LinuxQuestions.org

Linux - Security: DDOS, please help! (http://www.linuxquestions.org/questions/linux-security-4/ddos-please-help-861624/)

Seregwethrin 02-09-2011 09:20 AM

DDOS, please help!
 
I'm really tired of this; for one week I've been dealing with this issue.

I have a VPS with 512 MB of RAM, which is enough to handle my website's users.

I moved my server to a provider with a Cisco firewall, but that didn't help.

I moved from Apache to nginx with nginx's limit-http-requests module, but that didn't help.

I also tried Apache with mod_evasive; the result was failure.

I set iptables to accept only established and related connections; that didn't do any good.

The attacks are on port 80. The problem is not bandwidth; the problem is that there are a lot of connections, so the RAM fills up and the VPS can't handle any connections. I can't even make an SSH connection.

An example netstat -avpn result is here, taken as soon as the web server (nginx) goes online:
https://docs.google.com/document/d/1...thkey=COCup6sM
And this is nothing: when I leave the web server online for 10 minutes there are dozens of those IPs.

What can I do? Can I do anything at all? Yes, I've already told the ISP about this and they'll look into it, but my old ISP couldn't do anything except null-route my VPS's IP.

I'm really tired of it, too angry, too weak to deal with more... Do you have any suggestions?

Note: if publishing those IPs is not allowed by forum rules, please PM me, but I'm going to remove them after I get rid of this problem anyway.

iuselinux 02-09-2011 09:27 AM

You sure it's a DDoS and not a DoS?

Try switching to the LiteSpeed web server; they are supposedly good with (D)DoS.

Seregwethrin 02-09-2011 09:33 AM

It may be DoS, but there's definitely more than 1 IP. Maybe not thousands of IPs, but more than 1, and they are from different locations, even different cities.

xeleema 02-09-2011 09:35 AM

Whoa, wait a sec.
According to that file, only the following IPs are throwing the bad traffic:
(Location data pulled from http://www.geoiptool.com)
Code:

78.162.28.14  (Unknown Hostname)              Antalya, Turkey (Long: 30.6897, Lat: 36.9125)
78.166.122.127 (Unknown Hostname)              Mersin, Turkey (Long: 34.6442, Lat: 36.7328)
78.188.30.155  (dsl78.188-7835.ttnet.net.tr)  Istanbul, Turkey (Long: 28.9647, Lat: 41.0186)
78.188.50.142  (dsl78.188-12942.ttnet.net.tr) Istanbul, Turkey (Long: 28.9647, Lat: 41.0186)

Now you can either use iptables to drop all incoming traffic from these guys, or you can use something like blockhosts.
"Moving" your server does nothing if they're following your Domain Name. Depending on your ISP for security is like depending on a Car Salesman to change your oil.

Seregwethrin 02-09-2011 09:40 AM

But they have dynamic IP addresses. They are using classic ADSL. Probably they are some jerk teenagers who keep changing their IPs.

Also, I moved my server because I needed a more secure datacenter and the old ISP didn't give any help in dealing with the attack. So I didn't move the server to block the attack; I moved for better protection. But as the situation shows, I didn't get it.

Seregwethrin 02-09-2011 10:01 AM

Check it out, new IPs:
https://docs.google.com/document/d/1...thkey=CNPHyP4L

I get those netstat results as soon as I open nginx. Maybe one second passed.

I have to close nginx afterwards, because if I don't, those connections keep increasing.

xeleema 02-09-2011 10:03 AM

There are a few options for dealing with those kinds of people.

1) BlockHosts to cut them off (that's what I use).
I set up each of my web servers to ban an IP for one month when it receives two errors from the web server.
2) Start blocking the whole IP ranges that they're coming from.
(I've attached every IP range assigned to Turkey.)
3) Limit every IP address to 10 connections to port 80 (via iptables).
(I'm looking up how to do this now... saw it in an LQ thread once.)

NOTE: They may be doing more to you than just (D)DoS'ing. Check the logs for your other services (especially SSH!).

xeleema 02-09-2011 10:05 AM

Checking out the file now; however, a few questions about how the site is built.

1) Is this a MySQL+PHP site? (aka: does it have a lot of dynamic content?)
2) How much (if any) of the site is static pages?
3) Are you using this site to generate income, or is this a pet-project (how critical is this?)

xeleema 02-09-2011 10:11 AM

You must have seriously pissed off the Turks :)
Just kidding, but all those IPs are Turkish except for one.
Code:

188.56.230.69 - Unknown. Probably a spoof.
Anything in your access logs?

jcalzare 02-09-2011 10:12 AM

You could try blocking the addresses allocated to Turkey. Here's a list of CIDR blocks from http://www.countryipblocks.net/country-blocks/
If you block them all for a while, the attackers will probably move on.

Edit: Ack, never mind. xeleema already attached a list while I was typing. My post is now less obnoxiously long :)

Seregwethrin 02-09-2011 10:16 AM

They can't be doing more to me because I have two IPs: I use one to connect to FTP, SSH, etc., and the other has only port 80 open. They couldn't have known the other IP. I set the restrictions via iptables.

Well, I can't block IPs from Turkey because my website is for Turkish gamers.

And yes, it's a PHP/MySQL website; actually it is a vBulletin forum just like here. To be more specific, it's a website (moreover, a forum) for Turkish World of Warcraft gamers, and it's the biggest in the Turkish language. Of course the forum has its competitors, and probably they are responsible.

There are basically no static pages. Every page is PHP.

And no, I'm not getting any income. Yes, I get something in return, on average $150-200 a month, but I'm giving more than I get in terms of time and work. I just don't want to close it because it is useful to people; I don't use it myself, I don't even play games. I opened it while I was still in high school 6 years ago, so it has a nostalgic history for me too.

jcalzare 02-09-2011 10:28 AM

Well, in that case it sounds like it's not worth investing serious monetary resources into keeping this thing online through the attack. I would suggest replacing your index.php with a simple HTML maintenance page. This will keep the website online, and the attackers will eventually just give up, as they shouldn't be able to overwhelm the server resources when you have a simple page up.

xeleema 02-09-2011 10:29 AM

Sounds like an awesome site; let's see if we can give these PFYs a run for their efforts. However...
Do NOT assume they don't know the other IP. Be sure to check your logs for any SSH login attempts. They could be trying to distract you with a (D)DoS while they attempt to take over the server.

Code:

# Detect a DoS attack by rate-limiting new TCP connections (SYN packets)
# to 12/sec with a burst of 24; anything above that is dropped.
iptables -N syn-flood
iptables -A syn-flood -m limit --limit 12/s --limit-burst 24 -j RETURN
iptables -A syn-flood -j DROP
# The chain does nothing until INPUT actually sends SYN packets into it.
iptables -A INPUT -p tcp --syn -j syn-flood

WARNING: Be careful with iptables! You can lock yourself out of your box if you're not careful.

EDIT: This LQ thread has a good post :)

Seregwethrin 02-09-2011 10:50 AM

@xeleema

Thanks, I applied the iptables rules.

Well, we can see the IPs, so why is there no software to check them, for example every minute, and block them? I still haven't dug into BlockHosts, but I definitely will. I hope it does what I want and works with nginx.

And I checked netstat with your iptables rules. I can still see hundreds of attacking IPs, but they look like they don't harm the server, at least for now.
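An added example, not from the thread and not BlockHosts' own code, covering two points raised above: xeleema's option 3 (cap each IP at 10 connections to port 80) and the question of something that checks the netstat IPs every minute and blocks them. It is a POSIX shell script that counts connections to port 80 per remote IP in `netstat -an`-style output, prints an iptables DROP rule for every IP above a threshold while skipping an allowlist (your own admin IP, so you don't lock yourself out), and emits the kernel-side connlimit rule for the same cap. The function names, the threshold of 10 and the sample netstat output (addresses from the RFC 5737 documentation ranges) are all this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Counts connections to port 80 per remote
# IP in `netstat -an` style output and prints iptables DROP rules for any IP
# above a threshold, skipping an allowlist (your own admin IP). Function names,
# the threshold and all sample addresses are this example's own.

# Constructed sample of `netstat -an` output; addresses come from the
# RFC 5737 documentation ranges, not from the thread.
sample_netstat() {
    echo 'Proto Recv-Q Send-Q Local Address           Foreign Address         State'
    echo 'tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN'
    # 12 half-open connections from one constructed attacker address
    i=0
    while [ "$i" -lt 12 ]; do
        echo "tcp        0      0 203.0.113.10:80         198.51.100.7:$((51000 + $i))      SYN_RECV"
        i=$((i + 1))
    done
    # 11 established connections from the constructed admin address
    i=0
    while [ "$i" -lt 11 ]; do
        echo "tcp        0      0 203.0.113.10:80         192.0.2.1:$((40000 + $i))         ESTABLISHED"
        i=$((i + 1))
    done
    # an ordinary visitor, and the admin's SSH session (port 22, must be ignored)
    echo 'tcp        0      0 203.0.113.10:80         203.0.113.55:4321       ESTABLISHED'
    echo 'tcp        0      0 203.0.113.10:22         192.0.2.1:4000          ESTABLISHED'
}

# Read netstat output on stdin; print "<count> <remote ip>" for every remote
# IP with at least one non-LISTEN socket whose local side is port 80, busiest
# first. IPv4 only: IPv6 addresses contain ':' and would need another split.
count_port80_conns() {
    awk '$1 == "tcp" && $4 ~ /:80$/ && $6 != "LISTEN" {
             split($5, a, ":"); n[a[1]]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -k1,1rn -k2,2
}

# Usage: offenders THRESHOLD [ALLOWED_IP...]   (reads "<count> <ip>" on stdin)
# Print each IP whose count exceeds THRESHOLD and is not in the allowlist.
offenders() {
    threshold=$1; shift
    allow=" $* "
    while read -r count ip; do
        case "$allow" in *" $ip "*) continue ;; esac
        if [ "$count" -gt "$threshold" ]; then
            echo "$ip"
        fi
    done
    return 0
}

# Usage: ban_rules THRESHOLD [ALLOWED_IP...]   (reads netstat output on stdin)
# Print one iptables command per offending IP. Nothing is executed here:
# review the output, then pipe it into sh (e.g. from a cron job) once it is right.
ban_rules() {
    count_port80_conns | offenders "$@" | while read -r ip; do
        echo "iptables -I INPUT -s $ip -p tcp --dport 80 -j DROP"
    done
    return 0
}

# Kernel-side form of option 3 from the thread: cap concurrent port-80
# connections per source address with the connlimit match, so the bans
# above are only a backstop.
connlimit_rule() {
    echo "iptables -I INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above $1 -j DROP"
}

# Demo on the constructed sample: threshold 10, admin IP allowlisted.
sample_netstat | ban_rules 10 192.0.2.1
connlimit_rule 10
```

On a real box the input is `netstat -an` (or `ss -tan`, with the same column layout adjusted) instead of `sample_netstat`, and the allowlist must contain the address you administer from. Per-IP bans only work against addresses that are real; a flood of SYNs with spoofed sources shows up as many single-connection IPs and is what the rate-limit chain earlier in the thread is for.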

xeleema 02-09-2011 12:24 PM

So your site is up? Cool! (What's the address? I kinda wanna check out the site :) )
If there were any other helpful posts, be sure to click "Yes" in the bottom right-hand corner of those posts.
Also, if your problem has been solved, use "Thread Tools" at the very top of the page to mark this as [SOLVED].

EDIT: BlockHosts is used to parse log files and throw a ban on any IP that shows up in the logs.
I've not worked with nginx before, so I don't know if the connections from the "bad guys" are showing up in a certain way. If they're doing something besides opening a bunch of connections, the logs should show it, so you can ban 'em.
