  1. #1
    Join Date
    Oct 2004
    Posts
    76

    So my website is being DDoSed

    What can I do to prevent this after it's over? I made a thread earlier.

    Admin noob here.


    Sigh.
    Your server is currently under attack. To prevent any collateral damage to the
    network we've blocked your IP addresses. When the attack subsides we will
    unblock them.

  2. #2
    Join Date
    Apr 2005
    Posts
    1,711
    I see in your past thread, you had DNS issues. Maybe check /var/log/messages for DPT=53 iptables logs, and run 'rndc status' to check on your bind status. You could also enable query logging via 'rndc querylog'.
    Zach E. - Kualo (www.kualo.com)

  3. #3
    Join Date
    Oct 2004
    Posts
    76
    I have no folders in /var/log/

    and
    netstat -an |grep tcp|awk '{print $5}'|cut -d: -f1|sort|uniq -c|sort -n
    Is only showing


    [[email protected] ~]# netstat -an |grep tcp|awk '{print $5}'|cut -d: -f1|sort|uniq -c|sort -n
    1 209.208.90.6
    1 64.12.137.169
    1 64.12.138.153
    1 64.12.138.57
    2 205.188.159.216
    5
    14 0.0.0.0

  4. #4
    Join Date
    Aug 2002
    Location
    Seattle
    Posts
    5,512
    Based on that netstat I would not say that you're under any DDoS. Perhaps you should consider other possibilities.
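
Added example, not part of any post in this thread: the pipeline in post #3 uses `cut -d: -f1`, which turns IPv6 rows such as `:::*` into an empty string and counts listening sockets as `0.0.0.0`, which is where the blank `5` row and the `14 0.0.0.0` row come from. The sketch below counts only real peers, grouped by TCP state; the function names and the sample input (documentation address ranges) are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-peer TCP connection counts from `netstat -ant` output.
# Function names and sample data are assumptions made for this illustration.

# Reads `netstat -ant` text on stdin, prints "<count> <peer> <state>".
conns_by_peer() {
    awk '
    $1 ~ /^tcp/ && $6 != "LISTEN" {      # skip headers and listening sockets
        peer = $5
        sub(/:[0-9*]+$/, "", peer)       # strip only the trailing :port
        sub(/^::ffff:/, "", peer)        # IPv4-mapped IPv6 -> plain IPv4
        count[peer " " $6]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample of `netstat -ant` output (not taken from the thread).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 :::22                   :::*                    LISTEN
tcp        0      0 203.0.113.10:80         198.51.100.7:51514      SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.7:51515      SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.7:51516      SYN_RECV
tcp        0      0 203.0.113.10:22         192.0.2.44:40022        ESTABLISHED
tcp        0      0 ::ffff:203.0.113.10:80  ::ffff:192.0.2.44:40100 ESTABLISHED
tcp        0      0 2001:db8::10:80         2001:db8::beef:50000    TIME_WAIT
EOF
}

# Live use on the server would be: netstat -ant | conns_by_peer
sample_netstat | conns_by_peer
```

A long run of `SYN_RECV` rows from many peers points at a SYN flood, while a few `ESTABLISHED` rows, as in post #3, do not.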

  5. #5
    Join Date
    Oct 2004
    Posts
    76
    Quote Originally Posted by IRCCo Jeff View Post
    Based on that netstat I would not say that you're under any DDoS. Perhaps you should consider other possibilities.
    I just remembered the host is blocking every IP except mine, so netstat wouldn't show the attacking IPs now... would it? Well, is there anything I should do or can do to slow down the attacks?

    My secure log looks like this:
    Oct 4 07:31:23 srv sshd[8179]: Did not receive identification string from 75.144.254.25
    Oct 4 09:35:28 srv sshd[28172]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=m2.qianxun.com user=root
    Oct 4 09:35:30 srv sshd[28172]: Failed password for root from 122.200.82.162 port 57473 ssh2
    Oct 4 08:35:30 srv sshd[28173]: Received disconnect from 122.200.82.162: 11: Bye Bye
    Oct 4 09:35:32 srv sshd[28177]: Address 122.200.82.162 maps to m2.1000xun.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
    Oct 4 09:35:32 srv sshd[28177]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.200.82.162 user=root

    All the way to today. All attempts have failed except my IP address.
    Last edited by Twista; 10-13-2009 at 08:43 PM.
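
Added example, not part of any post in this thread: one way to check a log like the one in post #5 for whether any brute-force source ever logged in. It tallies `Failed` and `Accepted` sshd events per source address and marks addresses that have both. The function names and sample lines (documentation address ranges) are constructed, and `/var/log/secure` in the comment is an assumed path.

```shell
#!/bin/sh
# Added example: summarise sshd authentication results per source address.
# Function names and sample data are assumptions made for this illustration.

# Reads sshd log lines on stdin, prints "<ip> <failed> <accepted> <note>".
ssh_auth_summary() {
    awk '
    / sshd\[[0-9]+\]: (Failed|Accepted) / {
        # Take the field after the LAST "from", so a user name that is
        # literally "from" cannot be mistaken for the address marker.
        for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
        if ($0 ~ /: Failed /) fail[ip]++; else ok[ip]++
        seen[ip] = 1
    }
    END {
        for (ip in seen) {
            # Failures plus a success from one address deserves a closer look.
            note = (fail[ip] > 0 && ok[ip] > 0) ? "REVIEW" : "-"
            print ip, fail[ip] + 0, ok[ip] + 0, note
        }
    }' | sort -k2,2nr -k1,1
}

# Constructed sample in the same format as the log lines quoted in post #5.
sample_secure_log() {
    cat <<'EOF'
Oct 4 09:35:30 srv sshd[28172]: Failed password for root from 198.51.100.23 port 57473 ssh2
Oct 4 09:35:34 srv sshd[28177]: Failed password for root from 198.51.100.23 port 57511 ssh2
Oct 4 09:35:39 srv sshd[28181]: Failed password for invalid user admin from 198.51.100.23 port 57540 ssh2
Oct 4 09:36:02 srv sshd[28190]: Did not receive identification string from 192.0.2.99
Oct 4 10:12:45 srv sshd[29001]: Failed password for root from 203.0.113.5 port 40112 ssh2
Oct 4 10:12:51 srv sshd[29001]: Accepted password for root from 203.0.113.5 port 40112 ssh2
EOF
}

# Live use (assumed path): ssh_auth_summary < /var/log/secure
sample_secure_log | ssh_auth_summary
```

An address marked `REVIEW` that is not the administrator's own is the case to investigate; addresses with failures only never authenticated.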

  6. #6
    Join Date
    Oct 2004
    Posts
    76
    Looks like they haven't got in by SSH, but the attacks are still coming to the server. I asked my host what kind of attacks, but I got no answer.

  7. #7
    Join Date
    Oct 2009
    Location
    UK - London
    Posts
    73
    Hi,

    This would suggest that your host are saying you are under a DoS/DDoS attack, however, your netstat clearly shows that there isn't one (please note it gives live information, your netstat looks very similar to your previous one, you should run the command again to get new information). Unless they have now completely mitigated the attack (but it is still trying to attack you), it would seem like they are not completely clear on what the issue actually is.

    However, it is possible that someone is attacking you (DoS/DDoS) on the port that your BIND is on. You should have a look at some easy ways to protect yourself (particularly the BIND port). I would recommend this:

    http://deflate.medialayer.com/
    Guy Riese - Tech-Hosts Ltd. - Registered company in England & Wales (Based in UK - Europe)

  8. #8
    Join Date
    Aug 2002
    Location
    Seattle
    Posts
    5,512
    Quote Originally Posted by Twista View Post
    Looks like they haven't got in by SSH, but the attacks are still coming to the server. I asked my host what kind of attacks, but I got no answer.
    Most hosts do not specialize in DDoS mitigation and will simply null route the IP space until the attack stops.

  9. #9
    Join Date
    Mar 2009
    Location
    /home/khunj
    Posts
    432
    Quote Originally Posted by Twista View Post
    I just remembered the host is blocking every IP except mine, so netstat wouldn't show the attacking IPs now...
    Look at your network stats:

    Code:
    # netstat -s
    NinTechNet
