LinuxQuestions.org
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 02-09-2011, 10:20 AM   #1
Seregwethrin
Member
 
Registered: Feb 2008
Posts: 112

Rep: Reputation: 16
DDOS, please help!


I'm really tired of this; for one week I've been dealing with this issue.

I've a VPS with 512 MB RAM, which is enough to handle my website users.

I moved my server to a provider with a Cisco firewall, but that didn't help.

I moved from Apache to nginx with nginx's limit-http-requests module, but that didn't help.

Also I tried Apache with mod_evasive; the result was failure.

I set iptables to accept only established and related connections; that didn't do any good.

Attacks are to port 80. The problem is not bandwidth, the problem is that there are a lot of connections, so the RAM becomes full and the VPS couldn't handle any connections; I can't even make an SSH connection.

An example netstat -avpn result is here, taken as soon as the web server (nginx) goes online:
https://docs.google.com/document/d/1...thkey=COCup6sM
And this is nothing; when I make the web server online for 10 minutes there are dozens of those IPs.

What can I do? Can I do anything at all? Yes, I've already told the ISP about this and they'll look into it, but my old ISP couldn't do anything except null routing my VPS's IP.

I'm really tired of it, too angry, too weak to deal with more... Do you have any suggestions?

Note: if publishing those IPs is not allowed by forum rules please PM me, but I'm going to remove them after I get rid of this problem anyway.

Last edited by Seregwethrin; 02-09-2011 at 10:25 AM.
 
Old 02-09-2011, 10:27 AM   #2
iuselinux
LQ Newbie
 
Registered: Sep 2010
Posts: 23

Rep: Reputation: 4
You sure it's a DDoS and not a DoS?

Try switching to the LiteSpeed web server; they are supposedly good with (D)DoS.
 
Old 02-09-2011, 10:33 AM   #3
Seregwethrin
Member
 
Registered: Feb 2008
Posts: 112

Original Poster
Rep: Reputation: 16
It may be DoS, but there's definitely more than 1 IP. Maybe not thousands of IPs, but more than 1, and they are from different locations, even from different cities.
 
Old 02-09-2011, 10:35 AM   #4
xeleema
Member
 
Registered: Aug 2005
Location: D.i.t.h.o, Texas
Distribution: Slackware 13.x, rhel3/5, Solaris 8-10(sparc), HP-UX 11.x (pa-risc)
Posts: 987
Blog Entries: 4

Rep: Reputation: 249
Whoa, wait a sec.
According to that file, only the following IPs are throwing the bad traffic:
(Location data pulled from http://www.geoiptool.com)
Code:
78.162.28.14   (Unknown Hostname)              Antalya, Turkey (Long: 30.6897, Lat: 36.9125)
78.166.122.127 (Unknown Hostname)               Mersin, Turkey (Long: 34.6442, Lat: 36.7328)
78.188.30.155  (dsl78.188-7835.ttnet.net.tr)  Istanbul, Turkey (Long: 28.9647, Lat: 41.0186)
78.188.50.142  (dsl78.188-12942.ttnet.net.tr) Istanbul, Turkey (Long: 28.9647, Lat: 41.0186)
Now you can either use iptables to drop all incoming traffic from these guys, or you can use something like BlockHosts.
"Moving" your server does nothing if they're following your domain name. Depending on your ISP for security is like depending on a car salesman to change your oil.
 
Old 02-09-2011, 10:40 AM   #5
Seregwethrin
Member
 
Registered: Feb 2008
Posts: 112

Original Poster
Rep: Reputation: 16
But they have dynamic IP addresses. They are using classic ADSL. Probably they are some jerk teenagers who keep changing their IPs.

Also I moved my server because I needed a more secure datacenter and the old ISP didn't help at all with dealing with the attack. So I didn't move the server to block the attack; I moved for better protection. But as the situation shows, I didn't get it.

Last edited by Seregwethrin; 02-09-2011 at 10:44 AM.
 
Old 02-09-2011, 11:01 AM   #6
Seregwethrin
Member
 
Registered: Feb 2008
Posts: 112

Original Poster
Rep: Reputation: 16
Check it out, new IPs:
https://docs.google.com/document/d/1...thkey=CNPHyP4L

I get those netstat results as soon as I open nginx. Maybe one second passed.

I have to close nginx afterwards, because if I don't, those connections increase.
 
Old 02-09-2011, 11:03 AM   #7
xeleema
Member
 
Registered: Aug 2005
Location: D.i.t.h.o, Texas
Distribution: Slackware 13.x, rhel3/5, Solaris 8-10(sparc), HP-UX 11.x (pa-risc)
Posts: 987
Blog Entries: 4

Rep: Reputation: 249
There are a few options for dealing with those kinds of people.

1) BlockHosts to cut them off (that's what I use).
I set up each of my web servers to ban an IP for one month when it receives two errors from the web server.
2) Start blocking the whole IP ranges they're coming from.
(I've attached every IP range assigned to Turkey.)
3) Limit every IP address to 10 connections to port 80 (via iptables).
(I'm looking up how to do this now... saw it in an LQ thread once.)

NOTE: They may be doing more to you than just (D)DoS'ing. Check the logs for your other services (especially SSH!).
Attached Files
File Type: txt TR_IP_Ranges.txt (21.5 KB, 2 views)
 
Old 02-09-2011, 11:05 AM   #8
xeleema
Member
 
Registered: Aug 2005
Location: D.i.t.h.o, Texas
Distribution: Slackware 13.x, rhel3/5, Solaris 8-10(sparc), HP-UX 11.x (pa-risc)
Posts: 987
Blog Entries: 4

Rep: Reputation: 249
Checking out the file now; however, a few questions about how the site is built.

1) Is this a MySQL+PHP site? (aka: Does it have a lot of Dynamic content)
2) How much (if any) of the site is static pages?
3) Are you using this site to generate income, or is this a pet-project (how critical is this?)
 
Old 02-09-2011, 11:11 AM   #9
xeleema
Member
 
Registered: Aug 2005
Location: D.i.t.h.o, Texas
Distribution: Slackware 13.x, rhel3/5, Solaris 8-10(sparc), HP-UX 11.x (pa-risc)
Posts: 987
Blog Entries: 4

Rep: Reputation: 249
You must have seriously pissed off the Turks.
Just kidding, but all those IPs are Turkish except for one.
Code:
188.56.230.69 - Unknown. Probably a spoof.
Anything in your access logs?
 
Old 02-09-2011, 11:12 AM   #10
jcalzare
Member
 
Registered: Aug 2009
Location: Chicago
Distribution: CentOS
Posts: 114

Rep: Reputation: 34
You could try blocking the addresses allocated to Turkey. Here's a list of CIDR blocks from http://www.countryipblocks.net/country-blocks/
If you block them all for a while, the attackers will probably move on.

Edit: Ack, never mind. xeleema already attached a list while I was typing. My post is now less obnoxiously long.

Last edited by jcalzare; 02-09-2011 at 11:14 AM.
 
Old 02-09-2011, 11:16 AM   #11
Seregwethrin
Member
 
Registered: Feb 2008
Posts: 112

Original Poster
Rep: Reputation: 16
They can't be doing more to me, because I've two IPs and I use one to connect to FTP, SSH, etc., and the other has only port 80 open. They couldn't have known the other IP. I set restrictions via iptables.

Well, I can't block IPs from Turkey because my website is for Turkish gamers.

And yes, it's a PHP/MySQL website; actually it is a vBulletin forum just like here. To be more specific, it's a website (moreover, it's a forum) for Turkish World of Warcraft gamers, but it's the biggest in the Turkish language. Of course the forum has its competitors, and probably they are responsible.

There are like no static pages. Every page is PHP.

And no, I'm not getting any income. Yes, I get something in return, on average $150-200 a month, but I'm giving more than I get in time and work. I just don't want to close it because it is useful to people; I don't use it actually, I don't even play games. I opened it while I was still in high school 6 years ago, so it has a nostalgic history for me too.

Last edited by Seregwethrin; 02-09-2011 at 11:26 AM.
 
Old 02-09-2011, 11:28 AM   #12
jcalzare
Member
 
Registered: Aug 2009
Location: Chicago
Distribution: CentOS
Posts: 114

Rep: Reputation: 34
Well, in that case it sounds like it's not worth investing serious monetary resources into keeping this thing online through the attack. I would suggest replacing your index.php with a simple html maintenance page. This will keep the website online, and the attackers will eventually just give up, as they shouldn't be able to overwhelm the server resources when you have a simple page up.
 
Old 02-09-2011, 11:29 AM   #13
xeleema
Member
 
Registered: Aug 2005
Location: D.i.t.h.o, Texas
Distribution: Slackware 13.x, rhel3/5, Solaris 8-10(sparc), HP-UX 11.x (pa-risc)
Posts: 987
Blog Entries: 4

Rep: Reputation: 249
Sounds like an awesome site; let's see if we can give these PFYs a run for their efforts. However...
Do NOT assume they don't know the other IP. Be sure to check your logs for any SSH login attempts. They could be trying to distract you with a (D)DoS while they attempt to take over the server.

Code:
# Detect a SYN flood by limiting new connections to 12/sec (burst of 24):
# a user chain that RETURNs while under the limit and DROPs once over it.
iptables -N syn-flood
iptables -A syn-flood -m limit --limit 12/s --limit-burst 24 -j RETURN
iptables -A syn-flood -j DROP
# The chain does nothing until INPUT sends traffic to it; this hook (added
# here, as the post omitted it) inserts at the top of INPUT so it is
# evaluated before any catch-all rule and only sees new TCP (SYN) packets.
iptables -I INPUT -p tcp --syn -j syn-flood
WARNING: Be careful with iptables! You can lock yourself out of your box if you're not careful.

EDIT: This LQ thread has a good post

Last edited by xeleema; 02-09-2011 at 11:32 AM.
 
Old 02-09-2011, 11:50 AM   #14
Seregwethrin
Member
 
Registered: Feb 2008
Posts: 112

Original Poster
Rep: Reputation: 16
@xeleema

Thanks, I applied the iptables rules.

Well, we can see the IPs, so why is there no software to check them, for example every minute, and block them? I still didn't dig into BlockHosts, but I definitely will. I hope it does what I want and works with nginx.

And I checked netstat with your iptables rules. I can still see hundreds of attacking IPs, but it looks like they don't harm the server, at least for now.
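The "check netstat every minute and block them" idea from this post, together with option 3 in post #7 (a per-IP cap on port 80), as an added example that is not from the thread or from any poster: it counts port-80 connections per remote address in netstat -an style output and prints (rather than runs) the iptables rules, so they can be reviewed before being applied. The netstat lines are constructed samples; the column layout and the iptables connlimit match are the only things assumed.

```shell
#!/bin/sh
# Added example, not part of the thread. Assumes the classic netstat -an
# column layout: proto recv-q send-q local-address foreign-address state.
# A real run would be:  netstat -an | count_port80 10

# Constructed sample: two noisy peers on port 80, one unrelated SSH session.
SAMPLE='tcp  0  0 10.0.0.5:80  198.51.100.7:51234  ESTABLISHED
tcp  0  0 10.0.0.5:80  198.51.100.7:51235  ESTABLISHED
tcp  0  0 10.0.0.5:80  198.51.100.7:51236  ESTABLISHED
tcp  0  0 10.0.0.5:80  203.0.113.9:40001   ESTABLISHED
tcp  0  0 10.0.0.5:80  203.0.113.9:40002   SYN_RECV
tcp  0  0 10.0.0.5:22  192.0.2.44:60000    ESTABLISHED'

# count_port80 THRESHOLD: read netstat lines on stdin and print "IP COUNT"
# for every remote address holding more than THRESHOLD connections to :80.
count_port80() {
    awk -v max="$1" '
        $4 ~ /:80$/ {            # local side (field 4) is port 80
            split($5, a, ":")    # foreign address is host:port
            n[a[1]]++
        }
        END { for (ip in n) if (n[ip] > max) print ip, n[ip] }
    ' | sort
}

# drop_rules THRESHOLD: turn the offenders into per-IP DROP rules for the
# web port only, printed so an operator can inspect them before applying.
drop_rules() {
    count_port80 "$1" | while read -r ip cnt; do
        echo "iptables -I INPUT -s $ip -p tcp --dport 80 -j DROP  # $cnt conns"
    done
}

# connlimit_rule N: the static per-IP cap from post #7, via the connlimit
# match; new (SYN) connections from an address already holding N are dropped.
connlimit_rule() {
    echo "iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above $1 -j DROP"
}

# Run the counter over the constructed sample with a threshold of 2.
offenders() { printf '%s\n' "$SAMPLE" | count_port80 "$1"; }

offenders 2
printf '%s\n' "$SAMPLE" | drop_rules 2
connlimit_rule 10
```

Feeding live output from netstat -an (or ss -tan, which has the same fields shifted) through count_port80 from cron gives the periodic check asked for above; the SYN_RECV line in the sample shows that half-open attempts are counted too.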
 
Old 02-09-2011, 01:24 PM   #15
xeleema
Member
 
Registered: Aug 2005
Location: D.i.t.h.o, Texas
Distribution: Slackware 13.x, rhel3/5, Solaris 8-10(sparc), HP-UX 11.x (pa-risc)
Posts: 987
Blog Entries: 4

Rep: Reputation: 249
So your site is up? Cool! (What's the address? I kinda wanna check out the site.)
If there were any other helpful posts, be sure to click "Yes" in the bottom right-hand corner of those posts.
Also, if your problem has been solved, use "Thread Tools" at the very top of the page to mark this as [SOLVED].

EDIT: BlockHosts is used to parse log files and throw a ban on any IP that shows up in the logs.
I've not worked with nginx before, so I don't know if the connections from the "bad guys" are showing up a certain way. If they're doing something besides opening a bunch of connections, the logs should show it, so you can ban 'em.

Last edited by xeleema; 02-09-2011 at 01:26 PM.
 