08-03-2005, 07:33 PM #1 | Hosting provider | Join Date: May 2002 | Location: Moscow | Posts: 1,602
A very little how-to for terminating the current type of SYN flood attack
We have a SYN flood on three of our customer servers and have also read many posts here about SYN flood attacks. After a few experiments I post here a simple recipe for terminating the current type of SYN flood attack in a few easy steps. This is a simple but effective way and it does not require any hardware, software, experience, etc.
1) If your Apache goes down, check what is going on with the command:
netstat -na | grep :80
If you see many SYN_RECV connections - congratulations, you have a flood attack.
2) In the previous step you may see which IP address is targeted. You will need to remove it (see the next step).
3) Use the command
tcpdump -npi eth0 port domain
(this is the command for a Linux system; on other systems the command switches may be different, read the manual)
and check which of the domains on the above IP is requested most frequently. This may be hard for a novice, but after around 10-15 minutes you will find the targeted domain.
4) Remove this domain from your server, and it will be best if you change the nameservers for this domain in the registrar control panel to something false.
5) Remove the targeted IP and give a new IP to the other domains which were assigned to this IP earlier.
6) The removed IP will continue to be attacked, but because you deleted it on the server and don't have any site on it, you will not have any problem.
If you have a few targeted domains, repeat this procedure again (it will be best if you remove all malicious domains simultaneously in step 4).
That's all. You will terminate the DDoS within half an hour.
TK Rustelekom LLC Dedicated server since 2002, RIPE NCC member, LIR
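Steps 1 and 3 of the recipe above, as an added example that is not part of the original post: two shell functions that count SYN_RECV sockets per local address:port from `netstat -na` output, and count DNS queries per hosted domain from `tcpdump -npi eth0 port domain` output, so the targeted IP and domain show up at the top instead of having to be eyeballed for 10-15 minutes. The netstat and tcpdump lines are constructed samples, and the space-separated hosted-domain list is an assumption about how you list your zones.

```shell
#!/bin/sh
# Constructed sample of `netstat -na` output (documentation-range addresses, not a real host).
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:40211      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.9:40299      SYN_RECV
tcp        0      0 192.0.2.11:80           203.0.113.5:51000       ESTABLISHED
tcp        0      0 192.0.2.11:80           198.51.100.3:51001      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.12:40320     SYN_RECV'

# Constructed sample of `tcpdump -npi eth0 port domain` output (query names are made up).
DNS_SAMPLE='12:00:01.000001 IP 198.51.100.7.33012 > 192.0.2.53.53: 41234+ A? shop.example. (30)
12:00:01.000120 IP 198.51.100.9.41500 > 192.0.2.53.53: 8812+ A? shop.example. (30)
12:00:01.000300 IP 203.0.113.5.55001 > 192.0.2.53.53: 1201+ MX? blog.example. (30)
12:00:01.000410 IP 198.51.100.12.33900 > 192.0.2.53.53: 5+ A? shop.example. (30)
12:00:01.000500 IP 203.0.113.77.33901 > 192.0.2.53.53: 99+ A? notours.example. (33)'

# Step 1: count half-open (SYN_RECV) sockets per local address:port, busiest first.
# Prints "<count> <local address:port>" so the targeted IP stands out.
syn_recv_by_local() {
  printf '%s\n' "$1" |
    awk '$6 == "SYN_RECV" { c[$4]++ } END { for (k in c) print c[k], k }' |
    sort -rn
}

# Step 3: count DNS queries per name, keeping only names in the hosted-domain list
# (second argument, space separated; assumed format). Queries for domains you do
# not host are ignored, which is what post #5 below recommends.
top_queried_hosted() {
  printf '%s\n' "$1" |
    awk -v hosted="$2" '
      BEGIN { n = split(hosted, h, " "); for (i = 1; i <= n; i++) keep[h[i]] = 1 }
      {
        # tcpdump prints the query type with a trailing "?" (A?, MX?) and then the name
        for (i = 1; i < NF; i++) if ($i ~ /[?]$/) {
          name = $(i + 1); sub(/[.]$/, "", name)
          if (name in keep) c[name]++
        }
      }
      END { for (k in c) print c[k], k }' |
    sort -rn
}

# On a live host, feed the real output instead of the samples:
#   syn_recv_by_local "$(netstat -na | grep :80)"
#   top_queried_hosted "$(timeout 60 tcpdump -nl -i eth0 port domain)" "shop.example blog.example"
syn_recv_by_local "$NETSTAT_SAMPLE"
top_queried_hosted "$DNS_SAMPLE" "shop.example blog.example"
```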
08-03-2005, 08:36 PM #2 | Web Hosting Master | Join Date: Feb 2005 | Posts: 1,358
I get a bunch of requests for nameservers that aren't even on the server when I run tcpdump -npi eth0 port domain
Is that ok? Or could that be the attack?
Eleven2 Web Hosting - World-Wide Hosting, Done Right!
08-04-2005, 03:34 AM #3 | Web Hosting Master | Join Date: Jul 2004 | Posts: 873
Yes, very good idea.
But if that IP address is the main shared IP!?
It's easy to remove that IP,
08-04-2005, 04:19 AM #4 | Web Hosting Master | Join Date: Jul 2002 | Posts: 1,443
Artin,
For that, never use the main IP as the shared IP!
Synergy Blue LLC
SonataWeb.net | SynergyBlue.com
USA should so something about: http://www.brillig.com/debt_clock/
08-04-2005, 04:44 AM #5 | Hosting provider | Join Date: May 2002 | Location: Moscow | Posts: 1,602
Yes, we also see many requests for domains which were never hosted on our servers. It's ok. Just select which of the domains you have on the server from the list shown by tcpdump.
Assigning ALL sites to one IP is a bad idea. But you may easily change it to another. Usually this may take from a few minutes to a few hours. This depends on the settings in the domain zone files.
And yes, if you assign sites to one MAIN IP it may require some experience from you, and you should also check how your DC routes your IP set. In most cases changing the server's main IP shouldn't create a problem, and you only need to be careful and experienced when doing this (otherwise you may lose your network settings and your server will be inaccessible from the network).
After changing the main IP, removing or adding new IPs shouldn't affect the network setup and you don't need to worry about this.
TK Rustelekom LLC Dedicated server since 2002, RIPE NCC member, LIR
08-04-2005, 04:50 AM #6 | Hosting provider | Join Date: May 2002 | Location: Moscow | Posts: 1,602
Originally posted by SJRHosting.com
I get a bunch of requests for nameservers that aren't even on the server when I run tcpdump -npi eth0 port domain
Is that ok? Or could that be the attack?
TK Rustelekom LLC Dedicated server since 2002, RIPE NCC member, LIR
09-04-2005, 03:28 AM #7 | Newbie | Join Date: Jan 2003 | Posts: 27
I'm getting DDoSed, and it has been on and off for the past month; my current server techs don't seem to be able to figure out what account is being targeted, and neither can I.
Can anyone recommend a good tech that is good at this sort of thing?
09-04-2005, 06:26 AM #8 | The Linux Specialist | Join Date: Mar 2003 | Location: /root | Posts: 23,990
There is a tip on this, but it is only in APF :-)
Specially 4 U
Reseller Hosting: Boost Your Websites | Fully Managed KVM VPS: 3.20 - 5.00 Ghz, Pure Dedicated Power
JoneSolutions.Com is on the net 24/7 providing stable and reliable web hosting solutions, server management and services since 2001
Debian|Ubuntu|cPanel|DirectAdmin|Enhance|Webuzo|Acronis|Estela|BitNinja|Nginx
09-04-2005, 07:31 AM #9 | Newbie | Join Date: Jan 2003 | Posts: 27
What? I have APF installed.