Thread: Attack

  1. #1
    Join Date
    Jul 2005
    Location
    Spain
    Posts
    52

    Attack

    Hello,

    My server is currently under attack. I have been able to keep it up, but after I ban 500 IPs, I get a lot of different IPs again.

    Any idea or suggestion for mass-banning those attacking IPs?

    Thanks

  2. #2
    Unfortunately, software scripts cannot stop these. Contact your DC and ask them to attach a Cisco firewall guard to filter this traffic off your server.

  3. #3
    Try this.

    1. Find which IP address on the server is targeted by the DDoS attack

    netstat -plan | grep :80 | awk '{print $4}' | cut -d: -f1 | sort | uniq -c

    2. Find which IPs the attack is coming from

    netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c

    3. Then find the TTL values of the attacking IP addresses

    tcpdump -nn -vvv host xxxx | grep yyyy (xxxx = IP attacking and yyyy = IP being attacked)

    usually we need only tcpdump -nn -vvv host xxxx (as the attack is coming from numerous IPs)

    4. Now block all the IPs matching the TTL value obtained from the above script

    iptables -A INPUT -p tcp -s 0.0.0.0/0 -d yyyy -m ttl --ttl-eq zzz -j DROP (zzz is the TTL value)

  4. #4
    Join Date
    Jul 2009
    Location
    SLASH ROOT
    Posts
    26
    Blocking this many IP addresses is going to be a tough task.

    I would recommend that you install/configure Apache modules like:

    1) dos_evasive
    2) mod_security

    With these Apache modules you can configure Apache to block out any IP address having more than "X" connections to the server.


  5. #5
    Join Date
    May 2009
    Location
    SLASH ROOT
    Posts
    853
    Seems like your server is under a high SYN flood attack.

    I would suggest you harden the sysctl parameters (kernel params) to mitigate the current attack.

    Increasing the backlog queue size and decreasing the backlog queuing time might help a bit.

    Also depend on Apache DOS/DDOS mitigation tools as suggested by 'whrss2'.
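
The arithmetic behind the two knobs suggested in the post above, as an added example that is not part of the thread: it maps "backlog queue size" to net.ipv4.tcp_max_syn_backlog and "queuing time" to net.ipv4.tcp_synack_retries, and estimates the rate of unanswered SYNs that keeps the queue full. Assumptions: a 1-second initial SYN-ACK timeout that doubles on each retry, SYN cookies not yet engaged, and constructed sysctl values.

```shell
#!/bin/sh
# Added example, not from the thread. Simplified model: the effective queue
# limit also depends on the listen() backlog and net.core.somaxconn.

# Constructed `sysctl` output for an untuned and a tuned host.
sample_untuned() {
cat <<'EOF'
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_max_syn_backlog = 128
net.ipv4.tcp_synack_retries = 5
EOF
}
sample_tuned() {
cat <<'EOF'
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_synack_retries = 2
EOF
}

# Seconds a never-completed handshake stays queued: the kernel waits
# 1, 2, 4, ... s (assumed 1 s initial timeout) before each SYN-ACK
# retransmission and once more before giving up: 2^(retries+1) - 1.
half_open_lifetime() {
    retries=$1; life=0; rto=1; i=0
    while [ "$i" -le "$retries" ]; do
        life=$((life + rto)); rto=$((rto * 2)); i=$((i + 1))
    done
    echo "$life"
}

# Sustained rate (whole SYNs/s) of unanswered SYNs above which the queue
# stays full: entries expire as fast as new ones arrive.
sustainable_syn_rate() {
    echo $(( $1 / $(half_open_lifetime "$2") ))
}

# Read "key = value" sysctl lines on stdin and print the model's result.
report() {
    set -- $(awk -F' *= *' '
        $1 == "net.ipv4.tcp_max_syn_backlog" { b = $2 }
        $1 == "net.ipv4.tcp_synack_retries"  { r = $2 }
        $1 == "net.ipv4.tcp_syncookies"      { c = $2 }
        END { print b, r, c }')
    case "$#:$1$2$3" in
        3:*[!0-9]*) echo "non-numeric value" >&2; return 1 ;;
        3:*) ;;
        *) echo "missing sysctl key" >&2; return 1 ;;
    esac
    echo "lifetime=$(half_open_lifetime "$2")s fill_rate=$(sustainable_syn_rate "$1" "$2")/s syncookies=$3"
}

sample_untuned | report   # lifetime=63s fill_rate=2/s syncookies=0
sample_tuned | report     # lifetime=7s fill_rate=585/s syncookies=1
```

Even the tuned figure is small next to a distributed flood, which is why SYN cookies, which avoid storing half-open state once the queue overflows, matter more than queue sizing alone.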

  6. #6
    Join Date
    Jul 2005
    Location
    Spain
    Posts
    52
    Thanks guys and sorry for the delay. I have banned more than 10k IPs, so I ended up removing all the banned IPs because it didn't make any difference. I'm currently using modsecurity and mod evasive, but I never trusted mod evasive as I don't feel any difference using it. Theplanet enabled Cisco Guard on the IPs that were under attack, but still nothing better... I'm running CSF too, replaced APF with this one.

  7. #7
    Join Date
    Sep 2003
    Location
    Chicago, IL
    Posts
    164
    This is an old script but it serves its purpose.

    http://deflate.medialayer.com/

    Took me a bit to dig that up.

  8. #8
    Join Date
    Mar 2009
    Location
    /home/khunj
    Posts
    432
    Quote Originally Posted by IH-Antonio View Post
    I'm currently using modsecurity, mod evasive but I never trusted mod evasive as I don't feel any difference using it.
    For sure you don't see any difference, because you cannot fight SYN floods at the HTTP server level! Unlike HTTP floods, it is useless to use those Apache modules.
    All these entries (SYN_RECV) are half-open connections and are stored in the kernel SYN backlog. They will remain there and will never be moved to your HTTP server listen backlog. That means there won't be any established connection, hence Apache (or LiteSpeed, Nginx...) and its modules don't care about that. In fact, and this is the most important thing to understand, they will never know you are under attack!
    That's the problem with SYN floods: you are stuck in the middle of the 3-way handshake sequence and therefore you can only try to mitigate it at the kernel level:
    - kernel firewall
    - routing table
    - tweaking the TCP/IP stack
    - mitigation tools, packets analyzers (they will probe the kernel)
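
The distinction drawn in the post above between half-open (SYN_RECV) entries and connections that actually reach the web server, as an added example that is not part of the original post: it tallies port-80 sockets by state from netstat-style output. The sample lines are constructed with documentation-range addresses, and the MIN_HALF_OPEN threshold and the "distributed" ratio are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: triage of `netstat -ant`-style output.
MIN_HALF_OPEN=5   # assumption: fewer half-open entries than this is normal churn

# Constructed sample (RFC 5737 documentation addresses, not real hosts).
sample_netstat() {
cat <<'EOF'
tcp 0 0 192.0.2.10:80 198.51.100.7:3965 SYN_RECV
tcp 0 0 192.0.2.10:80 198.51.100.21:2323 SYN_RECV
tcp 0 0 192.0.2.10:80 203.0.113.56:21094 SYN_RECV
tcp 0 0 192.0.2.10:80 203.0.113.56:21095 SYN_RECV
tcp 0 0 192.0.2.10:80 203.0.113.90:57605 SYN_RECV
tcp 0 0 192.0.2.10:80 198.51.100.130:49366 SYN_RECV
tcp 0 0 192.0.2.10:80 198.51.100.200:51000 ESTABLISHED
tcp 0 0 192.0.2.10:80 203.0.113.14:51001 ESTABLISHED
tcp 0 0 192.0.2.10:8080 203.0.113.77:4000 SYN_RECV
tcp 0 0 192.0.2.10:22 198.51.100.9:50022 ESTABLISHED
EOF
}

# Print "<half_open> <established> <distinct_half_open_sources> <max_per_source>"
# for sockets whose LOCAL address ends in :80. Matching the local column avoids
# the false hits of a bare `grep :80` (port 8080, remote ports starting with 80).
summarize_port80() {
    awk '
    $1 ~ /^tcp/ && $4 ~ /:80$/ {
        src = $5; sub(/:[0-9]+$/, "", src)      # strip the remote port
        if ($6 == "SYN_RECV") {
            half++
            if (!(src in seen)) n++
            seen[src]++
            if (seen[src] > max) max = seen[src]
        } else if ($6 == "ESTABLISHED") est++
    }
    END { printf "%d %d %d %d\n", half, est, n, max }'
}

# Verdict: half-open entries never reach Apache, so a backlog dominated by
# SYN_RECV points at the kernel, not the web server. Many distinct sources
# relative to entries means per-IP bans will not keep up.
classify() {
    set -- $(summarize_port80)
    half=$1; est=$2; srcs=$3
    if [ "$half" -lt "$MIN_HALF_OPEN" ] || [ "$half" -le "$est" ]; then
        echo "no-syn-flood"
    elif [ $((srcs * 2)) -ge "$half" ]; then
        echo "syn-flood distributed"
    else
        echo "syn-flood concentrated"
    fi
}

sample_netstat | summarize_port80   # 6 2 5 2
sample_netstat | classify           # syn-flood distributed
```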

  9. #9
    Join Date
    Jan 2005
    Posts
    2,175
    Did you look at the log? It IS a SYN flood at the http level, it's all going to port 80. From what I recall, http syn floods are the most common. And mod_evasive does nothing to help based on my experiences. I would not recommend anyone using it.

    Are you running cpanel? Litespeed could easily handle it.

  10. #10
    Join Date
    May 2009
    Location
    SLASH ROOT
    Posts
    853

  11. #11
    Join Date
    Dec 2006
    Posts
    477
    It IS a SYN flood at the http level, it's all going to port 80.
    That is a nonsense statement. Just because it's going to the port number of the http server does not mean the kernel is going to pass the connection to the http server before the tcp handshake is connected.

    As khunj said, it makes bugger all difference whether you have Apache, Litespeed or anything else as they are never going to be notified that these connections exist. The only places to fight this are in the kernel or in an external firewall/router/mitigation device.

  12. #12
    Join Date
    Jan 2005
    Posts
    2,175
    And what makes you think it is NOT passing the connection to the http server?

  13. #13
    Join Date
    Mar 2009
    Location
    /home/khunj
    Posts
    432
    Quote Originally Posted by HD Fanatic View Post
    And what makes you think it is NOT passing the connection to the http server?
    Because the connection is in the SYN_RECV state, and that is the reason why we call it a "SYN flood".

    http://en.wikipedia.org/wiki/Transmi...ocol_operation

    http://www.gelato.unsw.edu.au/lxr/so...cp_ipv4.c#L862

  14. #14
    Join Date
    Nov 2001
    Location
    Vancouver
    Posts
    2,416
    A FreeBSD or OpenBSD based "pf" firewall could deal with this, automatically.

    http://www.openbsd.org/faq/pf/filter.html#synproxy

    I'm not aware of a corresponding IPTables solution for Linux. Too bad, so sad.

  15. #15
    Join Date
    Jun 2006
    Location
    NYC
    Posts
    1,446
    Quote Originally Posted by mwatkins View Post
    A FreeBSD or OpenBSD based "pf" firewall could deal with this, automatically.

    http://www.openbsd.org/faq/pf/filter.html#synproxy

    I'm not aware of a corresponding IPTables solution for Linux. Too bad, so sad.
    Agreed.

    And as also mentioned, Apache/Litespeed modules won't fix this. It has to be blocked on the physical network or at the kernel level. Unfortunately, that is not Linux's strong point. If you get these a lot, your best bet is to install FreeBSD.

    So funny to see people say, "Oh Litespeed will fix this easily". *sigh* Doesn't matter what web server you're using, this attack would happen.
