-
07-07-2009, 10:00 PM #1 Junior Guru Wannabe
- Join Date
- Nov 2005
- Posts
- 78
ddos / DoS attack, won't stop. Server is down.
My server was hit with a flood recently, to the point where I was unable to log in via SSH. Running the 'netstat' command showed I was getting flooded with thousands of http requests from China/Saudi Arabia/Korea. I installed APF firewall and added those countries to the deny list.
Next day I was hit from Russia and Romania and some others. By reading some posts on this site, on top of APF, I have also installed Dos Deflate. It was working for a couple of hours, but then it stopped working. I could not even log in via SSH. My provider told me that APF was using all of the "conntrack" connections. I have increased conntrack connections to 130,000 (I have 4 Gigs of RAM on my server). Is that possible? (I have about 300 IP ranges in my APF deny list).
Next day, I got hit by a different attack: there was 11 Mbps of malicious traffic on average sent to my server. My provider put me behind a firewall to mitigate against that kind of attack.
Currently, I am both behind the hardware firewall and I have APF and Dos Deflate running. However, my server is not accessible.
When I request, I can log in for a couple of minutes, but then I get kicked out.
Any suggestions on how to proceed at this point? Obviously, when the attacker sees my site up and running - he/she uses a different type of attack.
What would you recommend?
-
07-07-2009, 10:09 PM #2 WHT Addict
- Join Date
- Jan 2006
- Location
- Dallas, TX
- Posts
- 106
Can your provider give you some assistance by identifying which IP is getting hit? It's quite possible that this is not anything directed at "you" or your server, but rather just an attack for attack's sake. If you are really getting hammered, maybe have your provider null-route the IP that is getting sacked - and maybe your provider will be kind enough to move you to another IP block.
Chris Gebhardt
VIRTBIZ Internet Services
Web Hosting, Dallas Colocation, Dedicated Server
virtbiz.com | ph (972)485-4125 | toll-free (866)485-4125
-
07-07-2009, 10:21 PM #3 Junior Guru Wannabe
- Join Date
- Nov 2005
- Posts
- 78
virtbiz: I have hosted with them for over a year. I always had the same IP address. I believe the attack is done against one of the sites, which has a web forum.
I just want to know if there is some other software against DoS attacks, if I should install some other web server instead of apache, and why APF + Dos Deflate combined cannot stop flooding.
-
07-07-2009, 10:31 PM #4 WHT Addict
- Join Date
- Jan 2006
- Location
- Dallas, TX
- Posts
- 106
A firewall may not be effective for you in a situation like this because it will still have to receive and examine the traffic to decide to let it through or not. So it can chew up all available resources (CPU) working to sort through the flood of traffic. Even if the traffic is not huge (11Mbps isn't much to speak of) the packets can be formed in such a way as to choke your router/firewall.
Unless your site with a forum is really high profile (I mean... HIGH profile) I really doubt you're a specific target.
Since you're apparently hard down anyhow, probably no harm in asking for a new IP and to null-route the old one at their border. It's no big deal for them to do if they know what they're doing.
And I wouldn't blame Apache. If you're getting DDoS'd, the webserver software likely has very little to do with it. (Have you examined the traffic to determine what KIND of traffic you're getting slammed with?)
Chris Gebhardt
VIRTBIZ Internet Services
Web Hosting, Dallas Colocation, Dedicated Server
virtbiz.com | ph (972)485-4125 | toll-free (866)485-4125
-
07-08-2009, 10:30 PM #5 Web Hosting Master
- Join Date
- Apr 2005
- Posts
- 1,767
Can you paste your /etc/apf/conf.apf ?
-
07-08-2009, 10:43 PM #6 Junior Guru Wannabe
- Join Date
- Jun 2009
- Location
- Houston, TX
- Posts
- 46
A few things that might help:
Once the server is accessible via command line, run the following:
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | sed -e s/'::ffff:'/''/g|cut -d: -f1 | sort | uniq -c | sort -n
See which ips are connecting a lot (a dos attack is easy to recognize with the above, but a ddos attack is not as easy).
Look for patterns, such as ips that are similar.
If you find anything, you would normally block with iptables; that's good, but not enough.
If you run:
route add IP reject
then you block them at the kernel level. Meaning the processing of the ip is much less than it would be for iptables, which will help (it will have to be a very strong ddos attack to have a significant effect after blocking them with the routing table).
iptables is great to use, but not to block a ddos attack.
btw, I would really recommend that you stop using apf, and use csf. It has many more options, and is far more robust than apf, not to mention it's still supported, whereas apf is not.
If you need any help, please feel free to contact me.
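The procedure above (count connections per remote address, then reject the worst offenders in the routing table) as an added, self-contained script. This is not the poster's code: it wraps the same netstat pipeline in functions, feeds it a constructed netstat sample, and only prints the `route add` commands for review rather than executing them. The threshold value, the sample addresses and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Counts connections per foreign IP from
# `netstat -anp` style output and prints a reject route for heavy hitters.

# top_sources: read netstat -anp lines on stdin, print "<count> <ip>" sorted by
# count ascending. Field 5 is the Foreign Address column; the ::ffff: prefix of
# IPv4-mapped IPv6 addresses is stripped so v4 and v6 sockets count together.
# Wildcard entries (0.0.0.0:* from LISTEN sockets) are dropped.
top_sources() {
  grep -E 'tcp|udp' \
    | awk '{print $5}' \
    | sed 's/::ffff://g' \
    | cut -d: -f1 \
    | grep -v '^0\.0\.0\.0$' \
    | sort | uniq -c | sort -n \
    | awk '{print $1, $2}'
}

# suggest_rejects THRESHOLD: from "<count> <ip>" lines on stdin, print one
# net-tools reject route per IP whose count is at or above THRESHOLD.
# (Assumed threshold; pick it from what is normal for your own server.)
suggest_rejects() {
  awk -v t="$1" '$1 >= t {print "route add -host " $2 " reject"}'
}

# Constructed sample of netstat -anp output: one source with three sockets,
# one IPv4-mapped IPv6 source, and two listening sockets that must be ignored.
SAMPLE='tcp        0      0 10.0.0.5:80        203.0.113.7:51234        ESTABLISHED 1234/httpd
tcp        0      0 10.0.0.5:80        203.0.113.7:51235        ESTABLISHED 1234/httpd
tcp        0      0 10.0.0.5:80        203.0.113.7:51236        ESTABLISHED 1234/httpd
tcp        0      0 ::ffff:10.0.0.5:80 ::ffff:198.51.100.9:4000 SYN_RECV    -
tcp        0      0 0.0.0.0:22         0.0.0.0:*                LISTEN      999/sshd
udp        0      0 0.0.0.0:123        0.0.0.0:*                            500/ntpd'

# Stand-alone run: show the per-IP counts, then the routes that a threshold
# of 3 would suggest. On a live box replace the sample with `netstat -anp`.
printf '%s\n' "$SAMPLE" | top_sources
printf '%s\n' "$SAMPLE" | top_sources | suggest_rejects 3
```

On a host with iproute2 instead of net-tools the equivalent of `route add -host IP reject` is `ip route add unreachable IP/32` (or `blackhole` to drop silently). Two caveats when using this: a connection count only identifies sources that actually complete or hold sockets, so a SYN flood from spoofed addresses will not show a single heavy hitter here, and a reject route for a /32 is permanent until removed, so keep a record of what you add and revisit it once the flood subsides.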
-
07-08-2009, 10:50 PM #7 Junior Guru Wannabe
- Join Date
- Jun 2009
- Location
- Houston, TX
- Posts
- 46
One more thing I forgot to mention.
You will hear that external firewalls are the only way to block a ddos attack.
This is only partially true.
Strong ddos attacks really do need an external firewall, but only because your server cannot allocate the resources necessary to block the traffic. And also, because the connection to the firewall is much stronger than the connection to the server.
example:
1 Gig to the firewall, 100Mb/s to the server
=============>Firewall--------->server
With the firewall, your firewall will block the attack, using the extra bandwidth. And will maintain, or at least try, the 100 Mb/s to your server.
-
07-26-2009, 08:20 PM #8 Junior Guru Wannabe
- Join Date
- Nov 2005
- Posts
- 78
zacharooni, here is my conf.apf.
I have removed some comments to make it smaller in size.
#!/bin/bash
#
# APF 9.6 [apf@r-fx.org]
INSTALL_PATH="/etc/apf"
IFACE_IN="eth0"
IFACE_OUT="eth0"
IFACE_TRUSTED=""
SET_VERBOSE="1"
SET_FASTLOAD="0"
SET_VNET="0"
SET_ADDIFACE="0"
SET_MONOKERN="0"
SET_REFRESH="0"
SET_TRIM="3000"
VF_ROUTE="1"
VF_CROND="1"
VF_LGATE=""
##
# [Reactive Address Blocking]
RAB="1"
RAB_SANITY="1"
# 0 = disabled | 1 = low security | 2 = medium security | 3 = high security
RAB_PSCAN_LEVEL="2"
RAB_HITCOUNT="0"
RAB_TIMER="15000"
RAB_TRIP="1"
RAB_LOG_HIT="0"
RAB_LOG_TRIP="0"
TCP_STOP="DROP"
UDP_STOP="DROP"
ALL_STOP="DROP"
PKT_SANITY="1"
PKT_SANITY_INV="0"
PKT_SANITY_FUDP="1"
PKT_SANITY_PZERO="1"
PKT_SANITY_STUFFED="0"
TOS_DEF="0"
TOS_DEF_RANGE="512:65535"
TOS_0=""
TOS_2=""
# 4: Ports for Minimize Delay - Maximize Reliability
TOS_4=""
TOS_8="21,20,80"
TOS_16="25,110,143"
TCR_PASS="0"
TCR_PORTS="33434:33534"
ICMP_LIM="30/s"
RESV_DNS="1"
RESV_DNS_DROP="1"
BLK_P2P_PORTS="removed"
BLK_PORTS="removed"
BLK_MCATNET="0"
BLK_PRVNET="0"
BLK_RESNET="1"
BLK_IDENT="0"
SYSCTL_CONNTRACK="130000"
SYSCTL_TCP="1"
SYSCTL_SYN="1"
SYSCTL_ROUTE="0"
SYSCTL_LOGMARTIANS="0"
SYSCTL_ECN="0"
SYSCTL_SYNCOOKIES="1"
SYSCTL_OVERFLOW="0"
HELPER_SSH="1"
HELPER_SSH_PORT="removed"
# Common inbound (ingress) TCP ports
IG_TCP_CPORTS="removed"
IG_UDP_CPORTS="removed"
IG_ICMP_TYPES="removed"
EGF="1"
EG_TCP_CPORTS="removed"
EG_UDP_CPORTS="removed"
EG_ICMP_TYPES="all"
# UID-Match outbound (egress) TCP ports
EG_TCP_UID=""
# UID-Match outbound (egress) UDP ports
EG_UDP_UID=""
EG_DROP_CMD=""
##
# [Remote Rule Imports]
DLIST_PHP="0"
DLIST_PHP_URL="rfxn.com/downloads/php_list"
DLIST_PHP_URL_PROT="http"
DLIST_SPAMHAUS="0"
DLIST_SPAMHAUS_URL="www.spamhaus.org/drop/drop.lasso"
DLIST_SPAMHAUS_URL_PROT="http"
DLIST_DSHIELD="0"
DLIST_DSHIELD_URL="feeds.dshield.org/top10-2.txt"
DLIST_DSHIELD_URL_PROT="http"
DLIST_RESERVED="0"
DLIST_RESERVED_URL="rfxn.com/downloads/reserved.networks"
DLIST_RESERVED_URL_PROT="http"
DLIST_ECNSHAME="0"
DLIST_ECNSHAME_URL="rfxn.com/downloads/ecnshame.lst"
DLIST_ECNSHAME_URL_PROT="http"
# Global Trust
USE_RGT="0"
GA_URL="yourhost.com/glob_allow.rules"
GA_URL_PROT="http"
GD_URL="yourhost.com/glob_deny.rules"
GD_URL_PROT="http"
##
# [Logging and control settings]
LOG_DROP="0"
# What log level should we send all log data too?
# refer to man syslog.conf for levels
LOG_LEVEL="crit"
LOG_TARGET="LOG"
LOG_IA="0"
# Log all foreign gateway traffic
LOG_LGATE="0"
LOG_EXT="0"
LOG_RATE="10"
LOG_APF="/var/log/apf_log"
##
# [Import misc. conf]
##
# Internal variable file
CNFINT="$INSTALL_PATH/internals/internals.conf"
. $CNFINT
-
07-26-2009, 08:24 PM #9 Web Hosting Master
- Join Date
- Apr 2005
- Posts
- 1,767
I would agree, upgrade to CSF.
-
07-26-2009, 08:57 PM #10 Junior Guru Wannabe
- Join Date
- Nov 2005
- Posts
- 78
ok, will do! thank you)