  1. #1

    A very short how-to for terminating the current type of SYN-flood attack

    We have had a SYN flood on three of our customers' servers and have also read many posts here about SYN-flood attacks. After a few experiments I am posting here a simple recipe for terminating the current type of SYN-flood attack in a few easy steps. This is a simple but effective way and it does not require any hardware, software, experience, etc.

    1) If your Apache goes down, check what's going on with the command:

    netstat -na | grep :80

    If you see many SYN_RECV connections, congratulations, you have a flood attack.

    2) In the previous step you can see which IP address is targeted. You will need to remove it (see the next steps).

    3) Use the command

    tcpdump -npi eth0 port domain

    (This is the command for Linux systems; on other systems the command switches may be different. Read the manual.)

    and check which of the domains on the above IP is requested most frequently. This may be hard for a novice, but after around 10-15 minutes you will find the targeted domain.

    4) Remove this domain from your server; it will be best if you also change the nameservers for this domain in the registrar control panel to something false.

    5) Remove the targeted IP and give a new IP to the other domains which were assigned to this IP earlier.

    6) The removed IP will be continuously attacked, but because you deleted it on the server and have no sites on it, you will not have any problem.

    If you have a few targeted domains, repeat this procedure again (it will be best if you remove all malicious domains simultaneously at step 4).

    That's all. You will terminate the DDoS within half an hour.
    TK Rustelekom LLC Dedicated server since 2002, RIPE NCC member, LIR
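    The counting that steps 1 and 3 above do by eye, as an added example that is not part of the original post: two small awk helpers that tally SYN_RECV entries per local ip:port from netstat output and DNS queries per name from tcpdump output, so the busiest target shows up at the top of a list instead of having to be spotted in a scrolling capture. The sample netstat and tcpdump lines are constructed (RFC 5737 test addresses, not a real capture); the column layouts assume Linux `netstat -na` and tcpdump's default `-n` one-line DNS output; the function names are my own.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes Linux `netstat -na` column
# order (Proto Recv-Q Send-Q Local Foreign State) and tcpdump's default `-n`
# one-line DNS output ("... 1001+ A? name. (34)").

# Constructed sample of `netstat -na | grep :80` output (not a real capture).
SAMPLE_NETSTAT='tcp        0      0 192.0.2.10:80     198.51.100.7:51234   SYN_RECV
tcp        0      0 192.0.2.10:80     198.51.100.8:51235   SYN_RECV
tcp        0      0 192.0.2.11:80     203.0.113.5:40001    ESTABLISHED
tcp        0      0 192.0.2.11:80     198.51.100.9:51240   SYN_RECV
tcp        0      0 192.0.2.10:80     198.51.100.9:51236   SYN_RECV'

# Constructed sample of `tcpdump -npi eth0 port domain` output (not a real capture).
SAMPLE_TCPDUMP='12:00:01.000001 IP 198.51.100.7.51234 > 192.0.2.10.53: 1001+ A? attacked.example. (34)
12:00:01.000002 IP 198.51.100.8.51235 > 192.0.2.10.53: 1002+ A? attacked.example. (34)
12:00:01.000003 IP 203.0.113.5.40001 > 192.0.2.10.53: 1003+ MX? other.example. (31)
12:00:01.000004 IP 198.51.100.9.51236 > 192.0.2.10.53: 1004+ A? attacked.example. (34)
12:00:01.000005 IP 192.0.2.10.53 > 198.51.100.7.51234: 1001 1/0/0 A 192.0.2.10 (50)
12:00:01.000006 IP 198.51.100.6.51230 > 192.0.2.10.53: 1005+ AAAA? nothosted.example. (35)'

# Step 1: count SYN_RECV entries per local ip:port. Reads netstat output on
# stdin and prints "count local_ip:port", busiest first.
syn_recv_by_local() {
    awk '$6 == "SYN_RECV" { c[$4]++ } END { for (k in c) print c[k], k }' | sort -rn
}

# Step 3: count DNS queries per name. Reads tcpdump output on stdin; a query line
# carries a "TYPE?" token (A?, AAAA?, MX?, ...) followed by the name, so only those
# are counted and answer lines are skipped. Prints "count name", most requested first.
dns_queries_by_name() {
    awk '{
        for (i = 1; i < NF; i++)
            if ($i ~ /^[A-Z0-9]+\?$/) { q = $(i + 1); sub(/\.$/, "", q); c[q]++ }
    } END { for (k in c) print c[k], k }' | sort -rn
}

# Wrappers over the constructed samples so the top result can be checked directly.
top_syn_target() { printf '%s\n' "$SAMPLE_NETSTAT" | syn_recv_by_local | head -n 1; }
top_dns_name()   { printf '%s\n' "$SAMPLE_TCPDUMP" | dns_queries_by_name | head -n 1; }

# Live use (sort only prints at end of input, so bound the capture with -c):
#   netstat -na | grep :80 | syn_recv_by_local
#   tcpdump -npi eth0 -c 5000 port domain | dns_queries_by_name
```

    The `-c 5000` bound matters because `sort` holds everything until its input closes; an unbounded `tcpdump` pipeline would never print. Domains that appear in the list but are not on the server are expected, as the later replies note, and can simply be ignored when picking which zone to move.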

  2. #2
    I get a bunch of requests for nameservers that aren't even on the server when I run tcpdump -npi eth0 port domain.
    Is that OK? Or could that be the attack?
    Eleven2 Web Hosting - World-Wide Hosting, Done Right!

  3. #3
    Yes, very good idea,
    but what if that IP address is the main shared IP?!
    It's easy to remove that IP?

  4. #4
    Artin,

    For that, never use the main IP as the shared IP!
    Synergy Blue LLC
    SonataWeb.net | SynergyBlue.com
    USA should do something about: http://www.brillig.com/debt_clock/

  5. #5
    Yes, we also see many requests to domains which were never hosted on our servers. It's OK; just select which of the domains from the list shown by tcpdump you have on your server.

    Assigning ALL sites to one IP is a bad idea. But you can easily change it to another. Usually this may take from a few minutes to a few hours. This depends on the settings in the domain zone files.

    And, yes, if you assign sites to one MAIN IP it may require some experience from you, and you should also check how your DC routes your IP set. In most cases changing the server's main IP shouldn't create problems and you only need to be careful and experienced in doing this (otherwise you may lose your network settings and your server will be inaccessible from the network).
    After changing the main IP, removing or adding new IPs shouldn't affect the network setup and you don't need to worry about this.
    TK Rustelekom LLC Dedicated server since 2002, RIPE NCC member, LIR

  6. #6
    Originally posted by SJRHosting.com
    I get a bunch of requests for nameservers that aren't even on the server when I run tcpdump -npi eth0 port domain.
    Is that OK? Or could that be the attack?
    If you see domains which you don't have on the server, check their whois data. Maybe your own or your reseller's nameservers are indicated for these domains. Most likely you will find something. If not, try checking the domain with the "dig domain" command.

    TK Rustelekom LLC Dedicated server since 2002, RIPE NCC member, LIR

  7. #7
    I'm getting DDoSed and have been on and off for the past month; my current server techs don't seem to be able to figure out which account is being targeted, and neither can I.

    Can anyone recommend a good tech who is good at this sort of thing?

  8. #8
    There is a tip on this, it is only in APF :-)

    Specially 4 U
    Reseller Hosting: Boost Your Websites | Fully Managed KVM VPS: 3.20 - 5.00 Ghz, Pure Dedicated Power
    JoneSolutions.Com is on the net 24/7 providing stable and reliable web hosting solutions, server management and services since 2001
    Debian|Ubuntu|cPanel|DirectAdmin|Enhance|Webuzo|Acronis|Estela|BitNinja|Nginx

  9. #9
    What?.. I have APF installed.
