Sponsored Links

papaja · #1 03-23-2009, 01:17 PM

Hello,
I'm small hosting provider. On one dedicated server I have around 100 cPanel accounts.

That server is under constant, although not powerful DoS attack.

Since my company domain is not targeted on another server I believe that it is not me but one of my customers that attack is against.

Is there a way, tool, service provider than can help me pin down which account is being hit?

All accounts are on server main shared IP.

Would spreading them on another IPs help? Or would I still see attacks only on main shared IP?

Thanks.

datarealm · #2 03-23-2009, 08:02 PM

To start with you could check the web logs for the sites on the server to see if a particular site has a disproportionately large log file. If that's the case, check the logs to see what's going on.

If they are not targeting a particular web site, use tcpdump to check some of the traffic coming to the box. If there is a large amount of traffic from a particular source you could drop the data with iptables, or ask your upstream to block it for you.

LoganNZ · #3 03-23-2009, 08:43 PM

I doubt its a constant ddos attack, i would say its a script or user account which is using resources.

papaja · #4 03-24-2009, 06:38 AM

I'm using netstat -anp | grep 'tcp\|udp' | sed -n -e '/[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}/p' | awk '{print$5}' | sed 's/::ffff://' | cut -d: -f1 | sort | uniq -c | sort -n

to check number of connections from particular IPs. I see IPs from Brazil, Russia, Peru, Mozambique, Vietnam... spawning hundreds of connections. Those are countries that most likely are not interested nor can understand content on my client's sites... so I think it is attack.

Anyway, if you can help me confirm your statement, I'll try it since I'm new in this and can be wrong.

chaosuk · #5 03-24-2009, 12:49 PM

i have been working on this with him, you wont find anything in the logs because the connection is never fully completed and therefore there is no access logs. He has this attack under control for the time being and once we find the intended target it will be very easy to stop it.

vpsville · #6 03-24-2009, 08:05 PM

You can temporarily block the origin IP's, the attack will go away after a few days and you can remove the blocks then.

hostingheaven · #7 03-24-2009, 10:02 PM

Snort will help you here.

http://www.snort.org/

canubeat · #8 03-25-2009, 01:06 AM

You can block those attacks little bit ( not fully) using

Defeating Traffic Flooders
PHP DoS Shield

Try using tweety1.0

Sponsored Links

Advertise Here