  1. #1
    Join Date
    Jan 2008
    Posts
    77

    I'm getting DDoS'd, need serious help

    Hello, I'm new here

    I'm looking for a piece of advice on what I can do, because after 20+ hours I finally give up.

    My resources are constantly at 20% CPU and 70-99% RAM.

    I'm using this command to see which IPs have many connections:

    netstat -na | grep ":80" | awk '{print $5}' | cut -d. -f1-4 | cut -d: -f1 | sort -n| uniq -c | sort -n | tail -5


    OK, here are a "few":
    16 117.9.163.164
    16 222.89.61.14
    17 118.26.182.153
    30 220.136.69.91
    37 222.89.217.240

    ALL CHINESE IPs

    So you might think: simply ban them. I did! But I can ban IPs for 30+ minutes straight and it won't end.


    OK, here are the steps I've done:
    Installed:
    APF (great firewall using iptables) + AntiDos active
    DDoS Deflate (to ban people with more than 10 connections)
    mod_evasive (stopping too many page requests)
    mod_geoip (to ban Chinese IPs)
    mod_security (using GotRoot rules)
    mod_limitipconnect (limiting IPs to one connection/user)



    OK, one example: I want to ban IPs with more than 10 connections (all Chinese) with DDoS Deflate:

    I'll use /path/to/ddos/ddos.sh -k 10

    Here's the log:
    apf(17701): (trust) added deny all to/from 59.61.27.57
    apf(17841): (trust) added deny all to/from 219.137.113.202
    apf(18140): (trust) added deny all to/from 61.57.106.117
    apf(18266): (trust) added deny all to/from 218.79.153.124
    apf(18396): (trust) added deny all to/from 58.247.247.78
    iptables: Resource temporarily unavailable
    apf(19520): (trust) added deny all to/from 125.34.16.100
    iptables: Resource temporarily unavailable
    apf(19693): (trust) added deny all to/from 61.64.19.42
    apf(19795): (trust) added deny all to/from 60.9.18.51
    apf(19908): (trust) added deny all to/from 58.40.104.243
    iptables: Resource temporarily unavailable
    apf(20078): (trust) added deny all to/from 221.235.63.155
    apf(20193): (trust) added deny all to/from 221.197.202.233
    apf(20303): (trust) added deny all to/from 219.77.25.108
    apf(20425): (trust) added deny all to/from 211.161.7.123
    apf(21557): (trust) added deny all to/from 117.9.26.222
    apf(21694): (trust) added deny all to/from 61.231.23.111
    apf(21870): (trust) added deny all to/from 222.76.30.193
    apf(21999): (trust) added deny all to/from 221.225.141.79
    apf(22120): (trust) added deny all to/from 219.157.150.90
    apf(22243): (trust) added deny all to/from 218.87.62.86
    apf(22407): (trust) added deny all to/from 203.204.186.120
    apf(23558): (trust) added deny all to/from 118.232.200.103
    apf(23664): (trust) added deny all to/from 117.13.177.123
    iptables: Resource temporarily unavailable
    apf(23806): (trust) added deny all to/from 221.216.104.190
    apf(23952): (trust) added deny all to/from 124.114.109.233
    apf(24040): (trust) added deny all to/from 123.195.29.61
    apf(24135): (trust) added deny all to/from 61.171.196.138
    apf(24239): (trust) added deny all to/from 221.212.66.102
    iptables: Resource temporarily unavailable
    apf(24310): (trust) added deny all to/from 219.159.146.33
    apf(24441): (trust) added deny all to/from 124.64.242.39
    apf(24556): (trust) added deny all to/from 123.8.27.211
    apf(25669): (trust) added deny all to/from 121.235.252.166
    apf(25844): (trust) added deny all to/from 218.81.55.195


    OK, great, it banned some IPs (note iptables is unavailable, but I have the APF ban active).

    I can do this 100+ times and there are still IPs with more than 10 connections. Maybe I should change the ddos config to iptables ban, but heck, I can't add 500+ IPs to iptables because the server load will dramatically increase.


    ps faux (around 50 nobody processes each eating up 0.1% RAM):

    nobody 5575 0.0 0.1 37356 10376 ? S 06:54 0:00 \_ /usr/local/ap





    Please note that I'm a Linux server newbie, but the modules are all correctly set up except maybe limitipconnect.

    If anyone can help me that would be awesome. I can't think of any other way to fix it and I have no clue why they are DDoSing my server. The hosting staff said they are also brute forcing cPanel, but "\_ /usr/local/ap" doesn't look like cPanel to me.
    Yesterday they might have tried that because I saw something like apache -dssl.


    Thanks,
    Oliver
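An added example, not part of the original post or of any of the tools named in it: the netstat pipeline above counts every line whose foreign address matches, so the LISTEN socket (foreign address 0.0.0.0:*) and TIME_WAIT remnants are mixed into the per-IP totals. The script below counts only ESTABLISHED and SYN_RECV connections to the chosen local port and reports the IPs above a threshold. The netstat output it parses is a constructed sample using documentation addresses; the function names and the threshold are my own choices.

```shell
#!/bin/sh
# Added example (not the poster's own pipeline): count ESTABLISHED/SYN_RECV
# connections to a local port per remote IPv4 address, so LISTEN and TIME_WAIT
# entries do not inflate the counts the way a plain cut-based pipeline does.

# Constructed sample of `netstat -na` output (documentation/test addresses).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             198.51.100.7:51234      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51235      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51236      SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:40001       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.9:40002       TIME_WAIT
tcp        0      0 10.0.0.5:22             192.0.2.44:60000        ESTABLISHED
tcp        0      0 10.0.0.5:80             192.0.2.44:60001        ESTABLISHED'

# count_http_conns PORT < netstat-output
# Prints "<count> <ip>" per remote IP, highest count first.
count_http_conns() {
    port="$1"
    awk -v port="$port" '
        # only IPv4 TCP rows in a state that actually holds a connection
        $1 == "tcp" && ($6 == "ESTABLISHED" || $6 == "SYN_RECV") {
            split($4, la, ":")          # local address "ip:port"
            if (la[2] != port) next     # skip sshd, mail, etc.
            split($5, ra, ":")          # foreign address "ip:port"
            count[ra[1]]++
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -rn
}

# offenders PORT THRESHOLD < netstat-output
# Prints only the IPs whose live connection count exceeds THRESHOLD.
offenders() {
    count_http_conns "$1" | awk -v max="$2" '$1 > max { print $2 }'
}

# Stand-alone usage against the constructed sample. On a live box replace the
# printf with:  netstat -na | count_http_conns 80
printf '%s\n' "$SAMPLE_NETSTAT" | count_http_conns 80
printf '%s\n' "$SAMPLE_NETSTAT" | offenders 80 2
```

With the sample, 198.51.100.7 is counted three times (two ESTABLISHED plus one SYN_RECV), 203.0.113.9 once (its TIME_WAIT socket is ignored) and 192.0.2.44 once (its SSH session is on another port), so with a threshold of 2 only 198.51.100.7 is reported.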

  2. #2
    Join Date
    Nov 2006
    Location
    USA
    Posts
    754
    I'm fairly certain you can use iptables to automatically ban IP addresses that connect multiple times. IIRC the CSF cPanel module allowed this to be quickly configured.

  3. #3
    Join Date
    Jan 2008
    Posts
    77
    Quote Originally Posted by PersonalJihad:
    I'm fairly certain you can use iptables to automatically ban IP addresses that connect multiple times. IIRC the CSF cPanel module allowed this to be quickly configured.
    Yes, I'm using WHM + cPanel, will try to figure out where to configure CSF.

    Hmm, it's just another firewall...
    I already have APF/BFD.



    Thanks,
    Oliver

  4. #4
    Join Date
    Jan 2008
    Location
    Spain|Catalonia|Barcelona
    Posts
    18
    Contact your data center to solve the problem with advance and precision.
    "Security Through Obscurity" Linux most advanced operating system.

  5. #5
    Join Date
    Nov 2004
    Location
    Australia
    Posts
    1,579
    I'd swap APF/BFD for CSF; it's a lot easier to manage with this stuff and it does a better job at blocking. If you upgrade to it, turn on the DShield blocking; that may help too.

  6. #6
    Maybe you need a hardware firewall to protect your server; software cannot prevent a real DDoS.

  7. #7
    Join Date
    Jul 2005
    Posts
    364
    Did you do something that would result in others DDoSing you?

  8. #8
    Join Date
    Oct 2007
    Location
    Vancouver/Hong Kong
    Posts
    1,243
    Quote Originally Posted by Mini:
    Did you do something that would result in others DDoSing you?
    Good question indeed... And what is the nature of your website?
    HostGamma.com | HostGamma Europe | HostGamma Asia
    USA, Canada, Brazil, UK, Netherlands, HK, Taiwan, Korea, Japan, Singapore and more
    Operated by Cycom Hong Kong Limited

  9. #9
    Join Date
    Jul 2004
    Location
    Athens, Greece
    Posts
    203
    Quote Originally Posted by sOliver:
    Maybe I should change the ddos config to iptables ban, but heck, I can't add 500+ IPs to iptables because the server load will dramatically increase.
    What kind of hardware do you use? You shouldn't have much trouble blocking 500 IPs in iptables.

    Alternatively, I'd suggest you ask your provider for help if they offer DDoS filtering or even managed services to harden your server.
    SharkTECH Internet Services
    http://www.sharktech.net
    DDOS Firewalled Dedicated Servers
    Managed Services / IRC Allowed
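An added example, not from the thread and not part of APF, CSF or DDoS Deflate: the two points raised in #2 (let iptables cap repeat connections automatically) and #9 (500 blocked IPs should not hurt) can both be done with stock netfilter. A connlimit rule caps concurrent port-80 connections per source without anyone running a ban script, and an ipset holds the blocked addresses so the whole list costs one iptables rule and one hash lookup instead of 500 linear rules. Set name, limits and the offender list are my own constructed values; applying it needs root, iptables and ipset, so the script prints what it would do unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the thread): block many abusive IPs with a single
# iptables rule via an ipset, plus a connlimit rule that caps concurrent
# port-80 connections per source automatically. Names and limits are mine.

SET_NAME="http_abusers"      # constructed set name
BAN_TTL=1800                 # seconds an entry stays in the set (30 min), then expires
PER_IP_LIMIT=20              # concurrent port-80 connections allowed per source IP
DRY_RUN="${DRY_RUN:-1}"      # 1 = print commands instead of running them

# Constructed offender list (documentation addresses), one IP per line, e.g. the
# output of a per-IP connection count.
OFFENDERS='198.51.100.7
203.0.113.9
192.0.2.44'

# run CMD...: echo the command in dry-run mode, execute it otherwise.
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# build_ipset_restore SET < ip-list
# Emits an `ipset restore` script: create the set once (idempotent with -exist),
# then one add line per IP. Restoring is one operation, unlike hundreds of
# separate iptables -A calls, and entries expire on their own via timeout.
build_ipset_restore() {
    set_name="$1"
    echo "create $set_name hash:ip family inet timeout $BAN_TTL -exist"
    while IFS= read -r ip; do
        [ -n "$ip" ] || continue
        echo "add $set_name $ip timeout $BAN_TTL -exist"
    done
}

# install_rules: one DROP rule referencing the set, plus a per-source connlimit
# cap so a new flood source is throttled before any ban script notices it.
install_rules() {
    run iptables -I INPUT -p tcp --dport 80 -m set --match-set "$SET_NAME" src -j DROP
    run iptables -I INPUT -p tcp --syn --dport 80 -m connlimit \
        --connlimit-above "$PER_IP_LIMIT" --connlimit-mask 32 -j DROP
}

# apply_bans < ip-list: load the set, or show what would be loaded.
apply_bans() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "# would pipe the following into: ipset restore"
        build_ipset_restore "$SET_NAME"
    else
        build_ipset_restore "$SET_NAME" | ipset restore
    fi
}

# Stand-alone usage (dry run by default; DRY_RUN=0 applies for real).
install_rules
printf '%s\n' "$OFFENDERS" | apply_bans
```

Because the set has a timeout, entries age out by themselves, so a script that feeds it every minute only needs to re-add currently offending IPs; and because the rule matches the set rather than individual addresses, adding the 501st IP costs the same as adding the first.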

  10. #10
    Join Date
    Apr 2007
    Location
    Panama
    Posts
    202
    What you need is a DDoS mitigation service from a provider. This is not a cheap service. DDoS mitigation is a technique that covers attack filtering and lots of bandwidth to mitigate flood attacks and let the clean traffic pass through.
    CCIHosting.com - Anonymous Offshore Hosting Solutions with DDoS Protection
    99.9% Uptime and 24x7 Tech Support via Live Chat, Telephone and Tickets
    Skype ccipanama
