Thread: How to detect a DDoS attack?
-
05-19-2009, 09:21 AM #1 Newbie
- Join Date
- Apr 2009
- Posts
- 17
How to detect a DDoS attack?
Hi, is there any proven method to determine what kind of attack you are under? Our server has been under attack for more than a day now, but so far we have not been able to find out what kind of attack it is exactly. The server maintenance company we are using says it's a DDoS attack, but they don't say how they found this out. Also, they are not telling us what kind of DDoS attack it is.
Many thanks,
Torsten
-
05-19-2009, 09:42 AM #2 Junior Guru Wannabe
- Join Date
- Mar 2009
- Posts
- 75
Using the netstat command we can get a clear picture of how many connections are being established from different IPs. If there is a large number of connections being established to the server from any particular external IP, you can block the IP. Also, a DDOS can occur where the connections are from different IPs; if that is the case, the best solution is to enable a hardware firewall if your host provides it.
-
05-19-2009, 09:58 AM #3 Newbie
- Join Date
- Sep 2008
- Posts
- 15
You can use the netstat command below to get the number of connections from each IP:
netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
If it is a minor attack, you can prevent it by using mod_evasive or DDoS Deflate. In the case of major attacks, your software firewall might not help much. In that case, keep your server behind a h/w firewall.
Hope this helps.
Ben
-
05-19-2009, 10:07 AM #4 Newbie
- Join Date
- Apr 2009
- Posts
- 17
Hi Ben,
You can see our log files here: http://pdf.grovs.de/ddos_attack.html
How massive is this attack?
Torsten
-
05-19-2009, 10:17 AM #5 Newbie
- Join Date
- Sep 2008
- Posts
- 15
Torsten,
It depends on the number of connections from the IPs. And this might be due to the use of a vulnerable PHP script by a user on your server.
Ben
-
05-19-2009, 10:25 AM #6 Newbie
- Join Date
- Apr 2009
- Posts
- 17
Hi Ben, did you look at our stats?
-
05-19-2009, 01:06 PM #7 Web Hosting Guru
- Join Date
- Jun 2008
- Location
- India
- Posts
- 266
/bin/netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n | \
grep -v 127.0.0.1 | awk '{if ($1 > 45) print $2;}' > /tmp/IPS
tail -1000 /var/log/exim_mainlog | grep '\[' | cut -d[ -f2 | cut -d] -f1 | sort -n | uniq -c | sort -n | \
grep -v 127.0.0.1 | awk '{if ($1 > 45) print $2;}' >> /tmp/IPS
Ranjith
Light travels faster than sound. This is why some people look bright until you actually hear them speak
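As an added example, not code from any poster in this thread: a POSIX shell function that generalises the per-IP netstat pipelines in posts #3 and #7 by also counting half-open (SYN_RECV) connections per source, which is what a SYN flood like the one Torsten later reports looks like from the server side. The netstat output below is a constructed sample in Linux `netstat -ant` format; the thresholds are assumed, not taken from the thread.

```shell
#!/bin/sh
# Constructed sample of `netstat -ant` output: the foreign address is $5
# and the TCP state is $6.  IPv4 only, as in the thread's cut -d: pipelines.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             198.51.100.7:51002      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:51003      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:51004      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:51005      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.9:40001       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.9:40002       ESTABLISHED
tcp        0      0 10.0.0.5:22             127.0.0.1:33000         ESTABLISHED
tcp        0      0 10.0.0.5:80             192.0.2.44:55555        SYN_RECV'

# Per-source summary, one line per IP: "<ip> <total connections> <half-open>".
# Loopback is skipped, as the thread's grep -v 127.0.0.1 does.  Reads stdin.
per_ip_summary() {
    awk '$1 ~ /^(tcp|udp)/ && $5 !~ /^127\.0\.0\.1:/ {
             split($5, a, ":"); ip = a[1]
             total[ip]++
             if ($6 == "SYN_RECV") half[ip]++
         }
         END { for (ip in total) printf "%s %d %d\n", ip, total[ip], half[ip] + 0 }' |
    sort -k2,2nr
}

# Print the IPs whose total connection count exceeds $1 (the thread's
# `awk '{if ($1 > 45) print $2;}'` check) or whose half-open count exceeds $2.
# A source with many SYN_RECV entries and few ESTABLISHED ones is the
# pattern to look for when the provider says "attack type: SYN".
flood_suspects() {
    printf '%s\n' "$SAMPLE_NETSTAT" | per_ip_summary |
    awk -v max_total="$1" -v max_half="$2" '$2 > max_total || $3 > max_half { print $1 }'
}

flood_suspects 3 2
```

On a live box, replace the `printf` of the sample with `netstat -ant` and pick thresholds from a baseline taken while the site is healthy; a single shared NAT address can legitimately open many connections.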
-
05-19-2009, 06:53 PM #8 Junior Guru Wannabe
- Join Date
- Jul 2005
- Posts
- 70
Hi,
Check top and check the Apache processes so far,
but if the DDoS is reflected there is no way other than waiting.
-
05-19-2009, 08:19 PM #9 Web Hosting Master
- Join Date
- Nov 2001
- Location
- Vancouver
- Posts
- 2,422
Blocking based on IP can work to some degree but not if there are many attacking machines, changing frequently, and humans have to do it. On a BSD box we'd configure `pf` to add to a block table any IP which did X connections per minute. The numbers are high enough you could do that without blocking legit users.
Using the "recent" module for iptables this becomes fairly easy, but it is a third party module and needs to be built. More info:
http://snowman.net/projects/ipt_recent/
Maybe you could do some country blocking for a period of time - the IPs in your post above come from a fairly limited number of countries... e.g.:
77.254.205.97 : GeoIP Country Edition: PL, Poland
85.148.100.65 : GeoIP Country Edition: NL, Netherlands
88.230.157.59 : GeoIP Country Edition: TR, Turkey
87.97.106.237 : GeoIP Country Edition: HU, Hungary
89.222.225.14 : GeoIP Country Edition: RU, Russian Federation
77.241.46.23 : GeoIP Country Edition: RU, Russian Federation
79.185.41.104 : GeoIP Country Edition: PL, Poland
83.26.104.65 : GeoIP Country Edition: PL, Poland
Something of a pattern there.
Edit: If nothing else, using solutions like `pf` or the "recent" module for `iptables` could provide you with some early warning with a little scripting monitoring the "tables" which are populated.
Last edited by mwatkins; 05-19-2009 at 08:31 PM.
“Even those who arrange and design shrubberies are under
considerable economic stress at this period in history.”
-
05-19-2009, 09:09 PM #10 Junior Guru Wannabe
- Join Date
- Mar 2009
- Posts
- 62
Or when your server crashes abruptly, that could mean you are getting a DDoS.
-
05-19-2009, 10:27 PM #11 Web Hosting Guru
- Join Date
- Jun 2008
- Location
- India
- Posts
- 266
Which firewall do you use?
Ranjith
Light travels faster than sound. This is why some people look bright until you actually hear them speak
-
05-20-2009, 01:31 AM #12 Junior Guru Wannabe
- Join Date
- May 2009
- Posts
- 31
First of all, check whether your CPU load is high and you have a large number of HTTP processes running. Check the load using the command,
# w
Count the number of HTTP processes running with the following command,
# ps aux | grep -i http | wc -l
-
05-20-2009, 01:59 AM #13 Web Hosting Master
- Join Date
- Aug 2003
- Location
- Gods Own Country
- Posts
- 892
If you have a large number of connections from multiple IPs, and your server is finding it hard to manage all these connections, and your server's load has increased, then it can be called a DDOS attack.
There is no complete solution for a DDOS attack. Software solutions (APF, CSF etc.) can only provide you with 50 to 60% protection, while a hardware firewall can give somewhat better results.
Just search for DDOS in Google and you will get a lot of information about it. Go through it.
Blessen Cherian
Follow me on twitter.com/blessenonly
Two decades in Web Hosting Industry
-
05-20-2009, 03:24 AM #14 WHT Addict
- Join Date
- Oct 2007
- Location
- Moldova
- Posts
- 103
How to detect a DDoS attack:
1. Trafshow
2. netstat
3. systat -ifstat 1 (FreeBSD)
4. Apache/FTP/other logs
-
05-20-2009, 09:27 AM #15 Web Hosting Guru
- Join Date
- Mar 2008
- Posts
- 263
Install/Configure 3rd party DDOS prevention tools
We can also use the most trusted 3rd party script 'DDoS-Deflate' for preventing DDOS attacks effectively.
Steps to install this script are as follows.
# wget http://www.inetbase.com/scripts/ddos/install.sh
# sh install.sh
Add the script '/usr/local/ddos/ddos.sh' to cron as follows
# crontab -e
*/5 * * * * /usr/local/ddos/ddos.sh >/dev/null 2>&1
Need More Power?!
PersianWhois.Com
-
05-20-2009, 09:29 AM #16 Newbie
- Join Date
- Apr 2009
- Posts
- 17
A script won't stop this attack. We need another solution -- maybe LiteSpeed or something similar in combination with hardware such as TippingPoint or Cisco Guard.
Any other ideas?
-
05-20-2009, 09:52 AM #17 Web Hosting Guru
- Join Date
- Mar 2008
- Posts
- 263
Are you sure it's an attack?
Maybe your web server or another service, such as MySQL, needs to be optimized!
Need More Power?!
PersianWhois.Com
-
05-20-2009, 09:54 AM #18 Newbie
- Join Date
- Apr 2009
- Posts
- 17
Yes, it's an attack:
7337.4 packets/sec
Attack type: SYN
http://pdf.grovs.de/ddos_attack.html
-
05-20-2009, 10:09 AM #19 WHT Addict
- Join Date
- Oct 2007
- Location
- Moldova
- Posts
- 103
Maybe you can ask your DC to block these IPs on their router before this traffic is sent to your server.
77.254.205.97 - 3950 times
85.148.100.65 - 2190 times
88.230.157.59 - 1924 times
87.97.106.237 - 1876 times
89.222.225.141 - 1537 times
77.241.46.23 - 1163 times
79.185.41.104 - 174 times
83.26.104.65 - 103 times
-
05-20-2009, 12:01 PM #20 Sec, DC and Virtual Architect
- Join Date
- Nov 2005
- Location
- Denver, CO
- Posts
- 728
That does absolutely nothing to protect against a DDoS, it only masks the problem by shifting the burden from Apache to the OS. Your server is still getting hammered by the bandwidth flood.
Ask your provider if they leverage strict uRPF. If so, they may be willing to do S/RTBH to help you out, but the other risk is that they may end up doing the opposite, which is D/RTBH, and that effectively is a null of your IP. Depending on the size (Mbps/Gbps) a dedicated appliance may work since, by your numbers, it looks like the ceiling of the attack is under 10k CPS. A TopLayer or IntruGuard would be one potential mitigation vector, as could SYN cookies with a larger ISG (Juniper) or ASA 5540+ (Cisco). However, neither the Juniper nor the Cisco box would scale much beyond a 15k CPS flood (a 5580 or a Juniper SRX could handle up to 150k CPS, but we're not talking a cheap solution and it's still not the ideal platform for this type of mitigation... that and SYN cookies could have the added detrimental effect of indiscriminate false positives).
-
05-20-2009, 01:46 PM #21 Web Hosting Master
- Join Date
- Nov 2001
- Location
- Vancouver
- Posts
- 2,422
Boiling down the advice, are you now left with something of a bell curve:
- block using OS level firewall to the best of your ability (and as Mike has said, that just shifts the burden), if that fails your next step
* lean on your provider's ability to mitigate, or if they can't or won't,
* move to another provider with stronger capabilities in this area, or,
* acquire some technology yourself to do same, or if you can't afford that,
* build up a dedicated firewall box, OpenBSD or FreeBSD perhaps with pf, or, if that is out of budget or capabilities or time, or not worth it due to the scale of the attack:
* continue to live with it as best you can or shut machine down for a while.
* edit: or stop hosting sites likely to be targeted, clearly a problem if this is your one and only web property
?
Note I'm not suggesting that a BSD box can take the place of specialized equipment such as CiscoMike has outlined, although I have to say one of my former senior systems engineers (prior life) who was a Cisco devotee through and through was not at all unfavourable to BSD firewalls. You'll find some embedded BSD in certain firewall products, Juniper notably. I recall reading here on WHT that Pair.com, a big big FreeBSD shop, has some BSD boxes doing BGP. Not the same thing as attack mitigation to be sure.
Ultimately your choice is going to be dictated by what you can afford, both in cost for mitigation and incoming bandwidth and staff costs to manage the event, or in lost opportunity if you eventually are forced to shut down.
Last edited by mwatkins; 05-20-2009 at 01:51 PM.
“Even those who arrange and design shrubberies are under
considerable economic stress at this period in history.”
-
05-20-2009, 01:57 PM #22 Newbie
- Join Date
- Apr 2009
- Posts
- 17
Hi, we've moved to Softlayer and hopefully our site will be up and running within the next couple of hours again.
-
05-20-2009, 03:27 PM #23 Web Hosting Master
- Join Date
- Jan 2005
- Posts
- 2,203
Which version of TOP did you use for this: http://pdf.grovs.de/Load_average.gif
The attacker probably put a fake referer in the request body. Litespeed should be able to mitigate that attack easily.
-
05-20-2009, 03:37 PM #24 Junior Guru Wannabe
- Join Date
- Mar 2009
- Posts
- 39
I see you've tried installing squid on the same machine as the web server to attempt to mitigate this attack, but that's the wrong approach to using squid for flood mitigation. Squid is most meaningfully used when it's on a dedicated machine in a reverse proxy type environment, though I'm not sure you'd need to do that in your situation. 7,337 packets per second is a relatively small attack and generally an attack of that size can be mitigated on your own machine without issue with proper tuning of your IP stack and simple firewall rules. Consult with a system administrator.
-
06-09-2009, 02:10 AM #25 Newbie
- Join Date
- Jun 2009
- Posts
- 13
CSF from Configservers is a useful firewall script based on iptables to block DDoS attacks.