
07-23-2009, 01:08 AM
Junior Guru Wannabe
Join Date: Aug 2008
Posts: 35
Help - How to prevent DDoS attacks?
I believe that my site is being DDoSed, and I'm wondering how I can prevent this from happening.
I'm running CentOS 5.3.
Are there any server-side scripts or PHP scripts that could be used to dynamically block out IPs that are consuming too many resources on the VPS?
- Matt.

07-23-2009, 01:34 AM
Newbie
Join Date: Jul 2009
Posts: 14
Consider installing DoS_deflate. It will help you block DDoS to a certain extent, by blocking the IPs which exceed a specified threshold value.

07-23-2009, 01:38 AM
Junior Guru
Join Date: May 2009
Location: On a Speck!!!!!
Posts: 215
Hello,
Use the following command from the shell to find the IPs that have a large number of connections with the server.
netstat -plan|grep :80|awk '{print $5}'|cut -d: -f 1|sort|uniq -c|sort -n

07-23-2009, 02:10 AM
Junior Guru Wannabe
Join Date: May 2006
Posts: 64
Also check the logs for a large number of repeated hits to the same URL spaced a short time apart.

07-23-2009, 03:09 AM
Aspiring Evangelist
Join Date: May 2006
Location: World Wide Web
Posts: 380
Hi,
You can confirm whether the server is under DDoS attack using the script below.
netstat -plan|grep :80|awk '{print $5}'|cut -d: -f 1|sort|uniq -c|sort -nk 1
(The above script will give the total number of HTTP connections to port 80.)
If you have confirmed that the server is under DDoS attack, then you need to make some tweaks on your server, such as:
1) Install mod_security
2) Install mod_dosevasive
3) Harden the sysctl parameters (kernel params) to mitigate the current attack.
4) Increasing the backlog queue size and decreasing the backlog queuing time might help a bit.
5) Also you need to run some scripts to monitor the server and block the IPs if they cause DDoS.
6) Check for suspicious processes and files using the latest scanning tools.
__________________
LogicSupport.com - Support That Makes Sense! 
Quality Server Management & Web Hosting Support

07-23-2009, 03:30 AM
Web Hosting Evangelist
Join Date: Jun 2006
Location: Cluj Napoca
Posts: 468
logicsupport, not to be rude since we try to help Phatmat, but if he is under a DDoS (not DoS) then installing mod_security and dos_evasive will not help at all and will only waste time for him.
Also you cannot block the IP that causes the DDoS, since a DDoS is a distributed DoS (multiple IPs, usually many).
Hardening (more of tuning, because it's not really hardening) sysctl will help.
If indeed you are getting a DDoS on port 80 (apache), please let us know.
If it's only a DoS then that can be solved quickly.
__________________
█ IntoDNS - Check your DNS health and configuration
█ IntoVPS - US Fremont and Dallas;EU - Netherlands and Romania VPS hosting
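
The sysctl tuning that both of the posts above refer to (step 3 and 4 in the list, and "tuning sysctl will help"), as an added example that is not from the thread or from any of the posters: a small sh script that renders, applies and checks a set of SYN-flood related kernel settings. The keys exist on the 2.6 kernels CentOS 5 ships; the values are illustrative starting points, an assumption rather than benchmarked figures. Two caveats a practitioner would want: syncookies and backlog sizes help against SYN floods, not against a flood of completed HTTP connections (the kind that shows up as ESTABLISHED in netstat), and on container-based VPS (OpenVZ was typical in 2009) many of these keys are read-only inside the guest and have to be set by the host.

```sh
#!/bin/sh
# Added example, not code from the thread or from DoS-Deflate/CSF.
# Renders, applies and checks SYN-flood related sysctl settings.
# Values are illustrative starting points (an assumption, not tuned numbers).

# One "key value" per line. All of these exist on CentOS 5's 2.6.18 kernel.
syn_flood_settings() {
  cat <<'EOF'
net.ipv4.tcp_syncookies 1
net.ipv4.tcp_max_syn_backlog 4096
net.ipv4.tcp_synack_retries 2
net.ipv4.tcp_fin_timeout 15
net.core.somaxconn 1024
net.core.netdev_max_backlog 2000
EOF
}

# "net.ipv4.tcp_syncookies" -> "/proc/sys/net/ipv4/tcp_syncookies"
proc_path() { printf '/proc/sys/%s\n' "$(printf '%s' "$1" | tr . /)"; }

# Print the sysctl -w commands (default, a dry run) or execute them ("apply").
# Read the dry run first; a typo here goes straight into the live network stack.
tune_syn_flood() {
  mode=${1:-dry-run}
  syn_flood_settings | while read -r key val; do
    if [ "$mode" = apply ]; then sysctl -w "$key=$val"
    else echo "sysctl -w $key=$val"; fi
  done
}

# Print "key current target" for every setting whose live value differs.
# Reads /proc/sys directly, so it works unprivileged; keys the kernel (or a
# container host) does not expose are skipped rather than reported.
check_syn_flood() {
  syn_flood_settings | while read -r key val; do
    p=$(proc_path "$key")
    [ -r "$p" ] || continue
    cur=$(cat "$p")
    [ "$cur" = "$val" ] || echo "$key $cur $val"
  done
}

# "key = value" lines in /etc/sysctl.conf syntax, so the settings survive a reboot.
sysctl_conf_fragment() { syn_flood_settings | sed 's/ / = /'; }
```

Run `tune_syn_flood` with no argument to see the commands, `tune_syn_flood apply` as root to execute them, `check_syn_flood` to see what still differs from the target (on an OpenVZ guest, expect it to stay different), and `sysctl_conf_fragment >> /etc/sysctl.conf` followed by `sysctl -p` to make them persistent.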

07-23-2009, 03:50 AM
Junior Guru Wannabe
Join Date: Aug 2008
Posts: 35
Quote:
Originally Posted by Cristi4n
logicsupport, not to be rude since we try to help Phatmat, but if he is under a DDoS (not DoS) then installing mod_security and dos_evasive will not help at all and will only waste time for him.
Also you cannot block the IP that causes the DDoS, since a DDoS is a distributed DoS (multiple IPs, usually many).
Hardening (more of tuning, because it's not really hardening) sysctl will help.
If indeed you are getting a DDoS on port 80 (apache), please let us know.
If it's only a DoS then that can be solved quickly.
I don't believe that it would be a major attack. From my knowledge, a member was banned on my forum for breaking the rules, and got back at us by DDoSing; I don't think he would be using anything too major.
Though, how would I check if they are attacking on port 80? At the moment I've got no access to my VPS, since SSH is down and the server is unpingable. I'm waiting for my hosts to reboot it. I suppose my main issue is how to prevent this banned user taking down my forum again. Once it's back online I'll try to get some of those mods listed above installed.
Thanks for all the quick help guys.

07-23-2009, 04:24 AM
Aspiring Evangelist
Join Date: May 2006
Location: World Wide Web
Posts: 380
Phatmat,
Thank you for the update.
Mod_security and Mod_dosevasive (to prevent DoS) will help to prevent vulnerable activities on the server. It's always better to install these modules on your server. Also do the security tweaks we have mentioned once the load becomes normal.
==> "Though, how would I check if they are attacking on port 80?"
You can confirm this using the following script; just execute this in the shell:
netstat -plan|grep :80|awk '{print $5}'|cut -d: -f 1|sort|uniq -c|sort -nk 1
DDoS is Distributed DoS, meaning the attack comes from different sources. We can block such source IPs using scripts like Dos_deflate (Chris Isaac already mentioned that). Actually it is (D)DoS_deflate. Also install a firewall such as CSF and confirm all the unwanted ports are closed.
Please note that DDoS can't be prevented completely. But it can be controlled using some customized scripts.
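
The connection-count pipeline posted three times in this thread, together with the point made against per-IP blocking, as an added example that is not from the thread and not (D)DoS-Deflate's code. It is a sh script that parses netstat output with awk instead of `cut -d: -f1`, so IPv6 peers (which contain many colons) are not mangled, lists the sources at or above a threshold the way DoS-Deflate does, and prints a summary that separates one source holding most of the connections from many sources holding a few each. The netstat output is a constructed sample in `netstat -ntu` layout using RFC 5737/3849 documentation addresses, so none of it is real traffic; on a live box replace `make_sample` with `netstat -ntu` (the `-p` in `netstat -plan` needs root to show every process and is not needed for counting).

```sh
#!/bin/sh
# Added example, not code from the thread or from (D)DoS-Deflate.
# Parses netstat output with awk so IPv6 peers survive, counts connections
# per remote IP on one local port, and summarises single-source vs spread.

# Constructed sample in `netstat -ntu` layout (documentation addresses, not
# real traffic): one source holding 60 connections to :80, twenty sources
# holding 3 each, and one IPv6 client holding 1.
make_sample() {
  printf 'Active Internet connections (w/o servers)\n'
  printf 'Proto Recv-Q Send-Q Local Address           Foreign Address         State\n'
  i=0
  while [ "$i" -lt 60 ]; do
    printf 'tcp        0      0 192.0.2.5:80            203.0.113.10:%d       ESTABLISHED\n' $((40000 + i))
    i=$((i + 1))
  done
  h=1
  while [ "$h" -le 20 ]; do
    j=0
    while [ "$j" -lt 3 ]; do
      printf 'tcp        0      0 192.0.2.5:80            198.51.100.%d:%d       ESTABLISHED\n' "$h" $((50000 + j))
      j=$((j + 1))
    done
    h=$((h + 1))
  done
  # `cut -d: -f1` would turn this peer into "2001"; splitting on the last ":" does not.
  printf 'tcp6       0      0 2001:db8::5:80          2001:db8::abcd:51234    ESTABLISHED\n'
}

# count_by_remote_ip [PORT] < netstat-output  ->  "count ip", busiest first
count_by_remote_ip() {
  awk -v port="${1:-80}" '
    $1 ~ /^tcp/ {
      lp = $4; sub(/.*:/, "", lp)          # local port: text after the last ":"
      if (lp != port) next
      rip = $5; sub(/:[^:]*$/, "", rip)    # remote IP: text before the last ":"
      n[rip]++
    }
    END { for (ip in n) printf "%d %s\n", n[ip], ip }' | sort -rn
}

# over_threshold THRESHOLD [PORT] < netstat-output  ->  IPs at or above it.
# This is the per-IP rule a DoS-Deflate style script acts on.
over_threshold() {
  count_by_remote_ip "${2:-80}" | awk -v t="$1" '$1 >= t { print $2 }'
}

# summarize [PORT] < netstat-output -> total, distinct sources, top source's share.
# One source with a large share is a DoS the threshold rule catches; many
# sources each under the threshold is the distributed case it cannot.
summarize() {
  count_by_remote_ip "${1:-80}" | awk '
    BEGIN { max = 0 }
    { total += $1; hosts++; if ($1 > max) max = $1 }
    END { printf "total=%d sources=%d top=%d top_share=%d%%\n",
                 total, hosts, max, (total ? 100 * max / total : 0) }'
}

# Stand-alone run on the sample: `sh this.sh demo`
if [ "${1:-}" = demo ]; then
  make_sample | summarize
  make_sample | over_threshold 50
fi
```

On the sample, `make_sample | over_threshold 50` names one source and the summary shows it holding about half of all connections: that is the single-source case a per-IP threshold catches. Lower the threshold to 3 and twenty more sources appear, each far below any sensible per-IP limit; that is the distributed case where kernel tuning and upstream filtering, not per-IP bans, have to carry the load.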

07-23-2009, 04:40 AM
Web Hosting Evangelist
Join Date: Jun 2006
Location: Cluj Napoca
Posts: 468
Phatmat, let us know when the VPS is online and you have checked to see if you are getting a DoS or a DDoS.
logicsupport, he is on a VPS; installing a lot of modules without a reason will not help at all. dos_deflate is a waste of time for a true DDoS, not just 2 IPs flooding something. It's useless to get into details right now about this.
mod_security is ok, but Pathman should know what he is doing, and his problem doesn't seem very related to what mod_security can protect against.
Better to wait for Pathman to let us know when the server is online.
Last edited by Cristi4n; 07-23-2009 at 04:52 AM.

07-23-2009, 05:23 AM
Premium Member
Join Date: May 2009
Location: SLASH ROOT
Posts: 554
Dear Phatmat,
You will find a handful of DDoS mitigation tools. But I would suggest you analyze the current attack (monitor the traffic, its intensity and nature) using tools like tcpdump, iptraf etc., and then take steps to prevent it.

07-23-2009, 05:41 AM
Support Facility
Join Date: Jun 2009
Posts: 2,318
The command given below can be used to check the incoming and outgoing connections on the server.
netstat -na | grep 'tcp\|udp' | awk '{ print $4}' | cut -d: -f2 | sort | uniq -c | awk '{print $2}'
You can block the IPs by getting the CSF firewall installed on the server and using the command:
# csf -d ipaddress

07-23-2009, 07:16 AM
Aspiring Evangelist
Join Date: May 2006
Location: World Wide Web
Posts: 380
Hi Phatmat,
You can download the script to /usr/local and execute it. This will automatically create a cron job and will monitor the connections.
cd /usr/local
wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh
./install.sh
Also you can customize the script for your use. For example:
vi /usr/local/ddos/ddos.conf
##### How many connections define a bad IP? Indicate that below.
NO_OF_CONNECTIONS=50
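
The threshold-and-block half of what the installed script does (NO_OF_CONNECTIONS and the cron job), as an added example that is not from the thread and not DoS-Deflate's own code. It takes "count ip" lines, which is what the thread's `netstat | ... | uniq -c` pipeline prints, on stdin, skips a whitelist, blocks the rest with iptables, remembers what it blocked so a second cron tick does not insert duplicate rules, and lifts blocks after a TTL. It runs as a dry run unless DRY_RUN=0, which is how to rehearse such a script before arming it on a box you can only reach over SSH. The sample counts are constructed, not captured from any real server; `iptables` and the whitelist file are assumptions, and `csf -d` can replace the iptables call where CSF is installed.

```sh
#!/bin/sh
# Added example, not code from the thread and not DoS-Deflate's or CSF's own.
# Reads "count ip" lines (the output of the thread's netstat|...|uniq -c
# pipeline) on stdin, skips whitelisted addresses, blocks the rest with
# iptables, remembers blocks in a state file, and expires them after a TTL.
# Assumptions: iptables is the firewall; DRY_RUN=1 (the default) prints the
# commands instead of running them.

DRY_RUN=${DRY_RUN:-1}
STATE=${STATE:-/var/tmp/ddos-blocked.list}   # one "ip epoch-seconds" per line

# Constructed input, not captured from any real server: two busy sources,
# two quiet ones. 192.0.2.99 stands for "our own monitoring box".
sample_counts() {
  cat <<'EOF'
     60 203.0.113.10
      3 198.51.100.7
      2 198.51.100.8
     55 192.0.2.99
EOF
}

# Run a command, or just print it when DRY_RUN=1.
run() { if [ "$DRY_RUN" = 1 ]; then echo "DRY: $*"; else "$@"; fi; }

# select_offenders THRESHOLD WHITELIST_FILE < counts  ->  IPs to block.
# The whitelist (one IP per line) must hold every address you reach the box
# from plus your monitoring; the classic failure of an untested blocker is
# banning the admin's own IP.
select_offenders() {
  awk -v t="$1" -v wl="$2" '
    BEGIN { while ((getline line < wl) > 0) if (line != "") white[line] = 1 }
    $1 >= t && !($2 in white) { print $2 }'
}

# block_ip IP : insert a DROP rule once; a second pass must not add a duplicate.
block_ip() {
  grep -q "^$1 " "$STATE" 2>/dev/null && return 0
  run iptables -I INPUT -s "$1" -j DROP
  echo "$1 $(date +%s)" >> "$STATE"
}

# expire_blocks TTL_SECONDS : remove rules older than TTL so a NAT or dynamic
# address that was abusive once is not banned forever.
expire_blocks() {
  [ -f "$STATE" ] || return 0
  now=$(date +%s); tmp="$STATE.new"; : > "$tmp"
  while read -r ip ts; do
    if [ $((now - ts)) -ge "$1" ]; then
      run iptables -D INPUT -s "$ip" -j DROP
    else
      echo "$ip $ts" >> "$tmp"
    fi
  done < "$STATE"
  mv "$tmp" "$STATE"
}

# blocker_pass THRESHOLD WHITELIST_FILE < counts : one cron tick.
blocker_pass() {
  select_offenders "$1" "$2" | while read -r ip; do block_ip "$ip"; done
}

# Stand-alone rehearsal on the sample with a throwaway whitelist and state file.
if [ "${1:-}" = demo ]; then
  STATE=$(mktemp); wl=$(mktemp); echo 192.0.2.99 > "$wl"
  sample_counts | blocker_pass 50 "$wl"
  sample_counts | blocker_pass 50 "$wl"    # second tick: nothing new
  expire_blocks 0                          # TTL 0: lift everything now
  rm -f "$STATE" "$wl"
fi
```

In a real cron job the input would be `netstat -ntu | awk '{print $5}' | ...` instead of `sample_counts`, the pass would be `blocker_pass 50 /etc/ddos-whitelist`, and `expire_blocks 600` would follow it. Keep DRY_RUN=1 for the first few ticks and read the printed commands; only when your own address never shows up in them set DRY_RUN=0.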

07-23-2009, 07:31 AM
Junior Guru Wannabe
Join Date: Aug 2008
Posts: 35
Quote:
Originally Posted by logicsupport
Hi Phatmat,
You can download the script to /usr/local and execute it. This will automatically create a cron job and will monitor the connections.
cd /usr/local
wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh
./install.sh
Also you can customize the script for your use. For example:
vi /usr/local/ddos/ddos.conf
##### How many connections define a bad IP? Indicate that below.
NO_OF_CONNECTIONS=50
Is there any way to know whether the script will function for sure? I know, from experience, that when I install things like this they generally don't run first try, meaning my server will possibly get taken down again.
My plan is to move to a new VPS host in a day or two, setting up my server again with many more security measures. Though it's my first time doing so, and I was wondering if anyone could help me check the security of my VPS? I'm going to be running DirectAdmin with CentOS 5.3 (the VPS has 512MB RAM).
- Matt.

07-23-2009, 07:51 AM
Aspiring Evangelist
Join Date: May 2006
Location: World Wide Web
Posts: 380
If you would like someone to have a look at that, I would suggest you post your requirement in the system management requests section on WHT. Here's the link:
http://www.webhostingtalk.com/forumdisplay.php?f=140
I am sure there would be many who would offer you assistance there.