  1. #1
    Join Date
    Nov 2005
    Posts
    78

    ddos / DoS attack, won't stop. Server is down.

    My server was hit with a flood recently, to the point where I was unable to log in via SSH. Running the 'netstat' command showed I was getting flooded with thousands of HTTP requests from China/Saudi Arabia/Korea. I installed the APF firewall and added those countries to the deny list.
    The next day I was hit from Russia and Romania and some others. By reading some posts on this site, on top of APF I have also installed DoS Deflate. It was working for a couple of hours, but then it stopped working. I could not even log in via SSH. My provider told me that APF was using all of the "conntrack" connections. I have increased conntrack connections to 130,000 (I have 4 Gigs of RAM on my server). Is that possible? (I have about 300 IP ranges in my APF deny list).

    The next day, I got hit by a different attack: there was an average of 11 Mbps of malicious traffic sent to my server. My provider put me behind a firewall to mitigate against that kind of attack.

    Currently, I am both behind the hardware firewall and I have APF and DoS Deflate running. However, my server is not accessible.
    When I request it, I can log in for a couple of minutes, but then I get kicked out.

    Any suggestions how to proceed at this point? Obviously, when the attacker sees my site up and running - he/she uses different type of attack.
    What would you recommend?

  2. #2
    Join Date
    Jan 2006
    Location
    Dallas, TX
    Posts
    106
    Can your provider give you some assistance by identifying which IP is getting hit? It's quite possible that this is not anything directed at "you" or your server, but rather just an attack for attack's sake. If you are really getting hammered, maybe have your provider null-route the IP that is getting sacked - and maybe your provider will be kind enough to move you to another IP block.
    Chris Gebhardt
    VIRTBIZ Internet Services
    Web Hosting, Dallas Colocation, Dedicated Server
    virtbiz.com | ph (972)485-4125 | toll-free (866)485-4125

  3. #3
    Join Date
    Nov 2005
    Posts
    78
    virtbiz: I have hosted with them for over a year. I always had the same IP address. I believe the attack is done against one of the sites, which has a web forum.

    I just want to know if there is some other software against DoS attacks, if I should install some other web server instead of Apache, and why APF + DoS Deflate combined cannot stop the flooding.

  4. #4
    Join Date
    Jan 2006
    Location
    Dallas, TX
    Posts
    106
    A firewall may not be effective for you in a situation like this because it will still have to receive and examine the traffic to decide to let it through or not. So it can chew up all available resources (CPU) working to sort through the flood of traffic. Even if the traffic is not huge (11Mbps isn't much to speak of) the packets can be formed in such a way as to choke your router/firewall.

    Unless your site with a forum is really high profile (I mean... HIGH profile) I really doubt you're a specific target.

    Since you're apparently hard down anyhow, probably no harm in asking for a new IP and to null-route the old one at their border. It's no big deal for them to do if they know what they're doing.

    And I wouldn't blame Apache. If you're getting DDoS'd, the webserver software likely has very little to do with it. (Have you examined the traffic to determine what KIND of traffic you're getting slammed with?)

  5. #5
    Join Date
    Apr 2005
    Posts
    1,767
    Can you paste your /etc/apf/conf.apf ?

  6. #6
    Join Date
    Jun 2009
    Location
    Houston,Tx
    Posts
    46
    A few things that might help:

    Once the server is accessible via command line, run the following:

    netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | sed -e s/'::ffff:'/''/g|cut -d: -f1 | sort | uniq -c | sort -n

    See which IPs are connecting a lot (a DoS attack is easy to recognize with the above, but a DDoS attack is not as easy).

    Look for patterns, such as ips that are similar.

    If you find anything, you would normally block with iptables, that's good, but not enough.

    If you run :

    route add IP reject

    then you block them at the kernel level. Meaning the processing of the IP is much less than it would be for iptables, which will help (it will have to be a very strong DDoS attack to have a significant effect after blocking them with the routing table).



    iptables is great to use, but not to block a ddos attack.

    btw, I would really recommend that you stop using APF, and use CSF. It has many more options, and is far more robust than APF, not to mention it's still supported, whereas APF is not.

    If you need any help, please feel free to contact me.
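    The counting step described above, as an added example that is not part of the original post: it does in Python what the netstat | awk | sed | cut | sort | uniq one-liner does, and additionally aggregates peers per IPv4 /24 so a flood spread across many nearby addresses (the "similar IPs" pattern) still shows up as one peak. The netstat lines are constructed sample input using documentation address ranges.

```python
import ipaddress
from collections import Counter

# Constructed sample of `netstat -an` output; addresses are documentation ranges.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             203.0.113.5:51234       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.5:51235       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.6:40001       ESTABLISHED
tcp6       0      0 ::ffff:10.0.0.5:80      ::ffff:203.0.113.7:4433 TIME_WAIT
tcp        0      0 10.0.0.5:22             198.51.100.9:60000      ESTABLISHED
udp        0      0 10.0.0.5:53             192.0.2.10:5353         ESTABLISHED
"""

def remote_ips(netstat_text):
    """Yield the peer IP of every tcp/udp line, as the one-liner does: skip the
    header and '*' peers of LISTEN sockets, strip the '::ffff:' mapped prefix."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue
        host, _, port = fields[4].replace("::ffff:", "").rpartition(":")
        if port == "*" or not host:
            continue
        yield host

def count_by_ip(netstat_text):
    """Connections per peer IP, most frequent first (the one-liner's output)."""
    return Counter(remote_ips(netstat_text)).most_common()

def count_by_net(netstat_text, prefix=24):
    """Connections per IPv4 /prefix, so nearby addresses are counted together."""
    nets = Counter()
    for host in remote_ips(netstat_text):
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # not a parseable address; ignore the line
        if addr.version == 4:
            net = ipaddress.ip_network(f"{host}/{prefix}", strict=False)
            nets[str(net)] += 1
    return nets.most_common()

def suspects(netstat_text, threshold, prefix=24):
    """Networks with at least `threshold` connections: review these before blocking."""
    return [(net, n) for net, n in count_by_net(netstat_text, prefix)
            if n >= threshold]
```

    Run it against `netstat -an` output piped into a file; a /24 that dominates the output is the pattern the post suggests looking for, and the per-IP list tells you whether it is one host or many.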

  7. #7
    Join Date
    Jun 2009
    Location
    Houston,Tx
    Posts
    46
    One more thing I forgot to mention.

    You will hear that external firewalls are the only way to block a ddos attack.

    This is only partially true.

    Strong DDoS attacks really do need an external firewall, but only because your server cannot allocate the resources necessary to block the traffic. And also, because the connection to the firewall is much stronger than the connection to the server.

    example:

    1 Gig to the firewall, 100Mb/s to the server
    =============>Firewall--------->server

    With the firewall, your firewall will block the attack, using the extra bandwidth. And it will maintain, or at least try to, the 100 Mb/s to your server.

  8. #8
    Join Date
    Nov 2005
    Posts
    78
    zacharooni, here is my conf.apf.
    I have removed some comments to make it smaller in size.

    #!/bin/bash
    #
    # APF 9.6 [apf@r-fx.org]

    INSTALL_PATH="/etc/apf"
    IFACE_IN="eth0"
    IFACE_OUT="eth0"
    IFACE_TRUSTED=""
    SET_VERBOSE="1"
    SET_FASTLOAD="0"
    SET_VNET="0"
    SET_ADDIFACE="0"
    SET_MONOKERN="0"
    SET_REFRESH="0"
    SET_TRIM="3000"
    VF_ROUTE="1"
    VF_CROND="1"
    VF_LGATE=""

    ##
    # [Reactive Address Blocking]
    RAB="1"
    RAB_SANITY="1"
    # 0 = disabled | 1 = low security | 2 = medium security | 3 = high security
    RAB_PSCAN_LEVEL="2"
    RAB_HITCOUNT="0"
    RAB_TIMER="15000"

    RAB_TRIP="1"
    RAB_LOG_HIT="0"
    RAB_LOG_TRIP="0"

    TCP_STOP="DROP"
    UDP_STOP="DROP"
    ALL_STOP="DROP"
    PKT_SANITY="1"

    PKT_SANITY_INV="0"
    PKT_SANITY_FUDP="1"

    PKT_SANITY_PZERO="1"
    PKT_SANITY_STUFFED="0"
    TOS_DEF="0"
    TOS_DEF_RANGE="512:65535"
    TOS_0=""
    TOS_2=""

    # 4: Ports for Minimize Delay - Maximize Reliability
    TOS_4=""
    TOS_8="21,20,80"
    TOS_16="25,110,143"
    TCR_PASS="0"
    TCR_PORTS="33434:33534"

    ICMP_LIM="30/s"
    RESV_DNS="1"
    RESV_DNS_DROP="1"
    BLK_P2P_PORTS="removed"
    BLK_PORTS="removed"
    BLK_MCATNET="0"

    BLK_PRVNET="0"
    BLK_RESNET="1"

    BLK_IDENT="0"
    SYSCTL_CONNTRACK="130000"
    SYSCTL_TCP="1"
    SYSCTL_SYN="1"
    SYSCTL_ROUTE="0"
    SYSCTL_LOGMARTIANS="0"
    SYSCTL_ECN="0"
    SYSCTL_SYNCOOKIES="1"
    SYSCTL_OVERFLOW="0"
    HELPER_SSH="1"
    HELPER_SSH_PORT="removed"

    # Common inbound (ingress) TCP ports
    IG_TCP_CPORTS="removed"
    IG_UDP_CPORTS="removed"
    IG_ICMP_TYPES="removed"
    EGF="1"
    EG_TCP_CPORTS="removed"
    EG_UDP_CPORTS="removed"

    EG_ICMP_TYPES="all"

    # UID-Match outbound (egress) TCP ports
    EG_TCP_UID=""

    # UID-Match outbound (egress) UDP ports
    EG_UDP_UID=""
    EG_DROP_CMD=""

    ##
    # [Remote Rule Imports]
    DLIST_PHP="0"

    DLIST_PHP_URL="rfxn.com/downloads/php_list"
    DLIST_PHP_URL_PROT="http"
    DLIST_SPAMHAUS="0"

    DLIST_SPAMHAUS_URL="www.spamhaus.org/drop/drop.lasso"
    DLIST_SPAMHAUS_URL_PROT="http"
    DLIST_DSHIELD="0"

    DLIST_DSHIELD_URL="feeds.dshield.org/top10-2.txt"
    DLIST_DSHIELD_URL_PROT="http"
    DLIST_RESERVED="0"

    DLIST_RESERVED_URL="rfxn.com/downloads/reserved.networks"
    DLIST_RESERVED_URL_PROT="http"
    DLIST_ECNSHAME="0"

    DLIST_ECNSHAME_URL="rfxn.com/downloads/ecnshame.lst"
    DLIST_ECNSHAME_URL_PROT="http"

    # Global Trust
    USE_RGT="0"

    GA_URL="yourhost.com/glob_allow.rules"
    GA_URL_PROT="http"

    GD_URL="yourhost.com/glob_deny.rules"
    GD_URL_PROT="http"

    ##
    # [Logging and control settings]
    LOG_DROP="0"

    # What log level should we send all log data too?
    # refer to man syslog.conf for levels
    LOG_LEVEL="crit"
    LOG_TARGET="LOG"
    LOG_IA="0"

    # Log all foreign gateway traffic
    LOG_LGATE="0"

    LOG_EXT="0"
    LOG_RATE="10"

    LOG_APF="/var/log/apf_log"

    ##
    # [Import misc. conf]
    ##
    # Internal variable file
    CNFINT="$INSTALL_PATH/internals/internals.conf"
    . $CNFINT

  9. #9
    Join Date
    Apr 2005
    Posts
    1,767
    I would agree, upgrade to CSF.

  10. #10
    Join Date
    Nov 2005
    Posts
    78
    ok, will do! thank you)
