
06-30-2005, 11:58 PM
|
|
Web Hosting Guru
|
|
Join Date: Dec 2004
Posts: 258
|
|
Hi! My DC doesn't have special equipment for defence from DDoS attacks. But they tell me that they can do something with the IP that limits the opportunity for a DDoS attack. What do you know about that?
Thanks!!!
|

07-01-2005, 12:03 AM
|
|
Carpe Diem
|
|
Join Date: Jul 2003
Location: Connecticut
Posts: 3,038
|
|
Not sure exactly what you're asking but generally most DC's will simply block or nullroute the IP or range that is getting attacked..
|

07-01-2005, 01:01 AM
|
|
Web Hosting Guru
|
|
Join Date: Dec 2004
Posts: 258
|
|
Quote:
Originally posted by X-Gaming
Not sure exactly what you're asking but generally most DC's will simply block or nullroute the IP or range that is getting attacked..
|
Yes! I think we are talking about the same thing (nullroute the IP). Does it really help when a DDoS attack is coming?
Thanks!
|

07-01-2005, 01:30 AM
|
|
Aspiring Evangelist
|
|
Join Date: Mar 2005
Posts: 399
|
|
That also means your server gets kicked offline... Nullrouting means blocking all access to that IP, which in your case would be your server.
|

07-01-2005, 01:37 AM
|
|
Web Hosting Guru
|
|
Join Date: Dec 2004
Posts: 258
|
|
Quote:
Originally posted by Servax
That also means your server gets kicked offline... Nullrouting means blocking all access to that IP, which in your case would be your server.
|
So this needs to be done only when a DDoS attack has started???
|

07-01-2005, 01:37 AM
|
|
Carpe Diem
|
|
Join Date: Jul 2003
Location: Connecticut
Posts: 3,038
|
|
Yes that is correct.
Kinda hard to run a server that's unplugged
|

07-01-2005, 01:41 AM
|
|
Web Hosting Guru
|
|
Join Date: Dec 2004
Posts: 258
|
|
OK. Thanks to all.
How do you understand that your server is under a DDoS attack?
|

07-01-2005, 01:44 AM
|
|
Aspiring Evangelist
|
|
Join Date: Mar 2005
Posts: 399
|
|
Well, if your server load is really high.. (Around load averages of 100.00 + depending on your traffic and what you're doing) then yeah you're under attack.. It can also appear to apache as lots of threads as "?" in the status window for it.
|

07-01-2005, 02:44 AM
|
|
Junior Guru Wannabe
|
|
Join Date: Jun 2005
Posts: 99
|
|
Dropping ICMP packets and rejecting certain known IPs where the DDoS is coming from could help reduce the attack. Most DDoS comes with ICMP floods, TCP floods or thousands of HTTP requests. But it is just my 2 cents.
Many evils are utilizing IRC servers to build their botnets. They send out the programs to the victims via email or web download links. And if the victim has successfully installed the program (drone/zombie), that computer will connect to a certain IRC server with a fixed channel owned by the evil. The master there can control all of the drones in that channel. Thousands of drones have been made using IE bugs, IIS flaws and DCOM bugs. An effective botnet could easily kick the server offline within a few hours.
|

07-01-2005, 02:58 AM
|
|
Aspiring Evangelist
|
|
Join Date: Mar 2005
Posts: 399
|
|
Quote:
Originally posted by erictanjj
Dropping ICMP packets and rejecting certain known IPs where the DDoS is coming from could help reduce the attack. Most DDoS comes with ICMP floods, TCP floods or thousands of HTTP requests. But it is just my 2 cents.
Many evils are utilizing IRC servers to build their botnets. They send out the programs to the victims via email or web download links. And if the victim has successfully installed the program (drone/zombie), that computer will connect to a certain IRC server with a fixed channel owned by the evil. The master there can control all of the drones in that channel. Thousands of drones have been made using IE bugs, IIS flaws and DCOM bugs. An effective botnet could easily kick the server offline within a few hours.
|
Yeah, using the command:
iptables -I INPUT -s IP -j DROP
That would make your server drop anything coming from that IP, best way in my opinion to stop an offending IP from even touching your server.
|

07-01-2005, 03:12 AM
|
|
Web Hosting Master
|
|
Join Date: Aug 2000
Location: Sheffield, South Yorks
Posts: 3,286
|
|
Of course you do realise what you've suggested would be useless under a DDoS situation? By the time iptables can do anything, the packets have already got to the server, and are going to eat up CPU time by virtue of iptables and overload the box, or already have completely flooded the server's network connection.
|

07-01-2005, 03:15 AM
|
|
Aspiring Evangelist
|
|
Join Date: Mar 2005
Posts: 399
|
|
You could always shut down apache and see what's on "time_wait" then ban them. It's always seemed to work for me, even when the server load was around averages of 500.00 (It was a Dual Xeon Box).
|

07-01-2005, 05:35 AM
|
|
Web Hosting Master
|
|
Join Date: Sep 2000
Posts: 1,003
|
|
Quote:
Originally posted by Servax
You could always shut down apache and see what's on "time_wait" then ban them. It's always seemed to work for me, even when the server load was around averages of 500.00 (It was a Dual Xeon Box).
|
Interesting. Can you tell me what commands I would type to see what's on "time_wait" and identify potential DOSers? I'd like to do more than tail my logs when I suspect a DOS.
|

07-01-2005, 05:44 AM
|
|
Aspiring Evangelist
|
|
Join Date: Mar 2005
Posts: 399
|
|
I just run:
netstat -an | grep :80
And if I see a lot of connections from an IP (20+) then I copy the IP somewhere in notepad or whatnot. Then after that I just run the command to tell the server to drop the connections coming from the IP(s).
My way must be bitch work, but hey it works.. And if you want.. You could always do a whois record on it and then report it to the ISP..
|
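Added example (not part of any post in this thread): the manual `netstat -an | grep :80` check described above, and the "time_wait" inspection mentioned earlier, as a shell function that counts connections per remote IP to a local port and lists the IPs at or above a threshold. The function names and the sample lines (documentation address ranges) are constructed for illustration; the threshold of 20 is the figure from the post, and the Linux net-tools column layout is assumed.

```shell
#!/bin/sh
# Added example: per-IP connection counts from `netstat -an` output.
# Assumes the Linux net-tools layout: proto recv-q send-q local remote state

# top_talkers PORT THRESHOLD   (reads netstat -an output on stdin)
# Prints "connections ip time_wait_count" for each remote IP at or above
# THRESHOLD, highest count first.
top_talkers() {
    awk -v port="$1" -v min="$2" '
        $1 ~ /^tcp/ && NF >= 6 {
            n = split($4, l, ":")
            if (l[n] != port) next        # exact local port, so :8080 is ignored
            if ($6 == "LISTEN") next      # the listening socket is not a client
            remote = $5
            sub(/:[0-9*]+$/, "", remote)  # strip the remote port
            sub(/^::ffff:/, "", remote)   # IPv4-mapped IPv6 form
            count[remote]++
            if ($6 == "TIME_WAIT") tw[remote]++
        }
        END {
            for (ip in count)
                if (count[ip] >= min) print count[ip], ip, tw[ip] + 0
        }' | sort -rn
}

# Constructed sample input (documentation address ranges), not real traffic.
sample_netstat() {
    echo "tcp        0      0 0.0.0.0:80          0.0.0.0:*             LISTEN"
    i=0
    while [ "$i" -lt 25 ]; do
        echo "tcp        0      0 192.0.2.10:80       203.0.113.7:$((40000 + i))     TIME_WAIT"
        i=$((i + 1))
    done
    echo "tcp        0      0 192.0.2.10:80       198.51.100.4:51000    ESTABLISHED"
    echo "tcp        0      0 192.0.2.10:8080     198.51.100.9:51001    ESTABLISHED"
    echo "tcp        0      0 192.0.2.10:44321    198.51.100.20:80      ESTABLISHED"
}

# On a live server: netstat -an | top_talkers 80 20
sample_netstat | top_talkers 80 20
```

Unlike a plain `grep :80`, this matches only the local port, so `:8080` and outbound connections to a remote port 80 are not counted. A high count can also be a NAT gateway or proxy with many legitimate users behind it.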

07-01-2005, 05:59 AM
|
|
Web Hosting Master
|
|
Join Date: Sep 2000
Posts: 1,003
|
|
Quote:
Originally posted by Servax
I just run:
netstat -an | grep :80
|
Oh I do that as well.  Thanks,
|