Web Hosting Talk : Web Hosting Main Forums : Hosting Security and Technology : need help with httpd ddos attack

[hikaro]

currently my servers under ddos attack, i check the access log and here are some of the output

HTML Code:

218.172.218.39 - - [20/Jan/2010:16:46:45 -0800] "POST /6xeeyco8ugvk HTTP/1.1" 200 18938 "http://www.MYDOMAIN.COM/6xeeyco8ugvk" "Mozilla/5.0 (Macintosh; U; 68K Mac OS X 10.5; en; rv:1.9.0.7) Gecko/1975101419 Firefox/3.0.7"
114.36.155.22 - - [20/Jan/2010:16:46:45 -0800] "GET /fugp7u60w9p5 HTTP/1.1" 200 13457 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.10) Gecko/2009042523 Ubuntu/9.04 (jaunty) Firefox/3.0.10"
114.36.155.22 - - [20/Jan/2010:16:46:45 -0800] "GET /hgowoh6w03fo HTTP/1.1" 200 13457 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.10) Gecko/2009042523 Ubuntu/9.04 (jaunty) Firefox/3.0.10"
114.36.155.22 - - [20/Jan/2010:16:46:45 -0800] "GET /6ylbxdiy1u3g HTTP/1.1" 200 13457 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.10) Gecko/2009042
113.160.130.113 - - [20/Jan/2010:16:46:45 -0800] "GET /vhjd4bfymqn7 HTTP/1.1" 200 13457 "-" "Mozilla/5.0 (X11; U; OpenBSD amd64; en-US; rv:1.8.1) Gecko/20091021 Firefox/2.0"
114.47.171.84 - - [20/Jan/2010:16:46:44 -0800] "POST /q2052v89jwge HTTP/1.1" 200 18853 "http://www.MYDOMAIN.COM/q2052v89jwge" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.10) Gecko/2009042523 Ubuntu/9.04 (jaunty) Firefox/3.0.10"
114.24.144.127 - - [20/Jan/2010:16:46:45 -0800] "POST /zr45cr5htsiu HTTP/1.1" 302 0 "http://www.MYDOMAIN.COM/zr45cr5htsiu" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.10) Gecko/2009042523 Ubuntu/9.04 (jaunty) Firefox/3.0.10"

from my thought, those botnet just try to GET or POST /xxxxxxxxxxxx which is x could be a-z A-Z or 0-9 and total characters are always 12 chars.
how could i prevent this by redirecting permanently to others site or block it ? perhaps using .htaccess method ?
this attack really makes me stress as they have tons of ips, its impossible for me to block one by one.

hope any experts here could help me, thank you in advance

[khunj]

You could use mod_security and drop such requests.

But I'm wondering why did your HTTP server return a 200 OK code ?

[hikaro]

yea i just realize it goes to members account, its a hash that redirect there. so it wont work to block using mod_security i guess, not sure how to block this now..

[LeaTrueman]

Hello,

Could you please check the number of connections using,

netstat -alpn | grep :80 | awk '{print $5}' | cut-d: -f1 | sort | uniq -c | sort -n

Then configure CSF on your server and set a connection limit in CSF according to the above output.

[inspiron]

Check the output of the following command,

netstat -n | grep :80 | grep SYN |wc -l

If the connections are more than 100, then you are having trouble with SYNC attack on the server.

[madaboutlinux]

Right, check out if you are receiving a SYN attack and modify the "SYN_FLOOD" parameter accordingly. CSF "connection limit" option may not be of any help instead it will block legit requests if set incorrectly.

BTW, as requested earlier by other guys here, what is the output of?

Quote:

netstat -alpn | grep :80 | awk '{print $5}' | cut-d: -f1 | sort | uniq -c | sort -n

Quote:

netstat -n | grep :80 | grep SYN |wc -l

[khunj]

I can't be a SYN flood (Apache wouldn't log it).


@hikaro : can't you try to modify your hash ? Say, add one more character at the end. If your script needs to check it, it can truncate it and ignore that extra char. You could then drop those 12 char requests.

[hikaro]

i manage to block it by installing litespeed, not sure why nginx cant prevent it, perhaps my config is not correct.
Yes it is a httpd ddos, and its still flooding 2 of my servers.

@LeaTrueman: Csf not help much as the floods too much, i tried APF also with dos defelate and not help much. tried install PSAD as well, actually pretty good but too slow when block rapid connection.

@khunj: yes i can do that, will do after i got good configuration or something to block it.
change the hash is not good idea maybe, attacker could just simply follow what i do.

anyway, thanks all for the input. Really need the solution asap..

[madaboutlinux]

High density DDOS attacks are not easy to resist with software firewalls like CSF or APF. You will have to look for a Hardware firewall for a long term solution.

[hikaro]

yes i know, but i dont think its worth it to buy now, and yes its good for long term solution.
any recommendation about the hardware ? i heard toplayer has a good one.

[Crashus]

synflood and finwait timeouts can be usually tuned via sysctl, what is your OS?