  1. #1

    How to detect a DDoS attack?

    Hi, is there any proven method to determine what kind of attack you are under? Our server has been under attack for more than a day now, but so far we have not been able to find out what kind of attack it is exactly. The server maintenance company we are using says it's a DDoS attack, but they don't say how they found this out. Also, they are not telling us what kind of DDoS attack it is.

    Many thanks,
    Torsten

  2. #2
    Using the netstat command we can get a clear picture of how many connections are being established from different IPs. If there is a large number of connections being established to the server from any particular external IP, you can block the IP. DDoS can also occur where the connections come from many different IPs; if that is the case, the best solution is to enable a hardware firewall if your host provides it.

  3. #3
    You can use the netstat command below to get the number of connections from each IP:

    # connections per remote IP, lowest count first (field 5 is the foreign address)
    netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

    If it is a minor attack, you can prevent this by using mod_evasive or DDoS Deflate. In the case of major attacks, your software firewall might not help much. In that case, keep your server behind a h/w firewall.

    Hope this helps.

    Ben

  4. #4
    Hi Ben,

    You can see our log files here: http://pdf.grovs.de/ddos_attack.html

    How massive is this attack?
    Torsten

  5. #5
    Torsten,

    It depends on the number of connections from the IPs. And this might be due to the use of a vulnerable PHP script by a user on your server.

    Ben

  6. #6
    Hi Ben, did you look at our stats?

  7. #7
    # remote IPs with more than 45 current TCP/UDP connections (loopback excluded)
    /bin/netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n | \
    grep -v 127.0.0.1 | awk '{if ($1 > 45) print $2;}' > /tmp/IPS

    # same threshold applied to the client IPs in the last 1000 exim log lines
    tail -1000 /var/log/exim_mainlog | grep '\[' | cut -d'[' -f2 | cut -d']' -f1 | sort -n | uniq -c | sort -n | \
    grep -v 127.0.0.1 | awk '{if ($1 > 45) print $2;}' >> /tmp/IPS
    Ranjith
    Light travels faster than sound. This is why some people look bright until you actually hear them speak
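    As an added example (not code from the thread), here is the netstat counting from posts #3 and #7 written as a shell function that skips the header lines, ignores loopback, and splits the count by TCP state so that half-open SYN_RECV entries are reported separately from ESTABLISHED ones. The sample output is constructed, the threshold defaults to the 45 connections used in post #7, and it assumes the Linux netstat column layout (foreign address in field 5, state in field 6) with IPv4 addresses.

```shell
#!/bin/sh
# Added example, not from the thread: per-remote-IP connection counts from
# "netstat -ntu"-style output, broken down by TCP state. Assumes the Linux
# netstat column layout (foreign address = field 5, state = field 6), IPv4.

# Constructed sample output (not a real capture). The first two lines are
# the header that the one-liners above also have to skip.
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:80         198.51.100.7:51234      SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.7:51235      SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.7:51236      SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.44:40001        ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.44:40002        ESTABLISHED
tcp        0      0 203.0.113.10:22         127.0.0.1:5000          ESTABLISHED
udp        0      0 203.0.113.10:53         192.0.2.99:12345'

# Print "count ip state" for every remote IP whose number of sockets in a
# given state is at or above the threshold (default 45, as in post #7).
# Loopback is ignored. Real use: netstat -ntu | top_talkers 45
top_talkers() {
    threshold="${1:-45}"
    awk -v t="$threshold" '
        $1 != "tcp" && $1 != "udp" { next }        # skip header lines
        {
            split($5, a, ":"); ip = a[1]           # strip the remote port
            if (ip == "127.0.0.1") next
            state = ($6 == "") ? "-" : $6          # udp rows carry no state
            n[ip " " state]++
        }
        END {
            for (k in n) if (n[k] >= t) print n[k], k
        }' | sort -rn
}

# Wrapper that runs the function over the constructed sample.
sample_top_talkers() {
    printf '%s\n' "$SAMPLE" | top_talkers "$1"
}
```

    A remote IP that dominates the SYN_RECV bucket while barely appearing under ESTABLISHED is the half-open pattern of a SYN flood rather than a burst of real clients.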

  8. #8
    Hi,

    check top, check the Apache processes so far.

    But if the DDoS is reflected there is no way other than waiting.

  9. #9
    Blocking based on IP can work to some degree but not if there are many attacking machines, changing frequently, and humans have to do it. On a BSD box we'd configure `pf` to add to a block table any IP which did X connections per minute. The numbers are high enough you could do that without blocking legit users.

    Using the "recent" module for iptables this becomes fairly easy, but it is a third party module and needs to be built. More info:

    http://snowman.net/projects/ipt_recent/

    Maybe you could do some country blocking for a period of time - the IPs in your post above come from a fairly limited number of countries... e.g.:

    77.254.205.97 : GeoIP Country Edition: PL, Poland
    85.148.100.65 : GeoIP Country Edition: NL, Netherlands
    88.230.157.59 : GeoIP Country Edition: TR, Turkey
    87.97.106.237 : GeoIP Country Edition: HU, Hungary
    89.222.225.14 : GeoIP Country Edition: RU, Russian Federation
    77.241.46.23 : GeoIP Country Edition: RU, Russian Federation
    79.185.41.104 : GeoIP Country Edition: PL, Poland
    83.26.104.65 : GeoIP Country Edition: PL, Poland

    Something of a pattern there.

    Edit: If nothing else using solutions like `pf` or the "recent" module for `iptables` could provide you with some early warning with a little scripting monitoring the "tables" which are populated.
    Last edited by mwatkins; 05-19-2009 at 08:31 PM.
    “Even those who arrange and design shrubberies are under
    considerable economic stress at this period in history.”

  10. #10
    Or when your server crashes abruptly, that could mean you are getting a DDoS.

  11. #11
    Which firewall do you use?
    Ranjith
    Light travels faster than sound. This is why some people look bright until you actually hear them speak

  12. #12
    First of all, check whether your CPU load is high and whether you have a large number of HTTP processes running. Check the load using the command:
    # w
    Count the number of HTTP processes running with the following command (the [h] bracket keeps grep from counting itself):
    # ps aux | grep -i '[h]ttp' | wc -l

  13. #13
    If you have a large number of connections from multiple IPs, your server is finding it hard to manage all these connections, and your server's load has increased, then it can be called a DDoS attack.

    There is no complete solution for a DDoS attack. Software solutions (APF, CSF etc.) can only provide you with 50 to 60% protection, while a hardware firewall can give somewhat better results.

    Just search for DDoS in Google and you will get a lot of information about it. Go through it.
    Blessen Cherian
    Follow me on twitter.com/blessenonly
    Two decades in the Web Hosting Industry

  14. #14
    How to detect a DDoS attack:

    1. Trafshow
    2. netstat
    3. systat -ifstat 1 (Freebsd)
    4. Apache/FTP/other logs

  15. #15
    Install/configure 3rd party DDoS prevention tools

    We can also use the most trusted 3rd party script 'DDoS-Deflate' for preventing DDoS attacks effectively.
    The steps to install this script are as follows.

    # wget http://www.inetbase.com/scripts/ddos/install.sh
    # sh install.sh

    Add the script '/usr/local/ddos/ddos.sh' to cron as follows

    # crontab -e

    */5 * * * * /usr/local/ddos/ddos.sh >/dev/null 2>&1
    Need More Power?!
    PersianWhois.Com

  16. #16
    A script won't stop this attack. We need another solution -- maybe LiteSpeed or something similar in combination with hardware such as Tipping Point or Cisco Guard.

    Any other ideas?

  17. #17
    Are you sure it's an attack?
    Maybe your web server or other services, such as MySQL, need to be optimized!
    Need More Power?!
    PersianWhois.Com

  18. #18
    Yes, it's an attack:

    7337.4 packets/sec
    Attack type: SYN

    http://pdf.grovs.de/ddos_attack.html

  19. #19
    Maybe you can ask your DC to block these IPs on their router before this traffic is sent to your server.

    77.254.205.97 - 3950 times
    85.148.100.65 - 2190 times
    88.230.157.59 - 1924 times
    87.97.106.237 - 1876 times
    89.222.225.141 - 1537 times
    77.241.46.23 - 1163 times
    79.185.41.104 - 174 times
    83.26.104.65 - 103 times

  20. #20
    Quote Originally Posted by persianwhois View Post
    Install/Configure 3rd party DDOS prevention tools

    We can also use the most trusting 3rd party script 'DDoS-Deflate' for preventing DDOS attack effectively.
    Steps to install this script are as follows.

    # wget http://www.inetbase.com/scripts/ddos/install.sh
    # sh install.sh

    Add the script '/usr/local/ddos/ddos.sh' to cron as follows

    # crontab -e

    */5 * * * * /usr/local/ddos/ddos.sh >/dev/null 2>&1
    That does absolutely nothing to protect against a DDoS, it only masks the problem by shifting the burden from Apache to the OS. Your server is still getting hammered by the bandwidth flood.

    Ask your provider if they leverage strict uRPF. If so, they may be willing to do S/RTBH to help you out but the other risk is that they may end up doing the opposite which is D/RTBH and that effectively is a null of your IP. Depending on the size (Mbps/Gbps) a dedicated appliance may work since by your numbers, it looks like the ceiling of the attack is under 10k CPS. A TopLayer or IntruGuard would be one potential mitigation vector as could SYN cookies with a larger ISG (Juniper) or ASA 5540+ (Cisco). However neither the Juniper or Cisco box would scale much more beyond a 15k CPS flood (5580 or a Juniper SRX could handle up to 150k CPS but we're not talking a cheap solution and it's still not the ideal platform for this type of mitigation...that and SYN cookies could have the added detrimental effect of indiscriminate false positives).

  21. #21
    Quote Originally Posted by TorstenD View Post
    Yes, it's an attack:
    7337.4 packets/sec
    Attack type: SYN
    Boiling down the advice, are you now left with something of a bell curve?

    * block using an OS level firewall to the best of your ability (and as Mike has said, that just shifts the burden); if that fails, your next step:
    * lean on your provider's ability to mitigate, or if they can't or won't,
    * move to another provider with stronger capabilities in this area, or,
    * acquire some technology yourself to do the same, or if you can't afford that,
    * build up a dedicated firewall box, OpenBSD or FreeBSD perhaps with pf, or, if that is out of budget or capabilities or time, or not worth it due to the scale of the attack:
    * continue to live with it as best you can or shut the machine down for a while.
    * edit: or stop hosting sites likely to be targeted, clearly a problem if this is your one and only web property

    Note I'm not suggesting that a BSD box can take the place of specialized equipment such as CiscoMike has outlined, although I have to say one of my former senior systems engineers (prior life) who was a Cisco devotee through and through was not at all unfavourable to BSD firewalls. You'll find some embedded BSD in certain firewall products, Juniper notably. I recall reading here on WHT that Pair.com, a big big FreeBSD shop, has some BSD boxes doing BGP. Not the same thing as attack mitigation to be sure.

    Ultimately your choice is going to be dictated by what you can afford, both in cost for mitigation and incoming bandwidth and staff costs to manage the event, or in lost opportunity if you eventually are forced to shut down.
    Last edited by mwatkins; 05-20-2009 at 01:51 PM.
    “Even those who arrange and design shrubberies are under
    considerable economic stress at this period in history.”

  22. #22
    Hi, we've moved to Softlayer and hopefully our site will be up and running within the next couple of hours again.

  23. #23
    Which version of TOP did you use for this: http://pdf.grovs.de/Load_average.gif

    The attacker probably put a fake referer in the request body. Litespeed should be able to mitigate that attack easily.

  24. #24
    I see you've tried installing squid on the same machine as the web server to attempt to mitigate this attack, but that's the wrong approach to using squid for flood mitigation. Squid is most meaningfully used when it's on a dedicated machine in a reverse proxy type environment, though I'm not sure you'd need to do that in your situation. 7,337 packets per second is a relatively small attack and generally an attack of that size can be mitigated on your own machine without issue with proper tuning of your IP stack and simple firewall rules. Consult with a system administrator.

  25. #25
    CSF from ConfigServer is a useful firewall script based on iptables for blocking DDoS attacks.
