-
01-04-2004, 04:06 PM #1 Junior Guru Wannabe
- Join Date: Feb 2003
- Location: St. Petersburg, Russia
- Posts: 70
Dedicated server with DDoS protection... Where?
One of our customers seems to have some "friends" who love to DDoS his site.
He tried a few shared hostings and has now moved to a dedicated server.
We placed him in SM and added FloodGuard protection on all his IPs.
SM offers FloodGuard as a DoS/DDoS protection solution.
But about a week ago the server was attacked and FloodGuard seems helpless.
I got the following message from SM:
Your server has been under a sustained 50+ MB DoS attack and constant exploit attempts from spoofed sources all over the world for over a week.
Yes, FloodGuard is enabled for all 16 IPs.
It is quite understandable that the site would be slow, given the tremendous pounding it is taking from thousands of attacking DoS and HTTP exploit sources.
Your server is not hardened, and judging from the continuous 7 MB of outbound traffic, your server appears to be compromised.
FloodGuard will ONLY block the inbound DoS traffic. FloodGuard will NOT protect your server from the other malicious traffic that you are seeing on your server, which amounts to about 6.8 - 8.2 MB of malformed web requests, web-stress tools, Apache exploit attempts, directory traversal attempts, memory depletion attempts... etc.
-
01-04-2004, 04:11 PM #2 Web Hosting Master
- Join Date: Jul 2003
- Location: Satyr, Chrisalya, Canada
- Posts: 1,901
It's as simple as they said.
They're protecting you from DoS, but due to your lax security methods, there is other stuff running amok in your server causing the traffic.
-
01-04-2004, 04:15 PM #3 Aspiring Evangelist
- Join Date: Jan 2003
- Location: Wisconsin
- Posts: 367
You should check out www.blccd.com; they specialize in this kind of thing. But if your server is compromised like they claim, you may want to hire an admin as well, as no amount of filtering is going to prevent you from being hacked.
-
01-04-2004, 04:21 PM #4 Junior Guru Wannabe
- Join Date: Feb 2003
- Location: St. Petersburg, Russia
- Posts: 70
The server does not look hacked...
There is no defacement, no logged-in users, no new users, no strange processes and so on. Just a lot of strange traffic to it...
-
01-04-2004, 04:24 PM #5 Taking a break from hosting
- Join Date: Mar 2003
- Location: Charlotte, NC
- Posts: 2,761
You may want to check out HTTPD.net/CIT/Foonet.net, or one of their resellers, such as Sharpnet.net.
-Josh
-
01-04-2004, 04:26 PM #6 Aspiring Evangelist
- Join Date: Jan 2003
- Location: Wisconsin
- Posts: 367
Foonet would auto-null-route the IP, which in turn would take his site completely down.
-
01-04-2004, 04:33 PM #7 Web Hosting Master
- Join Date: Apr 2003
- Posts: 553
Originally posted by sysc
Foonet would auto-null-route the IP, which in turn would take his site completely down.
-
01-04-2004, 05:24 PM #8 Web Hosting Master
- Join Date: Apr 2003
- Location: Ottawa
- Posts: 959
Originally posted by volgafan
The server does not look hacked...
There is no defacement, no logged-in users, no new users, no strange processes and so on. Just a lot of strange traffic to it...
Also, you may wish to enable SYN cookies in your kernel (can help a bit).
-
01-05-2004, 01:35 AM #9 Web Hosting Master
- Join Date: May 2003
- Posts: 1,151
Get the Upstream Provider Involved
You should have the dedicated server provider contact the upstream providers at the data center. The pull-the-plug fix is not really going to help. As stated, the guy has moved to different providers. SYN cookies help only if it's a SYN attack.
Also, you should provide SM (the dedicated server provider) with more info. If they are stating it was hacked and you don't have a backup, then have an experienced security admin have a look at the server. If you have a backup, wipe the server, reinstall with all patches, and don't start any services; if the attack still continues, it's obviously not the server, and SM should really see how they can effectively slow the attack down. FloodGuard must not be working. If prevention of DDoS is something they associate with their pricing, then you should get compensated for the lack of service.
If the attack is big enough or you have enough pull with your upstream provider, they will look at traffic patterns and investigate.
Good Luck
Datums Internet Solutions, LLC
Systems Engineering & Managed Hosting Services
Complex Hosting Consultants
-
01-05-2004, 01:46 AM #10 Problem Solver
- Join Date: Mar 2003
- Location: California USA
- Posts: 13,681
Umm dude, you need to hire an admin to check out your server. Just because there are no odd things going on doesn't mean it's not hacked. They could have used a rootkit to hide all of that. My suggestion to you is to hire an admin.
Steven Ciaburri | Industry's Best Server Management - Rack911.com
Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
-
01-05-2004, 01:48 AM #11 Problem Solver
- Join Date: Mar 2003
- Location: California USA
- Posts: 13,681
Re: Get the Upstream Provider Involved
Originally posted by datums
You should have the dedicated server provider contact the upstream providers at the data center. The pull-the-plug fix is not really going to help. As stated, the guy has moved to different providers. SYN cookies help only if it's a SYN attack.
Also, you should provide SM (the dedicated server provider) with more info. If they are stating it was hacked and you don't have a backup, then have an experienced security admin have a look at the server. If you have a backup, wipe the server, reinstall with all patches, and don't start any services; if the attack still continues, it's obviously not the server, and SM should really see how they can effectively slow the attack down. FloodGuard must not be working. If prevention of DDoS is something they associate with their pricing, then you should get compensated for the lack of service.
If the attack is big enough or you have enough pull with your upstream provider, they will look at traffic patterns and investigate.
Good Luck
He's getting 7 MB of outbound traffic, so either there's a bunch of downloads or something, or the server is attacking another place.
Steven Ciaburri | Industry's Best Server Management - Rack911.com
Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
-
01-05-2004, 02:11 AM #12 Web Hosting Master
- Join Date: May 2003
- Posts: 1,151
The server could be responding to requests = outbound traffic.
Example: let's say there are DNS requests from a spoofed host; then DNS will respond to the requests, and that's outbound traffic without any real hack in place.
Get someone to take a look at the server. If this is too expensive, wipe the server, patch it, stop all services, and if you still see incoming traffic, find out what port it is hitting, whether it is all your addresses, and whether this attack is on a bigger range.
Datums Internet Solutions, LLC
Systems Engineering & Managed Hosting Services
Complex Hosting Consultants
-
01-05-2004, 10:11 AM #13 Web Hosting Master
- Join Date: Dec 2001
- Posts: 5,221
Greetings:
Security has to be done in layers to be most effective.
For Unix-based systems, this should include the following:
* Disable telnet.
* Limit SSH access to specific IP addresses.
* Disable direct root login.
* Remove unnecessary packages / software.
* Harden the kernel against synflood and basic DOS attacks.
* Remove common user access to compilers and fetching software (wget, fetch, lynx, etc.).
* Ensure /tmp is in its own partition with noexec, nosuid.
* Ensure the kernel and software are up to date.
* Remove unnecessary users and groups.
* Install chkrootkit, logwatch, tripwire.
* Install a firewall, and port scan detector.
* For Apache servers, install mod_security and configure for use with FrontPage, PHPMyAdmin, Site Studio, and other H-Sphere applications.
* Secure DNS servers.
* Utilize firewall automation to mitigate brute-force FTP, SYN floods, mail bombs, and out-of-network trojaned servers from impacting our servers.
It is important to note that security is an ongoing venture. Even if you were to take all of the steps listed above, you would still have a regular routine of review, update, research, patch, etc.
Thank you.