Strange DDos!

Kestas

Hello,

I have Apache 1.3.3.7

I'm getting lots of unique users DDoSing my server, about 205 requests/sec - 26.4 kB/second - 132 B/request

access.log:


88.118.181.10 - - [11/Mar/2007:00:02:16 +0100] "GET / HTTP/1.1" 200 4007 "-" "-"
82.135.238.30 - - [11/Mar/2007:00:02:16 +0100] "GET / HTTP/1.1" 200 4007 "-" "-"
88.118.245.9 - - [11/Mar/2007:00:02:16 +0100] "GET / HTTP/1.1" 200 4007 "-" "-"
88.118.229.70 - - [11/Mar/2007:00:02:16 +0100] "GET / HTTP/1.1" 200 4007 "-" "-"
88.118.125.76 - - [11/Mar/2007:00:02:16 +0100] "GET / HTTP/1.1" 200 4007 "-" "-"
88.119.23.221 - - [11/Mar/2007:00:02:16 +0100] "GET / HTTP/1.1" 200 4007 "-" "-"
88.119.5.232 - - [11/Mar/2007:00:02:16 +0100] "GET / HTTP/1.1" 200 4007 "-" "-"
88.119.6.9 - - [11/Mar/2007:00:02:16 +0100] "GET / HTTP/1.1" 200 4007 "-" "-"
88.118.6.12 - - [11/Mar/2007:00:02:16 +0100] "GET / HTTP/1.1" 200 4007 "-" "-"
82.135.213.91 - - [11/Mar/2007:00:02:16 +0100] "GET / HTTP/1.1" 200 4007 "-" "-"

mod_dosevasive is not helping, because it's about 300, maybe even more, unique IPs. They are maxing out the connections in Apache (it is about 450) and the load is not high, but Apache is DDoSed. I think "-" "-" is the user agent? Any ideas how to stop it? How to secure the server?
 
Put their class B network into your iptables like so:

/sbin/iptables -A INPUT -s 88.118.0.0/16 -j DROP

Do the same for the 82.xxx.xxx.xxx
 
It's now about 700 requests per second, random IPs, almost all of them my country's ISP IPs.

About 500, maybe more, IPs.... Can I redirect them or do some other tricks?
 
You should firewall them off, as turnersloane suggests. His suggestion only works if you're running Linux with a recent kernel. Otherwise use the firewall supplied with your server, or install one, or ask your upstream provider to firewall them off your server.

However, turnersloane didn't catch the multiple networks; you'll have to firewall off all of them.

There's really no easier way.

Jeff
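
To find all the networks that need a firewall rule, as the reply above says, one option is to count the header-less requests in the access log per source /16. This is an added example, not code posted in the thread; the function name `suspicious_networks`, the `min_hits` threshold and the sample lines are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Apache combined format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (documentation address ranges), same shape as the log above.
_TAIL = ' - - [11/Mar/2007:00:02:16 +0100] "GET / HTTP/1.1" 200 4007 '
SAMPLE = [
    '198.51.100.10' + _TAIL + '"-" "-"',
    '198.51.100.77' + _TAIL + '"-" "-"',
    '198.51.100.200' + _TAIL + '"-" "-"',
    '203.0.113.5' + _TAIL + '"-" "-"',
    '203.0.113.9' + _TAIL + '"-" "-"',
    '192.0.2.44' + _TAIL + '"-" "-"',
    '198.51.100.10' + _TAIL + '"-" "Mozilla/5.0 (X11; Linux)"',  # normal browser
]

def suspicious_networks(lines, prefix=16, min_hits=2):
    """Return [(network, hits, unique_ips)] for requests that sent neither a
    referer nor a user agent, keeping networks with at least min_hits."""
    hits, sources = Counter(), {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["referer"] != "-" or m["agent"] != "-":
            continue  # unparsable line, or a client that sent headers
        try:
            net = ipaddress.ip_network(f'{m["ip"]}/{prefix}', strict=False)
        except ValueError:
            continue  # host field is a name, not an address
        hits[net] += 1
        sources.setdefault(net, set()).add(m["ip"])
    return [(net, n, len(sources[net]))
            for net, n in hits.most_common() if n >= min_hits]

if __name__ == "__main__":
    # Review the list before blocking: a /16 from a local ISP also
    # contains legitimate visitors.
    for net, n, unique in suspicious_networks(SAMPLE):
        print(f"{net}\t{n} requests from {unique} addresses")
```
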
 
Try turning on SYN cookies if they're not on already:

echo 1 > /proc/sys/net/ipv4/tcp_syncookies
 
mod_dosevasive is not helping, because it's about 300, maybe even more, unique IPs. They are maxing out the connections in Apache (it is about 450) and the load is not high, but Apache is DDoSed.
It is clear that your server is under TCP SYN flooding. I hate to say this, but the only way to stop a SYN attack is a hardware firewall such as Cisco ASA or Guard. To learn more about attacks go to: http://servertune.com/kbase/security/attacks.html
 
If the attack is small, SYN cookies can do the job, but if it's getting big, like over 10,000 pps, yes, you have to use a hardware firewall...
 