  1. #1

    Massive DDOS - Urgent Help Needed

    I'm not very good at server administration, I stick to WHM, but my server is now experiencing a DDOS that hasn't seized up at all. My server is brought to its knees. Can anyone give any advice?

  2. #2
    Join Date
    Mar 2009
    Location
    /usr/bin/perl
    Posts
    971
    Depending on how large "massive" is, a tipping point firewall might mitigate the impact this has on your servers.

    Beyond that, the only solution is incredibly expensive hardware specifically designed to filter out nasty traffic, which only specialized data centers have.

    Edit: also, if you notice that the bad traffic is all coming from specific regions, you can mass-blacklist IPs in your firewall, dropping all packets from those regions instantly.
    Last edited by e-Sensibility; 08-10-2009 at 01:03 AM.

  3. #3
    Join Date
    Oct 2007
    Location
    India
    Posts
    67
    Hello,

    You can use this command to check the IPs from which the attack is coming.

    netstat -anp|grep tcp|awk '{print $5}'| cut -d : -f1 | sort | uniq -c | sort -n
    Based on the result, blacklist the IP in the server firewall.


    Also, you can use this script to prevent DDoS attacks.


    #!/bin/bash
    # Finding out which IPs are making connections and the number of connections from each IP.
    # Make a file named "counter" in the same directory as this script and add one entry per line:
    # the script will run one round for each line in that file.
    # All working files live next to the script so their location is clearly defined.
    BASE=$(cd "$(dirname "$0")" && pwd)
    CONNECTIONS="$BASE/connections"
    BLOCKED="$BASE/blocked"
    LIMIT=50    # an IP holding more than this many TCP connections gets blocked

    for j in $(cat "$BASE/counter")
    do
        echo "Round=$j"
        # Foreign address of every TCP socket, IPv4 only (cut at the first ':'), counted per IP and
        # sorted ascending so the busiest IP is on the last line; local/listening addresses dropped
        netstat -anp | grep tcp | awk '{print $5}' | cut -d : -f1 | sort | uniq -c | sort -n \
            | grep -v 127.0.0.1 | grep -v 0.0.0.0 > "$CONNECTIONS"

        ##### Finding the number of entries in the file #####
        n=$(wc -l < "$CONNECTIONS")
        if [ "$n" -eq 0 ]; then
            echo "No remote connections found"
            exit
        fi

        ##### Checking the top five connection making IPs #####
        # Each line of $CONNECTIONS is "<count> <ip>". The five highest counts are walked from the
        # top down; an IP making more than $LIMIT connections is recorded in $BLOCKED and blocked
        # with csf, and the script exits as soon as one of the top five is at or below $LIMIT.
        # (The loop reads from process substitution, not a pipe, so "exit" ends the whole script.)
        while read -r count ip
        do
            echo "$count $ip"
            if [ "$count" -gt "$LIMIT" ]; then
                echo "$ip" >> "$BLOCKED"
                csf -d "$ip"
            else
                # rm -f "$CONNECTIONS" "$BLOCKED"
                exit
            fi
        done < <(sort -rn "$CONNECTIONS" | head -n 5)

        echo "Completed round $j"
        /etc/init.d/csf restart
        echo " "
        # sleep 10
    done
    Regards,
    Alan John

  4. #4
    Join Date
    Jul 2009
    Posts
    178
    Best solution is to install DOS-Deflate which stops all attacks on all ports.

  5. #5
    Join Date
    Nov 2002
    Posts
    1,468
    Wow, about the script, does it really work?
    All life is an experiment. The more experiments you make the better.

  6. #6
    Yes, it sees which IPs have multiple connections and then bans them from the server. You need to be able to connect to SSH though.

  7. #7
    Join Date
    Mar 2009
    Posts
    245
    Quote Originally Posted by Wulex View Post
    Wow, about the script, does it really work?
    Yes it does. Some people say the csf firewall can do the same thing, but don't know how.

  8. #8
    Join Date
    Mar 2009
    Location
    /usr/bin/perl
    Posts
    971
    Never used CSF, but you can easily accomplish this with iptables, which will be on any Linux box, or pf on *BSD.

  9. #9
    Join Date
    May 2006
    Location
    EU & USA
    Posts
    3,684
    Quote Originally Posted by roguehosting View Post
    Yes it does.Some people says how csf firewall can do same thing,but don't know how.
    Might misunderstand your post, but the script posted above is using CSF.

    P.S. When using that script I would first rewrite it so that file locations are a bit better defined; this might get confusing.
    Last edited by 040Hosting; 08-10-2009 at 09:13 AM. Reason: added remark about script.

  10. #10
    Join Date
    Mar 2009
    Posts
    245
    Quote Originally Posted by 040Hosting View Post
    Might misunderstand your post, but the script posted above is using CSF.

    P.S. When using that script I would first rewrite it so that file locations are a bit better defined; this might get confusing.
    DOS Deflate is using APF, not CSF.

  11. #11
    Join Date
    May 2006
    Location
    EU & USA
    Posts
    3,684
    Quote Originally Posted by roguehosting View Post
    DOS Deflate is using APF, not CSF.
    Sorry, but I thought you were mentioning the script shown in this post and that you were answering someone's question regarding that script.

    From my point of view alanzkorner's post was the one Wulex (which you quoted) was about. Hence my confusion.
    Last edited by 040Hosting; 08-10-2009 at 10:28 AM. Reason: pressed send way to fast.

  12. #12
    Join Date
    Jun 2008
    Location
    India
    Posts
    261
    Script is cool, could you include rules to block exim usage too?
    Ranjith
    Light travels faster than sound. This is why some people look bright until you actually hear them speak

  13. #13
    Join Date
    Aug 2003
    Location
    East Coast
    Posts
    2,063
    LFD (part of csf) reads the logs and blackholes malicious users based on the specifications that you enter in the configuration. There is a rigid set of standard rules.

    Honestly though, unless it's a small DDoS, iptables etc. won't do you much good. But then again, if you can SSH into the box it's a small DoS attack and not an actual botnet.

  14. #14
    Join Date
    Dec 2008
    Location
    Florida
    Posts
    1,052
    CSF is currently the best free firewall solution out there, if you have any sort of knowledge at all you'll know how to set it up, because it has a pretty WHM Control Panel.

    It takes several hours to get everything perfect though, and just because you do not pass all the security checks it has, doesn't mean your server is insecure. You want a minimum of a 100 on your server's security score though. Once you install CSF, you'll know what I mean.

    As for DDoS attacks, unless you're fairly large you're dealing with a small attack from a script kiddie. He's probably just flooding you with packets, so scan the connections and set it so that it bans anyone who uses over 150 connections at one time.
    *WARNING: When DL'ing files from FTP, each file is a connection, so be careful with that number.
    Not sure what to put here :-P
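
The connection counting behind the netstat one-liner and script in post #3, and the per-IP connection threshold suggested in this post, as an added shell example that is not from any poster in this thread. It counts TCP connections per remote IP from netstat-style output, strips the trailing port so IPv6 foreign addresses survive (the one-liner's `cut -d : -f1` truncates those to the first hextet), skips the header and local/listening addresses, breaks the count down by local port so an FTP transfer (one connection per file) can be told apart from a flood on the web port, and only prints the csf commands for review instead of running them. The netstat sample is constructed from documentation address ranges; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): count TCP connections per remote IP from
# netstat-style output and list the IPs above a threshold without calling csf.

# Constructed sample in "netstat -ant" layout. Addresses are from the RFC 5737 /
# RFC 3849 documentation ranges, not real hosts. 198.51.100.7 holds four
# connections to port 80; 203.0.113.9 holds three, but they are FTP (ports 21/20).
SAMPLE_NETSTAT=$(cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51235      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51236      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:51237      ESTABLISHED
tcp        0      0 192.0.2.10:21           203.0.113.9:40001       ESTABLISHED
tcp        0      0 192.0.2.10:20           203.0.113.9:40002       ESTABLISHED
tcp        0      0 192.0.2.10:20           203.0.113.9:40003       ESTABLISHED
tcp        0      0 127.0.0.1:3306          127.0.0.1:40004         ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 2001:db8::1:80          2001:db8:1::5:5000      ESTABLISHED
tcp6       0      0 2001:db8::1:80          2001:db8:1::5:5001      ESTABLISHED
EOF
)

# Read netstat lines on stdin, print "count ip" per remote IP, highest count first.
# Only lines whose first field starts with "tcp" are counted, so the header is skipped.
count_remote_ips() {
    awk '$1 ~ /^tcp/ {
            ip = $5; sub(/:[^:]*$/, "", ip)       # drop the trailing :port (IPv4 and IPv6)
            if (ip != "0.0.0.0" && ip != "127.0.0.1" && ip != "::" && ip != "::1") print ip
        }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Same, keyed on remote IP and local port: "count ip port". A high count on
# ports 20/21 is an FTP session (one connection per file), not a flood.
count_by_local_port() {
    awk '$1 ~ /^tcp/ {
            ip = $5; sub(/:[^:]*$/, "", ip)
            port = $4; sub(/^.*:/, "", port)      # keep only the local port
            if (ip != "0.0.0.0" && ip != "127.0.0.1" && ip != "::" && ip != "::1") print ip, port
        }' | sort | uniq -c | sort -rn | awk '{ print $1, $2, $3 }'
}

# From "count ip" lines on stdin, print only the IPs whose count is above $1.
over_threshold() {
    awk -v limit="$1" '$1 > limit { print $2 }'
}

# Dry run: print the csf block command for every remote IP above the threshold
# instead of executing it, so the list can be reviewed before anything is blocked.
plan_blocks() {
    count_remote_ips | over_threshold "$1" | while read -r ip; do
        printf 'csf -d %s\n' "$ip"
    done
}

# Usage on a live box (IPv4 and IPv6 handled in one pass):
#   netstat -ant | plan_blocks 50          # review the list
#   netstat -ant | count_by_local_port     # check which service the connections hit
```

With the sample above, `plan_blocks 3` prints only `csf -d 198.51.100.7`; `203.0.113.9` stays under the limit, and `count_by_local_port` shows its connections are on ports 20 and 21, which is the FTP case the warning in this post describes.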

  15. #15
    Join Date
    Sep 2008
    Location
    Sweden
    Posts
    1,282
    Hello, and how can I run those scripts?

  16. #16
    Join Date
    Mar 2009
    Location
    Houston, TX
    Posts
    1,114
    It all depends on the size and type of attack. Just use proper software configs/firewalls such as CSF and, if needed, transfer to a DDoS protected network. There are several out there that are decent.
    Charles W. @ Nexeon Technologies, Inc. - Have a question? PM or email me directly! - c[@]nexeon.com
    Dedicated servers, colocation, cloud, game servers, on-site & remote DDoS protection, and more! Managed options available.
    Data Centers in Chicago, New York, & more! IPv4 and IPv6 available! Contact us for data center buildout & network consultation.
    InstantDedis.com - Instantly delivered dedicated servers located in Chicago, New York, and Dallas.

  17. #17
    Join Date
    Dec 2008
    Location
    Florida
    Posts
    1,052
    Quote Originally Posted by neXeon View Post
    It all depends on the size and type of attack. Just use proper software configs/firewalls such as CSF and, if needed, transfer to a DDoS protected network. There are several out there that are decent.
    They are also quite expensive and could cost you thousands of dollars a month.
    Not sure what to put here :-P

  18. #18
    Join Date
    Mar 2009
    Location
    Houston, TX
    Posts
    1,114
    We have utilized several different DDoS protected networks that have filtered/blocked large botnet attacks. The price is about the same as a normal server on a normal network. I doubt that additional hardware firewalls, etc, would be needed.
    Charles W. @ Nexeon Technologies, Inc. - Have a question? PM or email me directly! - c[@]nexeon.com
    Dedicated servers, colocation, cloud, game servers, on-site & remote DDoS protection, and more! Managed options available.
    Data Centers in Chicago, New York, & more! IPv4 and IPv6 available! Contact us for data center buildout & network consultation.
    InstantDedis.com - Instantly delivered dedicated servers located in Chicago, New York, and Dallas.

  19. #19
    Join Date
    Jun 2008
    Location
    India
    Posts
    261
    You may either run it manually or set cron for it
    Ranjith
    Light travels faster than sound. This is why some people look bright until you actually hear them speak

  20. #20
    Join Date
    Sep 2008
    Location
    Sweden
    Posts
    1,282
    Hello, and how can I run those scripts?

  21. #21
    Join Date
    Mar 2009
    Posts
    245
    Quote Originally Posted by nimafire View Post
    Hello, and how can I run those scripts?
    Which scripts? CSF and DDoS Deflate?

  22. #22
    Join Date
    Sep 2008
    Location
    Sweden
    Posts
    1,282
    I mean this script:

    Quote Originally Posted by alanzkorner View Post
    Hello,

    #!/bin/bash
    # Finding out which IPs are making connections and the number of connections from each IP.
    [...]

  23. #23
    Join Date
    Mar 2009
    Location
    /usr/bin/perl
    Posts
    971
    If you are paying regular prices then you are obviously not on a truly DDoS protected network.

    The hardware alone, just for DDoS protection, not even the rest of the network, usually costs at least 500k at the entry levels.

    Quote Originally Posted by neXeon View Post
    We have utilized several different DDoS protected networks that have filtered/blocked large botnet attacks. The price is about the same as a normal server on a normal network. I doubt that additional hardware firewalls, etc, would be needed.

  24. #24
    Join Date
    Jun 2006
    Location
    NYC
    Posts
    1,446
    Quote Originally Posted by jarrodsl View Post
    The hardware alone, just for DDoS protection, not even the rest of the network, usually costs at least 500k at the entry levels.
    That's an incorrect statement, but it is very expensive. The hardware is a big cost, and the actual bandwidth needed to handle a real attack is highly expensive in itself.

    You can spend a half million, but there are providers competing in the realm of being 'top' DDoS protected networks using OpenBSD configurations. You don't have to invest in ridiculously expensive appliances. Even then, as I mentioned, you still need big pipes.

    He could be paying a little higher than the normal price for good DDOS protection. Although, for custom configurations with dynamic rules, etc., you're looking at $1500/month+.
    FiberPeer.Com | | REAL DDoS Protection | Cloud Hosting | VPS | Dedicated Servers | High Bandwidth Hosting | 1Gbps-10Gbps Unmetered
    FiberPeer DDoS Mitigation | ethProxy Upgraded! | 14-Years Experience | Emergency 24/7 Support
    Visit us @ www.fiberpeer.com
