LinuxQuestions.org - Linux - Security
Hello / DDoS attacks (http://www.linuxquestions.org/questions/linux-security-4/hello-ddos-attacks-770452/)

cybernet2u 11-20-2009 10:47 AM

Hello / DDoS attacks
 
I have an Ubuntu 8.04.3 Desktop.
How can I protect my website against DDoS attacks?
I'm being attacked on apache2, and soon I think mysql will be in danger.
(I'm currently in this second attack :banghead: for over a week :cry:)
psad is NOT doing its job (maybe I didn't configure it well),
and bastille-linux is not supported :cry:
If necessary, and if I will be more protected, I will move to CentOS 5.4 or so.

thanks in advance,
cybernet

win32sux 11-20-2009 11:42 AM

Quote:

Originally Posted by cybernet2u (Post 3764009)
I have an Ubuntu 8.04.3 Desktop.
How can I protect my website against DDoS attacks?
I'm being attacked on apache2, and soon I think mysql will be in danger.
(I'm currently in this second attack :banghead: for over a week :cry:)
psad is NOT doing its job (maybe I didn't configure it well),
and bastille-linux is not supported :cry:
If necessary, and if I will be more protected, I will move to CentOS 5.4 or so.

Could you provide a detailed description of the attack you're experiencing?

cybernet2u 11-20-2009 02:59 PM

Hmmm....

All I know is that when I try to access my site I get a 503 error (Service Unavailable) or the message "too many connections".

This is what I have under running processes in Webmin.

Sorry for the long process list, but I want to know how serious this is :mad:

Code:

PID         owner       started      command
6477        root        21:55        /usr/sbin/apache2 -k start
      6478        root        21:55        vlogger (access log)
      6480        root        21:55        vlogger (access log)
      6483        www-data        21:55        /usr/sbin/apache2 -k start
        7068        www-data        21:56        /usr/bin/php-cgi -d open_basedir=/var/www/clients/client2/web4 -d upload_tmp_dir ...
        7114        www-data        21:58        /usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web1 -d upload_tmp_dir ...
        7115        www-data        21:58        /usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web1 -d upload_tmp_dir ...
        7116        www-data        21:58        /usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web1 -d upload_tmp_dir ...
        7117        www-data        21:58        /usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web1 -d upload_tmp_dir ...
        7118        www-data        21:58        /usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web1 -d upload_tmp_dir ...
        7119        www-data        21:58        /usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web1 -d upload_tmp_dir ...
        7121        www-data        21:58        /usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web1 -d upload_tmp_dir ...
        7124        www-data        21:58        /usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web1 -d upload_tmp_dir ...
        7129        www-data        21:58        /usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web1 -d upload_tmp_dir ...
        7130        www-data        21:58        /usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web1 -d upload_tmp_dir ...
        7132        www-data        21:58        /usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web1 -d upload_tmp_dir ...
        7134        www-data        21:58        /usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web1 -d upload_tmp_dir ...
        7135        www-data        21:58        /usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web1 -d upload_tmp_dir ...
        7138        www-data        21:58        /usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web1 -d upload_tmp_dir ...
        7147        www-data        21:58        /usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web1 -d upload_tmp_dir ...
        7169        www-data        21:58        /usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web1 -d upload_tmp_dir ...
        7232        www-data        21:58        /usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web1 -d upload_tmp_dir ...
        7264        www-data        21:58        /usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web1 -d upload_tmp_dir ...
        7266        www-data        21:58        /usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web1 -d upload_tmp_dir ...
        7268        www-data        21:58        /usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web1 -d upload_tmp_dir ...
        7270        www-data        21:58        /usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web1 -d upload_tmp_dir ...
        7272        www-data        21:58        /usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web1 -d upload_tmp_dir ...
        7274        www-data        21:58        /usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web1 -d upload_tmp_dir ...
      6557        www-data        21:55        /usr/sbin/apache2 -k start
      6558        www-data        21:55        /usr/sbin/apache2 -k start
      6559        www-data        21:55        /usr/sbin/apache2 -k start
      6560        www-data        21:55        /usr/sbin/apache2 -k start
      6561        www-data        21:55        /usr/sbin/apache2 -k start
      6564        www-data        21:55        /usr/sbin/apache2 -k start
      6591        www-data        21:55        /usr/sbin/apache2 -k start
      6592        www-data        21:55        /usr/sbin/apache2 -k start
      6597        www-data        21:55        /usr/sbin/apache2 -k start
      6598        www-data        21:55        /usr/sbin/apache2 -k start
      6599        www-data        21:55        /usr/sbin/apache2 -k start
      6600        www-data        21:55        /usr/sbin/apache2 -k start
      6601        www-data        21:55        /usr/sbin/apache2 -k start
      6603        www-data        21:55        /usr/sbin/apache2 -k start
      6604        www-data        21:55        /usr/sbin/apache2 -k start
      6606        www-data        21:55        /usr/sbin/apache2 -k start
      6607        www-data        21:55        /usr/sbin/apache2 -k start
      6639        www-data        21:55        /usr/sbin/apache2 -k start
      6699        www-data        21:55        /usr/sbin/apache2 -k start
      6700        www-data        21:55        /usr/sbin/apache2 -k start
      6712        www-data        21:55        /usr/sbin/apache2 -k start
      6713        www-data        21:55        /usr/sbin/apache2 -k start
      6714        www-data        21:55        /usr/sbin/apache2 -k start
      6715        www-data        21:55        /usr/sbin/apache2 -k start
      6732        www-data        21:55        /usr/sbin/apache2 -k start
      6734        www-data        21:55        /usr/sbin/apache2 -k start
      6735        www-data        21:55        /usr/sbin/apache2 -k start
      6736        www-data        21:55        /usr/sbin/apache2 -k start
      6737        www-data        21:55        /usr/sbin/apache2 -k start
      6738        www-data        21:55        /usr/sbin/apache2 -k start
      6861        www-data        21:55        /usr/sbin/apache2 -k start
      6862        www-data        21:55        /usr/sbin/apache2 -k start
      6868        www-data        21:55        /usr/sbin/apache2 -k start
      6869        www-data        21:55        /usr/sbin/apache2 -k start
      6870        www-data        21:55        /usr/sbin/apache2 -k start
      6871        www-data        21:55        /usr/sbin/apache2 -k start
      6919        www-data        21:56        /usr/sbin/apache2 -k start
      6920        www-data        21:56        /usr/sbin/apache2 -k start
      6929        www-data        21:56        /usr/sbin/apache2 -k start
      6930        www-data        21:56        /usr/sbin/apache2 -k start
      6931        www-data        21:56        /usr/sbin/apache2 -k start
      6947        www-data        21:56        /usr/sbin/apache2 -k start
      6948        www-data        21:56        /usr/sbin/apache2 -k start
      6949        www-data        21:56        /usr/sbin/apache2 -k start
      6950        www-data        21:56        /usr/sbin/apache2 -k start
      6951        www-data        21:56        /usr/sbin/apache2 -k start
      6952        www-data        21:56        /usr/sbin/apache2 -k start
      6953        www-data        21:56        /usr/sbin/apache2 -k start
      6954        www-data        21:56        /usr/sbin/apache2 -k start
      6964        www-data        21:56        /usr/sbin/apache2 -k start
      6975        www-data        21:56        /usr/sbin/apache2 -k start
      6976        www-data        21:56        /usr/sbin/apache2 -k start
      6981        www-data        21:56        /usr/sbin/apache2 -k start
      6982        www-data        21:56        /usr/sbin/apache2 -k start
      6983        www-data        21:56        /usr/sbin/apache2 -k start
      6984        www-data        21:56        /usr/sbin/apache2 -k start
      6986        www-data        21:56        /usr/sbin/apache2 -k start
      6991        www-data        21:56        /usr/sbin/apache2 -k start
      6992        www-data        21:56        /usr/sbin/apache2 -k start
      6994        www-data        21:56        /usr/sbin/apache2 -k start
      6995        www-data        21:56        /usr/sbin/apache2 -k start
      6996        www-data        21:56        /usr/sbin/apache2 -k start
      6997        www-data        21:56        /usr/sbin/apache2 -k start
      7000        www-data        21:56        /usr/sbin/apache2 -k start
      7001        www-data        21:56        /usr/sbin/apache2 -k start
      7002        www-data        21:56        /usr/sbin/apache2 -k start
      7004        www-data        21:56        /usr/sbin/apache2 -k start
      7006        www-data        21:56        /usr/sbin/apache2 -k start
      7019        www-data        21:56        /usr/sbin/apache2 -k start
      7052        www-data        21:56        /usr/sbin/apache2 -k start
      7060        www-data        21:56        /usr/sbin/apache2 -k start
      7061        www-data        21:56        /usr/sbin/apache2 -k start
      7062        www-data        21:56        /usr/sbin/apache2 -k start
      7063        www-data        21:56        /usr/sbin/apache2 -k start
      7064        www-data        21:56        /usr/sbin/apache2 -k start
      7065        www-data        21:56        /usr/sbin/apache2 -k start
      7066        www-data        21:56        /usr/sbin/apache2 -k start
      7093        www-data        21:57        /usr/sbin/apache2 -k start
      7094        www-data        21:57        /usr/sbin/apache2 -k start
      7095        www-data        21:57        /usr/sbin/apache2 -k start
      7096        www-data        21:57        /usr/sbin/apache2 -k start
      7097        www-data        21:57        /usr/sbin/apache2 -k start
      7098        www-data        21:57        /usr/sbin/apache2 -k start
      7099        www-data        21:57        /usr/sbin/apache2 -k start
      7100        www-data        21:57        /usr/sbin/apache2 -k start
      7101        www-data        21:57        /usr/sbin/apache2 -k start
      7102        www-data        21:57        /usr/sbin/apache2 -k start
      7103        www-data        21:57        /usr/sbin/apache2 -k start
      7104        www-data        21:57        /usr/sbin/apache2 -k start
      7105        www-data        21:57        /usr/sbin/apache2 -k start
      7106        www-data        21:57        /usr/sbin/apache2 -k start
      7120        www-data        21:58        /usr/sbin/apache2 -k start
      7122        www-data        21:58        /usr/sbin/apache2 -k start
      7123        www-data        21:58        /usr/sbin/apache2 -k start
      7125        www-data        21:58        /usr/sbin/apache2 -k start
      7126        www-data        21:58        /usr/sbin/apache2 -k start
      7127        www-data        21:58        /usr/sbin/apache2 -k start
      7128        www-data        21:58        /usr/sbin/apache2 -k start
      7131        www-data        21:58        /usr/sbin/apache2 -k start
      7146        www-data        21:58        /usr/sbin/apache2 -k start
      7153        www-data        21:58        /usr/sbin/apache2 -k start
      7154        www-data        21:58        /usr/sbin/apache2 -k start
      7174        www-data        21:58        /usr/sbin/apache2 -k start
      7175        www-data        21:58        /usr/sbin/apache2 -k start
      7176        www-data        21:58        /usr/sbin/apache2 -k start
      7177        www-data        21:58        /usr/sbin/apache2 -k start
      7256        www-data        21:58        /usr/sbin/apache2 -k start
      7258        www-data        21:58        /usr/sbin/apache2 -k start
      7260        www-data        21:58        /usr/sbin/apache2 -k start
      7261        www-data        21:58        /usr/sbin/apache2 -k start
      7262        www-data        21:58        /usr/sbin/apache2 -k start
      7263        www-data        21:58        /usr/sbin/apache2 -k start
      7273        www-data        21:58        /usr/sbin/apache2 -k start
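
As an added illustration (not part of the post above, and not the poster's own tooling), a small Python script that parses a process listing in the four-column layout shown above and totals the workers per executable, the php-cgi workers per vhost (taken from the open_basedir argument) and how many processes were started in each minute. Those three numbers are the quickest way to answer "how serious is this" and to see which site is eating the PHP workers. The listing embedded in the script is a constructed excerpt of the one above.

```python
import re
from collections import Counter

# Constructed excerpt in the same layout as the Webmin listing above
# (PID, owner, start time, command); leading spaces mark child processes.
SAMPLE_PROCS = """\
6477        root        21:55        /usr/sbin/apache2 -k start
      6478        root        21:55        vlogger (access log)
      6483        www-data        21:55        /usr/sbin/apache2 -k start
        7068        www-data        21:56        /usr/bin/php-cgi -d open_basedir=/var/www/clients/client2/web4 -d upload_tmp_dir ...
        7114        www-data        21:58        /usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web1 -d upload_tmp_dir ...
        7115        www-data        21:58        /usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web1 -d upload_tmp_dir ...
      6557        www-data        21:55        /usr/sbin/apache2 -k start
      6558        www-data        21:55        /usr/sbin/apache2 -k start
      6559        www-data        21:56        /usr/sbin/apache2 -k start
"""

# indent, pid, owner, HH:MM start time, rest of line
LINE_RE = re.compile(r"^(\s*)(\d+)\s+(\S+)\s+(\d\d:\d\d)\s+(.*)$")
BASEDIR_RE = re.compile(r"open_basedir=(\S+)")


def parse_processes(text):
    """Return one dict per listing line: depth, pid, owner, started, cmd."""
    procs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or blank line
        indent, pid, owner, started, cmd = m.groups()
        procs.append({"depth": len(indent), "pid": int(pid), "owner": owner,
                      "started": started, "cmd": cmd.strip()})
    return procs


def summarize(procs):
    """Count workers per executable, php-cgi workers per vhost (from the
    open_basedir argument) and the number of processes started per minute."""
    by_exe = Counter(p["cmd"].split()[0] for p in procs)
    php_by_vhost = Counter()
    for p in procs:
        m = BASEDIR_RE.search(p["cmd"])
        if m:
            php_by_vhost[m.group(1)] += 1
    started_per_minute = Counter(p["started"] for p in procs)
    return {"by_exe": dict(by_exe),
            "php_by_vhost": dict(php_by_vhost),
            "started_per_minute": dict(started_per_minute)}


def busiest_vhost(summary):
    """Vhost holding the most php-cgi workers, or None if there are none."""
    vh = summary["php_by_vhost"]
    return max(vh, key=vh.get) if vh else None


if __name__ == "__main__":
    s = summarize(parse_processes(SAMPLE_PROCS))
    for key, value in s.items():
        print(key, value)
    print("busiest vhost:", busiest_vhost(s))
```

Feed it the full listing (or `ps -eo pid,user,start_time,args` output reformatted the same way) and the vhost with the largest php-cgi count is where to look first; a start-per-minute figure that keeps climbing means Apache is spawning workers faster than requests complete.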


Web31337 11-20-2009 08:39 PM

Oh ghod... how does your server manage all this? There are too many processes, don't you think? And apache2+fcgi... better to use nginx in that case. With nginx you can also proxy the requests to other servers, so you avoid overloading your server so easily. Just a suggestion from my own experience.
Anyway, about your current situation...
The best choice is to review the access logs, find out whether the attacks are made from a single IP/subnet/subnets, and try to filter them out with iptables or another packet filter you like. If that doesn't help, look for the script they are attacking. If they don't attack an actual script, they are probably trying to overload the webserver with some specific query. Could you please pastebin your access logs somewhere and give us a link here?
DDoS attacks are usually made by skiddies, because all the mature guys know it will not resolve the problem, so the methods those skiddies use are usually easy to find and cut off.
Provide as much info as possible; maybe we can help you with protecting against the attacks.
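An added example (not from the reply above, nor the poster's own code) that applies the advice here to an Apache combined-format access log in Python: parse it, count hits per client IP and per /24, per URL path (query string stripped) and per status code, measure how concentrated the traffic is in the busiest source, and emit candidate iptables DROP rules for sources over a threshold. An optional time window narrows a large log to the minutes of interest. The log lines, addresses, threshold and port are constructed for the demonstration; IPv4 clients are assumed.

```python
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_network

# Constructed sample in Apache "combined" log format (not the poster's real
# log).  198.51.100.7 hammers the tracker's /announce; the rest is ordinary
# traffic, plus one junk line to show that unparsable input is skipped.
SAMPLE_LOG = [
    '198.51.100.7 - - [20/Nov/2009:21:55:01 +0200] "GET /announce?info_hash=a HTTP/1.1" 200 98 "-" "uTorrent/1830"',
    '198.51.100.7 - - [20/Nov/2009:21:55:01 +0200] "GET /announce?info_hash=b HTTP/1.1" 200 98 "-" "uTorrent/1830"',
    '198.51.100.7 - - [20/Nov/2009:21:55:02 +0200] "GET /announce?info_hash=c HTTP/1.1" 503 312 "-" "uTorrent/1830"',
    '198.51.100.7 - - [20/Nov/2009:21:55:02 +0200] "GET /announce?info_hash=d HTTP/1.1" 503 312 "-" "uTorrent/1830"',
    '198.51.100.9 - - [20/Nov/2009:21:55:03 +0200] "GET /announce?info_hash=e HTTP/1.1" 200 98 "-" "Transmission/1.75"',
    '203.0.113.5 - - [20/Nov/2009:21:55:04 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [20/Nov/2009:21:55:05 +0200] "GET /style.css HTTP/1.1" 200 812 "http://example.test/index.php" "Mozilla/5.0"',
    '192.0.2.44 - - [20/Nov/2009:22:10:00 +0200] "GET /index.php HTTP/1.1" 503 312 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

# client ip, timestamp, method, request target, status; the rest is ignored
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def parse_ts(text):
    """Apache timestamp ('20/Nov/2009:21:55:01 +0200') -> aware datetime."""
    return datetime.strptime(text, "%d/%b/%Y:%H:%M:%S %z")


def parse_log(lines):
    """Parse combined-format lines; lines that don't match are skipped."""
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        records.append({"ip": m.group("ip"), "ts": parse_ts(m.group("ts")),
                        "method": m.group("method"),
                        "path": m.group("target").split("?", 1)[0],  # drop query
                        "status": int(m.group("status"))})
    return records


def in_window(records, start, end):
    """Keep records with start <= ts < end, to zoom in on a few minutes."""
    return [r for r in records if start <= r["ts"] < end]


def top_sources(records, prefix=24):
    """Hits per client IP and per /prefix network (default /24, IPv4 assumed)."""
    by_ip = Counter(r["ip"] for r in records)
    by_net = Counter(str(ip_network(f'{r["ip"]}/{prefix}', strict=False))
                     for r in records)
    return by_ip, by_net


def top_paths(records):
    """Hits per URL path; one hot script stands out once query strings are gone."""
    return Counter(r["path"] for r in records)


def status_counts(records):
    """Hits per HTTP status; a large 503 share confirms the server is saturated."""
    return Counter(r["status"] for r in records)


def concentration(by_ip):
    """Share of all hits sent by the single busiest IP: near 1.0 means one
    attacker you can filter, near 0 means diffuse load that filtering won't fix."""
    total = sum(by_ip.values())
    return by_ip.most_common(1)[0][1] / total if total else 0.0


def drop_rules(counter, threshold, port=80):
    """iptables rules for every source at or above threshold hits.  Review
    before applying; -I INPUT inserts at the top of the chain."""
    return [f"iptables -I INPUT -p tcp --dport {port} -s {src} -j DROP"
            for src, hits in counter.most_common() if hits >= threshold]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    by_ip, by_net = top_sources(recs)
    print("per IP:", by_ip.most_common(3))
    print("per /24:", by_net.most_common(3))
    print("per path:", top_paths(recs).most_common(3))
    print("per status:", dict(status_counts(recs)))
    print("concentration:", round(concentration(by_ip), 2))
    for rule in drop_rules(by_ip, threshold=3):
        print(rule)
```

Read the rules before running them: an administrator's own address showing up in the list would lock you out, and a concentration close to zero with 300 or more distinct clients means there is no single source to block, so the remedy is capacity (server tuning or bandwidth) rather than a packet filter.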

cybernet2u 11-21-2009 01:09 AM

Quote:

Originally Posted by Web31337 (Post 3764515)
Oh ghod... how does your server manage all this? There are too many processes, don't you think? And apache2+fcgi... better to use nginx in that case. With nginx you can also proxy the requests to other servers, so you avoid overloading your server so easily. Just a suggestion from my own experience.
Anyway, about your current situation...
The best choice is to review the access logs, find out whether the attacks are made from a single IP/subnet/subnets, and try to filter them out with iptables or another packet filter you like. If that doesn't help, look for the script they are attacking. If they don't attack an actual script, they are probably trying to overload the webserver with some specific query. Could you please pastebin your access logs somewhere and give us a link here?
DDoS attacks are usually made by skiddies, because all the mature guys know it will not resolve the problem, so the methods those skiddies use are usually easy to find and cut off.
Provide as much info as possible; maybe we can help you with protecting against the attacks.

Yesterday's log:
http://fbx.ro/xl5mrsqspbme6908
* apache2 wasn't up all day long because my load was too high.

Please help.

Web31337 11-21-2009 02:47 AM

But that's a torrent tracker, or it looks like one. Never seen it before.
What on earth did you mean by naming the topic "DDoS"?
It has nothing to do with DDoS. Even if someone is inserting spam queries in here, I cannot see it.
Maybe you are saying that you have your site there and someone changed the DNS of some popular torrent tracker so that it now points at you? But then the HTTP status is 200. So you are running a torrent tracker? I can only guess; you didn't tell us anything. How can we analyze those logs?
Anyway, if you do run a torrent tracker you need a WIDE network link and a tweaked server.

--
Update: oh yes, I found a referer from host-tracker which then points to xlist.ro, which is known from Google's cache as a torrent tracker.

I see no DDoS. I see a slow channel and server overload.

cybernet2u 11-21-2009 03:36 PM

...

So let me guess: you're saying that my tracker got itself about 300 users overnight?

Web31337 11-21-2009 10:30 PM

Yeah. Is 300 users such a big value?
I didn't dig into the log; at first sight I see no "spam" requests, or they are well masked as regular ones. Sorry, I see no problems. The problem is either that the server is not well-tweaked or that the network channel is overloaded.
Even if it is not, it's quite hard/impossible to extract from this log which queries are normal and which are not. Maybe it just needs a deeper look, but 300 users as you counted doesn't seem a big value to me; it sounds pretty weird that your webserver can't manage that load.
If you specify the exact time where to look, I can review it again. 35M is quite a massive thing that I don't really want to get into without any pointers.


All times are GMT -5.