Lots of attacks on my server

astra

Hi,

I'm going crazy here :S For the last 3 weeks I have been under attack with SYN floods and other stuff :(.
The server has already used 80.96Mbit 95% data traffic.

This is what i run on the server:

APF + BFD + DDOS + RKhunter + CHKrootkit + ELS + MODsecurity

And I have checked /var/tmp, /tmp and /dev/shm but see no strange things.
I hope you can help me.

Kind regards.

rem
 
There is no way to limit incoming traffic while under DDoS attack, unless you have access to a gateway router or hardware firewall.
What you can do is limit the impact this attack has on your server, by setting kernel TCP/IP values accordingly and dropping any incoming malicious packet: this last one is important if your system is answering in any way to the attack, wasting resources and bandwidth.

Check your traffic graphs: if you see a very large incoming line but "normal" outgoing line, it means that APF, mod_security2 and other security settings are already taking care of the useless replies, and you can't do much else.
If the attack costs you in terms of monthly traffic or your server is slowed down, contact your datacenter support for help; they can probably stop the DDoS from reaching your box.
 
If you always had an average of 0.1Mbps in output, it means that your server probably doesn't answer to the DDoS, and this is very good.
If the link is unmetered and your server doesn't seem to be slowed down by the DDoS I guess you can just forget about it (or possibly begin to harvest IP addresses and send mass abuse email messages).
 
OK, this is good to hear. Do you know how I can fix the larger traffic peaks from the server?
 
There is no "fixing" them unless you have access to a distribution or core router in your datacenter.
 