
08-10-2009, 12:34 AM
Junior Guru Wannabe
Join Date: Oct 2004
Posts: 33

Massive DDOS - Urgent Help Needed
I'm not very good at server administration, I stick to WHM, but my server is now experiencing a DDOS that hasn't ceased at all. My server is brought to its knees. Can anyone give any advice?

08-10-2009, 12:59 AM
Uptime Aficionado
Join Date: Mar 2009
Location: /usr/bin/perl
Posts: 971

Depending on how large "massive" is, a tipping-point firewall might mitigate the impact this has on your servers.
Beyond that, the only solution is incredibly expensive hardware specifically designed to filter out nasty traffic, which only specialized data centers have.
Edit: also, if you notice that the bad traffic is all coming from specific regions, you can mass-blacklist IPs in your firewall, dropping all packets from those regions instantly.
Last edited by e-Sensibility; 08-10-2009 at 01:03 AM.

08-10-2009, 02:29 AM
Junior Guru Wannabe
Join Date: Oct 2007
Location: Mumbai, India
Posts: 67

Hello,
You can use this command to check the IPs from which the attack is coming.
Quote:
netstat -anp|grep tcp|awk '{print $5}'| cut -d : -f1 | sort | uniq -c | sort -n
Based on the result, blacklist the IPs in the server firewall.
Also, you can use this script to prevent DDoS attacks.
Quote:
#!/bin/bash
# Finds out which IPs are making connections, and how many connections each IP has.
# Make a file named "counter" in the same location as this script and add one entry per line;
# the script runs one round per line in that file.
THRESHOLD=50   # an IP making more than this many connections gets blocked
cd "$(dirname "$0")" || exit 1

for j in $(cat ./counter)
do
    echo "Round=$j"
    # Count connections per remote IP, lowest count first, ignoring loopback and unspecified addresses
    netstat -anp | grep tcp | awk '{print $5}' | cut -d : -f1 | sort | uniq -c | sort -n \
        | grep -v 127.0.0.1 | grep -v 0.0.0.0 > connections

    ##### Check the top five connection-making IPs, heaviest first #####
    # Each one making more than $THRESHOLD connections is appended to ./blocked and denied with csf.
    # As in the original, the script exits as soon as one of the top five is at or below the threshold.
    while read -r count ip
    do
        echo "$ip ($count connections)"
        if [ "$count" -gt "$THRESHOLD" ]
        then
            echo "$ip" >> blocked
            csf -d "$ip"
        else
            exit
        fi
    done < <(tail -n 5 connections | sort -rn)

    echo "Completed round $j"
    /etc/init.d/csf restart
    echo " "
    #sleep 10
done
__________________
Regards,
Alan John

08-10-2009, 03:16 AM
Temporarily Suspended
Join Date: Jul 2009
Posts: 178

The best solution is to install DOS-Deflate, which stops all attacks on all ports.

08-10-2009, 03:20 AM
Web Hosting Master
Join Date: Nov 2002
Posts: 1,468

Wow, about the script, does it really work?
__________________
All life is an experiment. The more experiments you make the better.

08-10-2009, 04:54 AM
Newbie
Join Date: Aug 2009
Posts: 23

Yes, it sees which IPs have multiple connections, then bans them from the server. You need to be able to connect to SSH though.

08-10-2009, 08:33 AM
Junior Guru
Join Date: Mar 2009
Posts: 244

Quote:
Originally Posted by Wulex
Wow, about the script, does it really work?

Yes, it does. Some people say the CSF firewall can do the same thing, but don't know how.

08-10-2009, 08:59 AM
Uptime Aficionado
Join Date: Mar 2009
Location: /usr/bin/perl
Posts: 971

Never used CSF, but you can easily accomplish this with iptables, which will be on any Linux box, or pf on *BSD.

08-10-2009, 09:12 AM
Community Liaison
Join Date: May 2006
Location: EU & USA
Posts: 3,627

Quote:
Originally Posted by roguehosting
Yes, it does. Some people say the CSF firewall can do the same thing, but don't know how.

I might misunderstand your post, but the script posted above is using CSF.
P.S. When using that script I would first rewrite it so that the file locations are a bit better defined; this might get confusing.
Last edited by 040Hosting; 08-10-2009 at 09:13 AM.
Reason: added remark about script.

08-10-2009, 10:23 AM
Junior Guru
Join Date: Mar 2009
Posts: 244

Quote:
Originally Posted by 040Hosting
I might misunderstand your post, but the script posted above is using CSF.
P.S. When using that script I would first rewrite it so that the file locations are a bit better defined; this might get confusing.

DOS-Deflate is using APF, not CSF.

08-10-2009, 10:26 AM
Community Liaison
Join Date: May 2006
Location: EU & USA
Posts: 3,627

Quote:
Originally Posted by roguehosting
DOS-Deflate is using APF, not CSF.

Sorry, but I thought you were referring to the script shown in this post and that you were answering someone's question regarding that script.
From my point of view, alanzkorner's post was the one Wulex (whom you quoted) was asking about. Hence my confusion.
Last edited by 040Hosting; 08-10-2009 at 10:28 AM.
Reason: pressed send way too fast.

08-10-2009, 12:08 PM
Web Hosting Guru
Join Date: Jun 2008
Location: India
Posts: 258

The script is cool; could you include rules to block Exim usage too?
__________________
Ranjith
Light travels faster than sound. This is why some people look bright until you actually hear them speak.

08-10-2009, 02:10 PM
Web Hosting Master
Join Date: Aug 2003
Location: East Coast
Posts: 1,952

LFD (part of CSF) reads the logs and blackholes malicious users based on the specifications that you enter in the configuration. There is a rigid set of standard rules.
Honestly though, unless it's a small DDoS, iptables etc. won't do you much good. But then again, if you can SSH into the box it's a small DoS attack and not an actual botnet.

08-11-2009, 07:44 AM
Danananana Danananana Batman!
Join Date: Dec 2008
Location: Florida
Posts: 1,052

CSF is currently the best free firewall solution out there; if you have any sort of knowledge at all you'll know how to set it up, because it has a pretty WHM control panel.
It takes several hours to get everything perfect though, and just because you do not pass all the security checks it has doesn't mean your server is insecure. You want a minimum of 100 on your server's security score though. Once you install CSF, you'll know what I mean.
As for DDoS attacks, unless you're fairly large you're dealing with a small attack from a script kiddie. He's probably just flooding you with packets, so scan the connections and set it so that it bans anyone who uses over 150 connections at one time.
*WARNING: When downloading files from FTP, each file is a connection, so be careful with that number.
__________________
Not sure what to put here :-P
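The per-IP connection count that Alan John's script builds from netstat, the iptables alternative e-Sensibility mentions, and the per-IP limit with its FTP caveat from the post above, as one added example that is not code from this thread or from any of its posters. The function names (offenders, iptables_rules, sample_netstat), the thresholds, and the addresses (203.0.113.10 as the server, 198.51.100.7 and 192.0.2.x as clients) are assumptions; the netstat output is constructed so the example runs offline. It goes beyond the thread's script in one way: the count can be scoped to a single local port, so a client that legitimately holds many FTP connections does not get caught by a rule meant for a web flood.

```shell
#!/bin/sh
# Added example (not from this thread): count TCP connections per remote IP
# from `netstat -an` output and list the IPs above a threshold. Function names,
# thresholds and addresses below are assumptions made for illustration.

# offenders THRESHOLD [LOCAL_PORT]  <  netstat -an output
# Prints "count ip" for every remote IP with more than THRESHOLD connections.
# With LOCAL_PORT, only connections to that local port are counted, so a client
# pulling many files over FTP (port 21) does not look like a flood on port 80.
offenders() {
    awk -v threshold="$1" -v port="${2:-}" '
        $1 ~ /^tcp/ {
            nl = split($4, lcl, ":")       # local  address:port
            split($5, rmt, ":")            # remote address:port
            ip = rmt[1]
            # skip listeners, loopback and IPv6 wildcard entries (empty ip)
            if (ip == "" || ip == "0.0.0.0" || ip == "127.0.0.1") next
            if (port != "" && lcl[nl] != port) next
            count[ip]++
        }
        END {
            for (ip in count)
                if (count[ip] > threshold) print count[ip], ip
        }' | sort -rn
}

# iptables_rules  <  offender list
# Emits one DROP rule per offending IP as text so it can be reviewed first;
# pipe the output into sh to apply. (The csf equivalent is "csf -d IP".)
iptables_rules() {
    while read -r count ip; do
        echo "iptables -I INPUT -s $ip -j DROP   # $count connections"
    done
}

# Constructed sample in the layout of `netstat -an` on Linux: one remote host
# holding six half-open connections to port 80, an FTP client with four
# transfers on port 21, and a single SSH session.
sample_netstat() {
    echo "Active Internet connections (servers and established)"
    echo "Proto Recv-Q Send-Q Local Address           Foreign Address         State"
    echo "tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN"
    echo "tcp6       0      0 :::22                   :::*                    LISTEN"
    i=0
    while [ "$i" -lt 6 ]; do
        echo "tcp        0      0 203.0.113.10:80         198.51.100.7:4000$i     SYN_RECV"
        i=$((i + 1))
    done
    i=0
    while [ "$i" -lt 4 ]; do
        echo "tcp        0      0 203.0.113.10:21         192.0.2.44:5100$i       ESTABLISHED"
        i=$((i + 1))
    done
    echo "tcp        0      0 203.0.113.10:22         192.0.2.9:33000         ESTABLISHED"
}

# With a low threshold of 3, counting all ports flags both busy clients, while
# scoping the check to the attacked service flags only the port-80 flooder.
# On a live box replace "sample_netstat" with "netstat -an".
echo "--- all ports, threshold 3 ---"
sample_netstat | offenders 3
echo "--- port 80 only, threshold 3, as iptables rules ---"
sample_netstat | offenders 3 80 | iptables_rules
```

The rules are printed rather than applied so they can be checked against known-good addresses (your own monitoring hosts, the FTP client above) before anything is dropped; a threshold that fits a web flood is easily tripped by legitimate multi-connection clients, which is exactly the warning in the post above.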

08-11-2009, 09:43 AM
Web Hosting Master
Join Date: Sep 2008
Location: Canada
Posts: 1,006

Hello, and how can I run that script?