Hello / DDoS attacks
I have an Ubuntu 8.04.3 Desktop.
How can I protect my website against DDoS attacks?
I'm being attacked on apache2, and soon I think MySQL will be in danger
(I'm currently in this second attack :banghead: for over a week :cry:).
psad is NOT doing its job (maybe I didn't configure it well),
and bastille-linux is not supported :cry:
If necessary, and if I will be more protected, I will move to CentOS 5.4 or so.
Thanks in advance,
All I know is that when I try to access my site I get a 503 error (service unavailable) or the message "too many connections".
This is what I have in the running process list in webmin.
Sorry for the long process list, but I want to know how serious this is :mad:
Oh god... how does your server manage all this? There are too many processes, don't you think? And apache2+fcgi... better to use nginx in that case. With nginx you can also proxy the requests to other servers, so you avoid overloading your server so easily. Just a suggestion from my own experience.
Anyway, about your current situation...
The best choice is to review the access logs, find out if the attacks are made from a single IP/subnet/subnets, and try to filter them out with iptables or another packet filter you like. If that doesn't help, look for a script they are attacking. If they don't attack an actual script, they are probably trying to overload the webserver with some specific query. Could you please pastebin your access logs somewhere and give us a link here?
DDoS attacks are usually made by skiddies, because all the mature guys know it will not resolve the problem. So the methods those skiddies use are usually easy to find and cut off.
Provide as much info as possible; maybe we can help you with protecting against the attacks.
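The log review suggested above (rank sources by IP and by /24, then decide whether any of them deserves an iptables rule), as an added example that is not code from anyone in this thread. It parses Apache's combined LogFormat, counts hits per client, per /24 and per request path, and only nominates an IP for blocking when it is both above an absolute hit count and responsible for a large share of all traffic, so one busy NAT or proxy is not mistaken for an attacker. The log lines, the thresholds and the rule format are constructed for the demo and are assumptions to tune for your own site.

```python
"""Rank client IPs and /24 subnets in an Apache combined-format access log so
the noisiest sources can be reviewed and, if clearly abusive, dropped with
iptables.  Sample log lines are constructed; thresholds are assumptions."""
import re
from collections import Counter
from datetime import datetime

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    # "%r" is "METHOD PATH PROTOCOL"; keep only the path (with its query string)
    rec["path"] = rec["req"].split(" ")[1] if " " in rec["req"] else rec["req"]
    return rec


def subnet24(ip):
    """Collapse a dotted-quad IPv4 address to its /24 (10.1.2.3 -> 10.1.2.0/24)."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def summarize(lines):
    """Count hits per IP, per /24 and per path; unparsable lines are skipped."""
    per_ip, per_net, per_path = Counter(), Counter(), Counter()
    first = last = None
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        per_ip[rec["ip"]] += 1
        per_net[subnet24(rec["ip"])] += 1
        per_path[rec["path"]] += 1
        first = rec["ts"] if first is None or rec["ts"] < first else first
        last = rec["ts"] if last is None or rec["ts"] > last else last
    seconds = max((last - first).total_seconds(), 1) if first else 1
    return {"ip": per_ip, "net": per_net, "path": per_path, "seconds": seconds}


def offenders(summary, min_hits=100, min_share=0.5):
    """IPs above an absolute hit count AND a share of all traffic (assumed
    thresholds).  Hit count alone would flag any large NAT or proxy."""
    total = sum(summary["ip"].values())
    return [ip for ip, n in summary["ip"].most_common()
            if n >= min_hits and n / total >= min_share]


def iptables_rules(ips):
    """Emit DROP rules for review; apply them only after checking each IP by hand."""
    return ["iptables -I INPUT -s %s -j DROP" % ip for ip in ips]


def _make_sample():
    """Constructed log: one client hammering /announce.php, ten normal clients."""
    base = '%s - - [%s] "GET %s HTTP/1.1" %s 512 "-" "Mozilla/5.0"'
    lines = []
    for i in range(150):
        ts = "10/Jan/2010:10:%02d:%02d -0500" % (i // 60, i % 60)
        lines.append(base % ("203.0.113.7", ts, "/announce.php?info_hash=x", "503"))
    for j in range(10):
        ts = "10/Jan/2010:10:01:%02d -0500" % j
        for _ in range(3):
            lines.append(base % ("198.51.100.%d" % (j + 1), ts, "/index.php", "200"))
    lines.append("garbage line that does not parse")
    return lines


SAMPLE_LOG = _make_sample()

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("window: %.0fs  top IPs: %s" % (s["seconds"], s["ip"].most_common(3)))
    print("top /24s:", s["net"].most_common(3))
    print("top paths:", s["path"].most_common(3))
    for rule in iptables_rules(offenders(s)):
        print(rule)
```

Run it against a real log with `summarize(open("/var/log/apache2/access.log"))`; the per-path counter is what tells you whether one script is being hit, and the per-/24 counter shows whether a single subnet rather than a single IP is responsible. Note that a long run of 503 responses from many unrelated IPs, as in this thread, is just as consistent with an overloaded server as with an attack, which is why the share threshold exists.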
* apache2 wasn't open all day long 'cause my load was too high
But that's a torrent tracker, or it looks like one. Never seen it before.
What on earth did you mean by naming the topic "ddos"?
It has nothing to do with DDoS. Even if someone here inserts spam queries, I cannot see it.
Maybe you are saying that you have your site there and someone changed the DNS of some popular torrent tracker and now it points at you? But then the HTTP status is 200. So you are running a torrent tracker? I can only guess; you didn't tell us anything. How can we analyze those logs?
Anyway, if you do run a torrent tracker you need a WIDE network link and a tweaked server.
Update: oh yes, I found a referer from host-tracker, which then points to xlist.ro, which is known by Google cache as a torrent tracker.
I see no DDoS. I see a slow channel and server overload.
So let me guess, you're saying that my tracker got itself about 300 users overnight?
Yeah. Is 300 users such a big value?
I didn't dig into the log; at first sight I see no "spam" requests, or they are well masked as regular ones. Sorry, I see no problems. The problem is either that the server is not well tweaked or that the network channel is overloaded.
Even if it is not, it's quite hard/impossible to extract from this log which queries are normal and which are not. Maybe it just needs a deeper look, but 300 users, as you counted, doesn't seem like a big value to me; it sounds pretty weird that your webserver can't manage that load.
If you specify the exact time where to look, I can review it again. 35M is quite a massive thingy that I don't really want to get into without any pointers.