LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   DDos attack - prevention (http://www.linuxquestions.org/questions/linux-security-4/ddos-attack-prevention-728903/)

dheeraj4uuu 05-27-2009 02:09 PM

DDos attack - prevention
 
Hello,

My site is being attacked by hackers of DDos attack...I tried mod_evasive, mod_security, APF , DDos deflate...and none showed any results...Because the hacker is using multiple ip's

like

Code:

222.166.160.4
222.166.160.24
222.166.160.21
222.166.160.66
222.166.160.69
222.166.160.35


66.235.124.56
66.235.124.57
66.235.124.58
66.235.124.59
66.235.124.55
66.235.124.132

etc....For now i blocked those ip's in iptables....But i think this not the correct solution....As what if the hacker has changed the IP's ?? Again i have to block them....If he did the attack when iam not there...then no one wil look at it...and my site goes down..

So please tell me any working solution for this....

Waiting for replies.....

saavik 05-27-2009 04:30 PM

What service ( port ) are they accessing ? 80 (http) ?

chrism01 05-27-2009 07:41 PM

By the looks of it, there are at least 2 things you can do:

1. block ip ranges, using just the 1st 3 parts of the ip (using fail2ban tool ?)
2. since these are in range blocks, find the ISP responsible and notify them, with any info they want.

mlnutt 05-28-2009 07:41 AM

You should report the attack to the organization that the IP is registered to. In the case of your first set of IPs the offending ISP is in Hong Kong. Your second set is in the USA.

You can use `whois' or http://ws.arin.net/whois/ to find the registered owner of the IP and (usually) and abuse@ email address.

Send the offending source IP, the target IP (yours), the port, your time zone and comprehensive log reports. This is the information the ISP needs to deal with the offender.

If more people would report abuse rather than ignoring it the ISPs might do something about their abusing clients.

I generally report all SPAM, attempted relaying, port scanning, and other attacks to ISPs I think will do something about the infraction; an ISP in Bulgaria, China, etc I generally ignore and simply ban their entire IP range or I ban the entire country.

As my servers are personal and not professional I can afford to ban all of Asia, Croatia, Roadrunner.com, etc


All times are GMT -5. The time now is 11:06 AM.