I'm getting DDoS'd, need serious help

  #1  
Junior Guru Wannabe
 
Join Date: Jan 2008
Posts: 77


Hello, I'm new here.

I'm looking for a piece of advice on what I can do, because finally after 20+ hours I give up.

My resources are constantly at 20% CPU and 70-99% Resources (RAM).

I'm using this command to see which IP has many connections

netstat -na | grep ":80" | awk '{print $5}' | cut -d. -f1-4 | cut -d: -f1 | sort -n| uniq -c | sort -n | tail -5


OK, here are a "few":
16 117.9.163.164
16 222.89.61.14
17 118.26.182.153
30 220.136.69.91
37 222.89.217.240

ALL CHINESE IPs

So you might think simply ban them... I did! But I can ban IPs for 30+ min straight and it won't end.


Ok here are the steps I've done:
Installed
APF (Great Firewall using iptables) + AntiDos active
DDoS Deflate (To ban people with more than 10 connections)
Mod_evasive (stopping too many page requests)
Mod_GEOIP (to ban chinese IP's)
Mod_security (using GotRoot Rules)
Mod_limitipconnect (Limiting IP's to one connection/user)



OK, one example: I want to ban IPs with more than 10 connections (all Chinese) with DDoS Deflate:

I'll use /path/to/ddos/ddos.sh -k 10

Here's the log
apf(17701): (trust) added deny all to/from 59.61.27.57
apf(17841): (trust) added deny all to/from 219.137.113.202
apf(18140): (trust) added deny all to/from 61.57.106.117
apf(18266): (trust) added deny all to/from 218.79.153.124
apf(18396): (trust) added deny all to/from 58.247.247.78
iptables: Resource temporarily unavailable
apf(19520): (trust) added deny all to/from 125.34.16.100
iptables: Resource temporarily unavailable
apf(19693): (trust) added deny all to/from 61.64.19.42
apf(19795): (trust) added deny all to/from 60.9.18.51
apf(19908): (trust) added deny all to/from 58.40.104.243
iptables: Resource temporarily unavailable
apf(20078): (trust) added deny all to/from 221.235.63.155
apf(20193): (trust) added deny all to/from 221.197.202.233
apf(20303): (trust) added deny all to/from 219.77.25.108
apf(20425): (trust) added deny all to/from 211.161.7.123
apf(21557): (trust) added deny all to/from 117.9.26.222
apf(21694): (trust) added deny all to/from 61.231.23.111
apf(21870): (trust) added deny all to/from 222.76.30.193
apf(21999): (trust) added deny all to/from 221.225.141.79
apf(22120): (trust) added deny all to/from 219.157.150.90
apf(22243): (trust) added deny all to/from 218.87.62.86
apf(22407): (trust) added deny all to/from 203.204.186.120
apf(23558): (trust) added deny all to/from 118.232.200.103
apf(23664): (trust) added deny all to/from 117.13.177.123
iptables: Resource temporarily unavailable
apf(23806): (trust) added deny all to/from 221.216.104.190
apf(23952): (trust) added deny all to/from 124.114.109.233
apf(24040): (trust) added deny all to/from 123.195.29.61
apf(24135): (trust) added deny all to/from 61.171.196.138
apf(24239): (trust) added deny all to/from 221.212.66.102
iptables: Resource temporarily unavailable
apf(24310): (trust) added deny all to/from 219.159.146.33
apf(24441): (trust) added deny all to/from 124.64.242.39
apf(24556): (trust) added deny all to/from 123.8.27.211
apf(25669): (trust) added deny all to/from 121.235.252.166
apf(25844): (trust) added deny all to/from 218.81.55.195


OK, great, banned some IPs (note iptables unavailable, but I have apf ban active).

I can do this 100+ times and there are still IPs with more than 10 connections. Maybe I should change ddos-config to iptables ban, but heck, I can't add 500+ IPs to iptables because the server load will dramatically increase.


PS FAUX (around 50 nobody processes eating up 0,1 RAM)

nobody 5575 0.0 0.1 37356 10376 ? S 06:54 0:00 \_ /usr/local/ap





Please note that I'm a linux server newbie but the modules are all correctly setup except maybe limitipconnect.

If anyone can help me that would be awesome. I can't think of any other way how to fix it and I have no clue why they are ddosing my server. The hosting staff said they are also brute forcing cpanel but "\_ /usr/local/ap" doesn't look like cpanel to me.
Yesterday they might have tried that because I saw something like apache -dssl.


Thanks,
Oliver
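
An added example, not part of the original post: the per-IP count from the `netstat` pipeline above, narrowed to connections whose local port is exactly 80, then turned into a single batch for `ipset restore` so that hundreds of addresses sit behind one iptables rule instead of one rule each. ipset is not mentioned in the thread; its availability, the set name `blocklist_demo` and the sample input (documentation address ranges) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): count connections per remote IP to
# local port 80 and emit one batch for `ipset restore`.

# Constructed sample in `netstat -na` layout (documentation address ranges).
sample_netstat() {
cat <<'EOF'
tcp  0 0 0.0.0.0:80           0.0.0.0:*                 LISTEN
tcp  0 0 192.0.2.10:80        198.51.100.7:41000        ESTABLISHED
tcp  0 0 192.0.2.10:80        198.51.100.7:41001        ESTABLISHED
tcp  0 0 192.0.2.10:80        198.51.100.7:41002        SYN_RECV
tcp  0 0 192.0.2.10:80        198.51.100.7:41003        TIME_WAIT
tcp  0 0 192.0.2.10:80        203.0.113.9:52000         ESTABLISHED
tcp  0 0 192.0.2.10:80        203.0.113.9:52001         ESTABLISHED
tcp  0 0 ::ffff:192.0.2.10:80 ::ffff:203.0.113.9:52002  ESTABLISHED
tcp  0 0 192.0.2.10:80        192.0.2.200:33000         ESTABLISHED
tcp  0 0 192.0.2.10:8080      192.0.2.201:33001         ESTABLISHED
tcp  0 0 192.0.2.10:8080      192.0.2.201:33002         ESTABLISHED
tcp  0 0 192.0.2.10:8080      192.0.2.201:33003         ESTABLISHED
tcp  0 0 192.0.2.10:55000     192.0.2.202:80            ESTABLISHED
EOF
}

# offenders LIMIT: read `netstat -na` lines on stdin and print "count ip"
# for every remote IPv4 address with more than LIMIT connections to local
# port 80. Port 8080 and outbound connections to a remote :80 do not count.
offenders() {
  awk -v limit="$1" '
    $1 ~ /^tcp/ && $4 ~ /:80$/ && $6 != "LISTEN" {
      ip = $5
      sub(/:[0-9]+$/, "", ip)      # drop the remote port
      sub(/^::ffff:/, "", ip)      # unwrap IPv4-mapped IPv6 addresses
      if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) n[ip]++
    }
    END { for (ip in n) if (n[ip] > limit) print n[ip], ip }
  ' | sort -rn
}

# ipset_batch SETNAME: turn "count ip" lines into an `ipset restore` batch.
ipset_batch() {
  echo "create $1 hash:ip"
  awk -v set="$1" '{ print "add " set " " $2 }'
}

# Print the batch for the sample. On a live host (as root) it would be fed
# from `netstat -na` into `ipset restore -exist`, with one matching rule:
#   iptables -I INPUT -m set --match-set blocklist_demo src -j DROP
sample_netstat | offenders 2 | ipset_batch blocklist_demo
```
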



  #2  
Web Hosting Master
 
Join Date: Nov 2006
Location: USA
Posts: 742
I'm fairly certain you can use iptables to automatically ban ip addresses who connect multiple times. IIRC CSF cpanel module allowed this to be quickly configured.

  #3  
Junior Guru Wannabe
 
Join Date: Jan 2008
Posts: 77
Quote:
Originally Posted by PersonalJihad View Post
I'm fairly certain you can use iptables to automatically ban ip addresses who connect multiple times. IIRC CSF cpanel module allowed this to be quickly configured.
Yes I'm using whm+cpanel, will try to figure out where to configure CSF.

Hmm it's just another firewall..
I already have apf/bfd



Thanks,
Oliver

  #4  
Newbie
 
Join Date: Jan 2008
Location: Spain|Catalonia|Barcelona
Posts: 18
Contact your data center for solving the problem, for advance and precision.

__________________
"Security Through Obscurity" Linux most advanced operating system.

  #5  
Web Hosting Master
 
Join Date: Nov 2004
Location: Australia
Posts: 1,529
I'd swap APF/BFD for CSF, it's a lot easier to manage with this stuff and it does a better job at blocking. If you upgrade to it, turn on the Dshield blocking, that may help too.

  #6  
Newbie
 
Join Date: Jan 2008
Posts: 15
Maybe you need a hardware firewall to protect your server; software cannot prevent a real DDoS.

  #7  
Aspiring Evangelist
 
Join Date: Jul 2005
Posts: 364
Did you do something that would result in others DDoSing you?

  #8  
Web Hosting Master
 
Join Date: Oct 2007
Location: Vancouver/Hong Kong
Posts: 1,226
Quote:
Originally Posted by Mini View Post
Did you do something that would result in others DDoSing you?
Good question indeed...And what is the nature of your website...

__________________
HostGamma.com | HostGamma Europe | HostGamma Asia
Global Multi Location Hosting with 18+ Locations Worldwide
We accept: Paypal, Bank Transfer, Alipay, Skrill, 2CO, Webmoney, WU, MG

  #9  
Junior Guru
 
Join Date: Jul 2004
Location: Athens, Greece
Posts: 203
Quote:
Originally Posted by sOliver View Post
Maybe I should change ddos-config to iptables ban but heck I can't add 500+ ip to iptables because the servload will dramatically increase.
What kind of hardware do you use? You shouldn't have much trouble to block 500 IPs in your iptables.

Alternatively, I'd suggest you to ask your provider's help if they provide ddos filtering or even managed services to harden your server.

__________________
SharkTECH Internet Services
http://www.sharktech.net
DDOS Firewalled Dedicated Servers
Managed Services / IRC Allowed


  #10  
Junior Guru
 
Join Date: Apr 2007
Location: Panama
Posts: 200
What you need is a DDoS mitigation service from a provider. This is not a cheap service. DDoS mitigation is a technique that covers attack filtering and lots of bandwidth to mitigate flood attacks and let pass true clean traffic.

__________________
CCIHosting.com - Anonymous Offshore Hosting Solutions with DDoS Protection
99.9% Uptime and 24x7 Tech Support via Live Chat, Telephone and Tickets
Skype jgrodriguez02
