Ddos Attack, csf: DENY_IP_LIMIT (100)

#1  Aspiring Evangelist | Join Date: Sep 2008 | Location: NewYork | Posts: 436


Hello,

I'm getting DDoSed, and it's still going on.

I ran this command:

Code:
netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f 1 | sort | uniq -c | sort -nk 1
and it shows me this list of IPs:

and I blocked them with csf v4.76, the latest version.

I also installed this:
Code:
cd /usr/local;pwd
wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh
./install.sh

nano /usr/local/ddos/ddos.conf
##### How many connections define a bad IP? Indicate that below.
NO_OF_CONNECTIONS=50
Now when I try to add IPs to the csf deny list it gives me this error...

Code:
root@server [/home/]# /usr/sbin/csf -d 94.249.44.40
csf: DENY_IP_LIMIT (100), the following IP's were removed from /etc/csf/csf.deny:
41.205.107.174
Adding 94.249.44.40 to csf.deny and iptables DROP...
DROP  all opt -- in !lo out *  94.249.44.40  -> 0.0.0.0/0
DROP  all opt -- in * out !lo  0.0.0.0/0  -> 94.249.44.40
root@server [/home/]#
That means the deny list has more than 100 IPs, and every IP I add there removes an old one... I need something helpful for this kind of attack. Please help, guys!



#2  Web Hosting Evangelist | Join Date: Jun 2006 | Location: Cluj Napoca | Posts: 468
Well, it's useless to add IPs to the CSF deny list. You can easily add them to iptables directly, but if this is a real DDoS you will end up adding too many IPs and still not solving your issue. Does that DDoS lead to too many Apache children that eat all your memory?

Also, if you know for sure this is a real DDoS, ignore every piece of advice that will follow about mod_dosevasive and other scripts that won't help in that case.

__________________
IntoDNS - Check your DNS health and configuration
IntoVPS - US Fremont and Dallas;EU - Netherlands and Romania VPS hosting

#3  Aspiring Evangelist | Join Date: Sep 2008 | Location: NewYork | Posts: 436
Hello Cristi4n, I searched before I wrote this topic and I found your advice in another topic. What I'm doing now is what you advised before in some old topic, in this comment:

Code:
    * install and configure CSF - check the config file carefully
    * run the netstat command above to see if a few IPs are the main source of attack and block with "csf -d IP" as above
    * tweak kernel constants such as net.ipv4.tcp_syncookies, net.ipv4.tcp_max_syn_backlog, and net.ipv4.tcp_synack_retries
    * reduce Apache timeout (/etc/httpd/conf/httpd.conf "Timeout 100") to harden against slowloris
Now should I add these IPs in iptables or the csf deny list? I think it's the same (not sure actually).

And the server is good, it can handle it I think, because there is just 1 website, the server is dedicated, not a VPS, and the load there is 2.5%.. So what I am looking for is: is there any method for how to complete this step?

Code:
tweak kernel constants such as net.ipv4.tcp_syncookies, net.ipv4.tcp_max_syn_backlog, and net.ipv4.tcp_synack_retries
Thanks!

#4  Aspiring Evangelist | Join Date: Sep 2008 | Location: NewYork | Posts: 436
And is there any script that could show/explain where this attack comes from?

I looked at the log messages:

Code:
root@server [/home]# tail -f /var/log/messages
Aug 27 11:19:38 server pure-ftpd: (__cpanel__service__auth__ftpd__w_DxE4EHQw3xxxxvuBna2xkZggRXI4weJKuJpsKLM5FHUJBzRow6X@127.0.0.1) [INFO] Logout.
Aug 27 11:21:43 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:30:48:da:57:exxx:72:9a:00:08:00 SRC=8x.214.1x3.21 DST=9xx.31.8x.83 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=30916 PROTO=UDP SPT=1203 DPT=17167 LEN=28
Aug 27 11:24:26 server pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Aug 27 11:24:37 server pure-ftpd: (?@127.0.0.1) [INFO] __cpanel__service__auth__ftpd__6Df4C5l0xZNIuCsXNLpAl4ItAswbHdKHhthXCnUD68xi0PVcRwa0th4AnuU_Pmgu is now logged in
Aug 27 11:24:38 server pure-ftpd: (__cpanel__service__auth__ftpd__6Df4C5l0xZNIuCsXNLpAl4ItAswbHdKHhthXCnUD68xi0PVcRwa0th4AnuU_Pmgu@127.0.0.1) [INFO] Logout.
Aug 27 11:29:03 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ffxxx0 SRC=xxx1.216 DST=255.255.255.255 LEN=29 TOS=0x00 PREC=0x00 TTL=128 ID=10633 PROTO=UDP SPT=1061 DPT=1434 LEN=9
Aug 27 11:29:29 server pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Aug 27 11:29:40 server pure-ftpd: (?@127.0.0.1) [INFO] __cpanel__service__auth__ftpd__9VpllQ8Iy8mT3YF61YMSPz5_4zjIS7p4jsUYgiUaoV5HfEEn5u3qH6mEKEtnZJoD is now logged in
Aug 27 11:29:40 server pure-ftpd: (__cpanel__service__auth__ftpd__9VpllQ8Iy8mT3YF61YMSPz5_4zjIS7p4jsUYgiUaoV5HfEEn5u3qH6mEKEtnZJoD@127.0.0.1) [INFO] Logout.
Aug 27 11:29:42 server kernel: Firewall: *ICMP_IN Blocked* IN=eth0 OUT= MAC=00:30:48:da:xx:e8:00:xx:80:xx:9a:00:08:00 SRC=116.197.128.58 DST=96.31.85.86 LEN=48 TOS=0x00 PREC=0x00 TTL=43 ID=7708 DF PROTO=ICMP TYPE=8 CODE=0 ID=51810 SEQ=7198


Last edited by boxer; 08-27-2009 at 11:31 AM.
#5  Web Hosting Evangelist | Join Date: Jun 2006 | Location: Cluj Napoca | Posts: 468
Well, that is the thing with those DDoS attacks. If I were able to know the source I would probably reach that guy myself (usually a kid) and.... But you can't really find out who is behind a DDoS. What you can do is mitigate that DDoS, and the attacker will give up after he is convinced he can't get you down.

For a DDoS there is no script you can use that will solve your problem. Also, blocking those IPs in your firewall won't really help; I suspect that most of those IPs are real visitors since they only have 1 or 2 connections.

Also, how big is the number of IPs you see when you run that command (the one with netstat)?

csf is a Perl script that will (sort of) manage iptables and automate a few things. You can increase the IP limit to more than 100 by changing DENY_IP_LIMIT in /etc/csf/csf.conf.

If that is a DDoS (I don't see anything that looks like a DDoS from what you posted) you can use nginx, for example, as a reverse proxy to lower the number of Apache children created, since a DDoS will only send SYNs and so on.

Also, you should check to see if those are real requests to Apache or just SYNs.


#6  Aspiring Evangelist | Join Date: Sep 2008 | Location: NewYork | Posts: 436
I ran this command:

Code:
netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f 1 | sort | uniq -c | sort -nk 1
It shows me that list, so should I (JUST) deny the IPs that have more than 1 + 2 connections to my server?

#7  Support Facility | Join Date: Jun 2009 | Posts: 2,317
Limit the number of IPs in the /etc/csf/csf.deny file:

Raise the limit on the number of IP addresses you keep permanently banned. Replace 100 with the number of your choice.
Code:
DENY_IP_LIMIT = "100"

Raise the limit on the number of IP addresses you keep temporarily banned. Replace 100 with your new limit.
Code:
DENY_TEMP_IP_LIMIT = "100"

__________________
Support Facility | 24/7 web hosting technical support services
Technical support | Server management | Data migration

Technical Articles
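As an added example that is not from the thread and not csf's own code, the script below reads DENY_IP_LIMIT from a csf.conf (the `NAME = "value"` form shown above) and counts live entries in a csf.deny, so you can see the eviction from post #1 coming before `csf -d` silently drops the oldest entry; it then raises the limit in place. The paths are parameters and the sample files are constructed, so it never touches /etc/csf.

```shell
#!/bin/sh
# Added example (not from the thread or from csf): check how full csf.deny is
# against DENY_IP_LIMIT in csf.conf, and raise that limit. Both paths are
# parameters; the files below are constructed stand-ins for /etc/csf/*.

# Read a numeric setting written the csf.conf way: NAME = "value"
csf_setting() {          # $1 = csf.conf, $2 = setting name
    sed -n "s/^$2 *= *\"\([0-9]*\)\".*/\1/p" "$1"
}

# Count live entries in csf.deny: skip blank lines and comment lines. Entries
# look like `1.2.3.4 # reason`, so only the first field is inspected.
csf_deny_count() {       # $1 = csf.deny
    awk 'NF && $1 !~ /^#/ { n++ } END { print n + 0 }' "$1"
}

# Print "<used>/<limit>". Returns 1 when the list is already at the limit,
# meaning the next `csf -d` will evict the oldest entry, as in post #1.
csf_deny_usage() {       # $1 = csf.conf, $2 = csf.deny
    limit=$(csf_setting "$1" DENY_IP_LIMIT)
    used=$(csf_deny_count "$2")
    echo "$used/$limit"
    [ "$used" -lt "$limit" ]
}

# Rewrite DENY_IP_LIMIT or DENY_TEMP_IP_LIMIT to a new value without the
# GNU-only `sed -i`; on a real system run `csf -r` afterwards to reload.
csf_set_limit() {        # $1 = csf.conf, $2 = setting name, $3 = new value
    sed "s/^\($2 *= *\)\"[0-9]*\"/\1\"$3\"/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/csf.conf" <<'EOF'
# constructed excerpt of /etc/csf/csf.conf
DENY_IP_LIMIT = "3"
DENY_TEMP_IP_LIMIT = "100"
EOF
cat > "$WORK/csf.deny" <<'EOF'
###############################################################################
# constructed csf.deny; the real file starts with a long comment header
198.51.100.1 # manually denied
198.51.100.2 # manually denied

203.0.113.9 # manually denied
EOF

csf_deny_usage "$WORK/csf.conf" "$WORK/csf.deny" \
    || echo "csf.deny is full: the next csf -d will drop the oldest entry"
csf_set_limit "$WORK/csf.conf" DENY_IP_LIMIT 500
csf_deny_usage "$WORK/csf.conf" "$WORK/csf.deny"
```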

#8  Aspiring Evangelist | Join Date: Sep 2008 | Location: NewYork | Posts: 436
I did it. What about the IPs in /etc/csf/csf.deny? Should I remove them or keep them there?

#9  Web Hosting Evangelist | Join Date: Jun 2006 | Location: Cluj Napoca | Posts: 468
well, can you also post the output of:
netstat -plan|grep :80 | grep ESTABLISHED | wc -l
and
netstat -plan|grep :80 | wc -l
?


#10  Aspiring Evangelist | Join Date: Sep 2008 | Location: NewYork | Posts: 436
Code:
root@server [/home]# netstat -plan|grep :80 | grep ESTABLISHED | wc -l
26
root@server [/home]# netstat -plan|grep :80 | wc -l
258
root@server [/home]#

#11  Web Hosting Evangelist | Join Date: Jun 2006 | Location: Cluj Napoca | Posts: 468
Well, that looks pretty normal, especially for a dedicated server, and it should not cause any problems. Do you have load problems on that server, or how did you reach the conclusion that you have a DDoS?


#12  Aspiring Evangelist | Join Date: Sep 2008 | Location: NewYork | Posts: 436
Code:
0.25 (2 cpus)
I don't think so.. So, by the way, is there any script to monitor the server for DDoS (to know where the attacks come from) other than looking at ip2location.com manually?

#13  Web Hosting Evangelist | Join Date: Jun 2006 | Location: Cluj Napoca | Posts: 468
Even if you find the IP location it won't help you at all. Also, you do not have a DDoS on that server; everything looks normal. Probably there are some scripts to get an IP location, but those scripts will only consume time, they won't work OK under a real DDoS, and they won't help you either.

What is wrong with your server now, and why do you think you are under a DDoS?


#14  Aspiring Evangelist | Join Date: Sep 2008 | Location: NewYork | Posts: 436
Now everything is normal, but why I think it's a DDoS: the server was working fine, went down one time, and came back. I pinged the server IP and it looked like it timed out sometimes and sometimes was okay (replying). After I logged in to the server I ran some commands to check the IPs connected to the server and it showed me all this IP list, that's all. I contacted the Hivelocity DC to check out the server and monitor it, and they will reply back shortly. Hope everything goes fine, and thank you a lot, Cristi4n, for your help. I'll be back with the DC monitoring results soon.

#15  Aspiring Evangelist | Join Date: Mar 2009 | Location: /home/khunj | Posts: 398
If it doesn't ping there might be another reason. Ping is an ICMP protocol, but those IPs connected to your port 80 are using the TCP protocol.
Next time, try to find out what they are doing (connection state):

netstat -nt | grep ':80 ' | awk '{print $6}' | sort | uniq -c

__________________
NinTechNet
★ NinjaFirewall : Web Application Firewall for PHP and WordPress.
★ NinjaMonitoring : Monitor your website for suspicious activities.
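Pulling together the per-IP count from post #1 and the per-state breakdown just above, as an added example that is not part of the thread: the awk below strips the port with a regex instead of `cut -d: -f1`, so IPv4-mapped IPv6 peers (`::ffff:a.b.c.d`) are counted correctly, matches the local address column rather than any `:80` in the line, and takes a threshold argument that plays the role of NO_OF_CONNECTIONS from the ddos.conf in post #1. The netstat output it runs on is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): tally connections to the web port per
# source IP and per TCP state from `netstat -nt` output. The sample output
# below is constructed; on a live box use: netstat -nt > /tmp/ns.txt

# Keep only TCP rows whose LOCAL address ends in :80, so a peer whose source
# port merely contains "80" is not matched the way a bare `grep :80` would.
web_conns() {            # $1 = file holding netstat -nt output
    awk '$1 ~ /^tcp/ && $4 ~ /:80$/' "$1"
}

# Connections per peer IP, printed as "<count> <ip>", only for peers at or
# above the threshold (the role NO_OF_CONNECTIONS plays in ddos.conf).
conns_per_ip() {         # $1 = netstat file, $2 = threshold
    web_conns "$1" | awk -v limit="$2" '
        { ip = $5; sub(/:[0-9]+$/, "", ip); sub(/^::ffff:/, "", ip); n[ip]++ }
        END { for (ip in n) if (n[ip] >= limit) print n[ip], ip }' | sort -nk 1
}

# Connections per state: many SYN_RECV and few ESTABLISHED points at a SYN
# flood; many ESTABLISHED from one IP points at real (or scripted) requests.
conns_per_state() {      # $1 = netstat file
    web_conns "$1" | awk '{ s[$6]++ } END { for (k in s) print s[k], k }' | sort -nk 1
}

SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           203.0.113.7:51544       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.7:51545       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.7:51546       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.7:51547       SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.9:40001      TIME_WAIT
tcp        0      0 192.0.2.10:80           198.51.100.9:40002      ESTABLISHED
tcp        0      0 192.0.2.10:22           192.0.2.30:55000        ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.7:51548 SYN_RECV
EOF

echo "== peers with 3 or more connections to :80 =="
conns_per_ip "$SAMPLE" 3
echo "== connections to :80 by state =="
conns_per_state "$SAMPLE"
```

The port-22 row and the header lines are ignored, and the tcp6 row is folded into 203.0.113.7, which is why that peer shows five connections rather than four.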
