia mod_security.c
Create a file named mod_security.conf under the folder /usr/local/apache/conf:
bash# vi /usr/local/apache/conf/mod_security.conf
Create the rules with reference to the link http://www.modsecurity.org/documenta...-examples.html
and add them to the mod_security.conf file.
Add the location of mod_security.conf to httpd.conf:
bash# vi /usr/local/apache/conf/httpd.conf
Add the line below:
Include /usr/local/apache/conf/mod_security.conf
bash# /usr/local/apache/bin/apachectl stop
bash# /usr/local/apache/bin/apachectl start
Install DDoS Deflate:
wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh
./install.sh
Script to check the number of connected IPs:
sh /usr/local/ddos/ddos.sh
How to edit the configuration file:
vi /usr/local/ddos/ddos.conf
Edit the paths according to your system:
PROGDIR="/usr/local/ddos"
PROG="/usr/local/ddos/ddos.sh"
IGNORE_IP_LIST="/usr/local/ddos/ignore.ip.list"
CRON="/etc/cron.d/ddos.cron"
APF="/etc/apf/apf"
IPT="/sbin/iptables"
Customize the options and their values as you want:
FREQ=1
# Frequency in minutes in which the script will be executed
NO_OF_CONNECTIONS=150
# Number of connections received to block an IP address of an alleged attacker
APF_BAN=1
# 1 means that DDoS Deflate will use APF to block, 0 means use iptables directly
BAN_PERIOD=600
# Time (in seconds) to block an attacker
EMAIL_TO="root"
# Address to send an email to when someone is banned
KILL=1
# With a 0 value, the attackers won't be banned; 1 is selected by default
Restart DDoS Deflate:
sh /usr/local/ddos/ddos.sh -c
Regards
-
01-28-2015, 05:18 AM #12Web Hosting Master
- Join Date
- Jul 2004
- Posts
- 778
If these are really layer 7 attacks, finding ways to ensure those are not botnets or hacked servers will require a firewall that can detect such characteristics.
This is when a real DDoS mitigation expert can assist you. Installing CSF and enabling cookies can assist to some extent, but at the end of the day the attacker's ultimate goal is to ensure you exhaust all your resources.
-
01-28-2015, 05:24 AM #13WHT Addict
- Join Date
- May 2014
- Posts
- 103
Set up some firewall, or get outsourced DDoS protection, but it will be a bit expensive. Why not get a DDoS protected server?
-
01-28-2015, 05:47 AM #14Newbie
- Join Date
- Apr 2013
- Posts
- 14
We are actually behind a firewall and we are paying for it. But my hosting provider told me that it is not a DDoS attack.
When the attack comes, the load goes up to 169 and multiple instances of the main page are called. We have solved the problem with a very simple referrer script for now:
// Block requests whose Referer is missing or does not mention our own site
if (!isset($_SERVER['HTTP_REFERER']) || strpos($_SERVER['HTTP_REFERER'], 'technopat.net') === false)
{
    exit('<a href="">Giris icin tiklayiniz</a>');
}
-
01-28-2015, 05:59 AM #15Junior Guru
- Join Date
- Mar 2011
- Posts
- 177
I'm not sure if this tool is useful against GET and SYN attacks, but it shouldn't hurt to test it out.
-
01-28-2015, 06:05 AM #16Newbie
- Join Date
- Apr 2013
- Posts
- 14
I think yes. The reason for the title is that I typed what my hosting provider told me. But hey, if they knew the attack type better, they would have solved it by now.
What I saw in WHM was that hundreds of main page instances were being served at the same time and this was generating too much CPU load. It was about 169 load.
-
01-28-2015, 06:06 AM #17Web Hosting Master
- Join Date
- Jul 2004
- Posts
- 778
These are layer 7 attacks where deep inspection is required. There are ways to defend against layer 7 attacks, such as script related ones.
A DDoS provider who can mitigate at layer 7 can analyze the GETs and ensure those are legitimate GETs.
Deflate, CSF and firewalls will not have the ability to distinguish this type of attack.
-
01-28-2015, 06:25 AM #18Newbie
- Join Date
- Apr 2013
- Posts
- 14
OK, after reading some articles about types of attacks I am sure that the attack was of the HTTP layer 7 type, as it was beyond the TCP level and calling web pages, especially the main page, all the time.
Now, I need advice. I was thinking of buying Cloudflare Pro for the beginning, but I really don't think it is enough. Paying $200 for the Business Plan is something that I am not willing to do, as it is like hiring a second server. Nearly the same price.
First of all, I want to use a professional service to investigate the problem. I saw that some of you guys already provide that. I want to buy this service one time. And after the investigation, if needed, I will buy a monthly service as our web site is growing every single day.
Thank you for your help.
-
01-28-2015, 06:28 AM #19Web Hosting Master
- Join Date
- Jul 2004
- Posts
- 778
You'll need to do your research on what providers can do layer 7; a lot can only do layer 3/4, but in your case deep packet inspection is required, which is much more difficult for a lot of DDoS mitigation services out there.
Some may already have dedicated servers you can rent that come with the mitigation, or you will need to utilize some kind of remote GRE.
Cloudflare does not do layer 7; they will mitigate at layer 3/4 protocols in DDoS. I believe you have to go all the way to Enterprise, which is around 4000 USD, for the layer 7 protection.
-
01-28-2015, 07:28 AM #20Newbie
- Join Date
- Apr 2013
- Posts
- 14
Enterprise is too much for me at the moment.
-
01-28-2015, 09:03 AM #21Web Hosting Master
- Join Date
- Apr 2011
- Location
- Cybertron
- Posts
- 10,484
-
01-28-2015, 09:11 AM #22Newbie
- Join Date
- Apr 2013
- Posts
- 14
-
01-31-2015, 12:41 PM #23Newbie
- Join Date
- Apr 2013
- Posts
- 14
I have bought the Sucuri CloudProxy Firewall and started using it. I think it should take some time for all the DNS servers to get updated, right?
Thanks.
-
01-31-2015, 01:26 PM #24Web Hosting Master
- Join Date
- May 2006
- Posts
- 873
You need also to filter all the traffic to the real IP while listening only to the packets coming from the proxy... as attackers already know your real IP address...
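An added example (not code from the poster) of the origin lockdown described above: given the address ranges published by the proxy, it generates iptables/ip6tables rules that accept web traffic only from those ranges and drop everything else aimed at the web ports, and it checks whether a given source would still get through. The ranges here are constructed placeholders; the real list comes from the proxy provider, and the rules assume no earlier ACCEPT rule for those ports already exists in the INPUT chain.

```python
import ipaddress

# Constructed placeholder ranges (documentation prefixes); replace them with the
# address ranges published by your proxy/WAF provider.
PROXY_RANGES = ["192.0.2.0/24", "198.51.100.128/25", "2001:db8:cafe::/48"]
WEB_PORTS = "80,443"


def parse_ranges(ranges):
    """Validate the ranges up front; a typo here would silently open or close the origin."""
    return [ipaddress.ip_network(r, strict=True) for r in ranges]


def allowed_source(src, ranges=PROXY_RANGES):
    """True if a connection from src would still reach the web ports after lockdown."""
    ip = ipaddress.ip_address(src)
    return any(ip.version == net.version and ip in net for net in parse_ranges(ranges))


def origin_lockdown_rules(ranges=PROXY_RANGES, ports=WEB_PORTS):
    """Build the rule list in the order it must be applied: accept the proxy
    ranges first, then drop everything else that targets the web ports.
    Rules for other services (SSH, mail, ...) are left untouched, and the
    rules assume nothing earlier in INPUT already accepts these ports."""
    rules = []
    for net in parse_ranges(ranges):
        tool = "iptables" if net.version == 4 else "ip6tables"
        rules.append(f"{tool} -A INPUT -s {net} -p tcp -m multiport --dports {ports} -j ACCEPT")
    for tool in ("iptables", "ip6tables"):
        rules.append(f"{tool} -A INPUT -p tcp -m multiport --dports {ports} -j DROP")
    return rules


if __name__ == "__main__":
    print("\n".join(origin_lockdown_rules()))
    # An attacker who learned the origin IP is now dropped unless they come via the proxy:
    print(allowed_source("192.0.2.77"), allowed_source("203.0.113.9"))   # True False
```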
-
01-31-2015, 01:31 PM #25Newbie
- Join Date
- Apr 2013
- Posts
- 14