LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
11-20-2009, 09:47 AM   #1
cybernet2u (LQ Newbie)

Hello / DDoS attacks


I have an Ubuntu 8.04.3 Desktop.
How can I protect my website against DDoS attacks?
I'm being attacked on apache2, and soon I think mysql will be in danger
(I'm currently, at this second, being attacked, and have been for over a week).
psad is NOT doing its job (maybe I didn't configure it well),
and bastille-linux is not supported.
If necessary, and if I will be more protected, I will move to CentOS 5.4 or so.

Thanks in advance,
cybernet
 
11-20-2009, 10:42 AM   #2
win32sux (LQ Guru)

Quote (Originally Posted by cybernet2u):
I have an Ubuntu 8.04.3 Desktop.
How can I protect my website against DDoS attacks?
I'm being attacked on apache2, and soon I think mysql will be in danger
(I'm currently, at this second, being attacked, and have been for over a week).
psad is NOT doing its job (maybe I didn't configure it well),
and bastille-linux is not supported.
If necessary, and if I will be more protected, I will move to CentOS 5.4 or so.

Could you provide a detailed description of the attack you're experiencing?
 
11-20-2009, 01:59 PM   #3
cybernet2u (LQ Newbie, Original Poster)

hmmm....

All I know is that when I try to access my site I get a 503 error (service unavailable) or the message "too many connections".

This is what I have in the running processes list in webmin.

Sorry for the long process list, but I want to know how serious this is.

Code:
 6477 	root 	21:55 	/usr/sbin/apache2 -k start
      6478 	root 	21:55 	vlogger (access log)
      6480 	root 	21:55 	vlogger (access log)
      6483 	www-data 	21:55 	/usr/sbin/apache2 -k start
         7068 	www-data 	21:56 	/usr/bin/php-cgi -d open_basedir=/var/www/clients/client2/web4 -d upload_tmp_dir ...
         7114 	www-data 	21:58 	/usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web1 -d upload_tmp_dir ...
         7115 	www-data 	21:58 	/usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web1 -d upload_tmp_dir ...
         7116 	www-data 	21:58 	/usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web1 -d upload_tmp_dir ...
         7117 	www-data 	21:58 	/usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web1 -d upload_tmp_dir ...
         7118 	www-data 	21:58 	/usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web1 -d upload_tmp_dir ...
         7119 	www-data 	21:58 	/usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web1 -d upload_tmp_dir ...
         7121 	www-data 	21:58 	/usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web1 -d upload_tmp_dir ...
         7124 	www-data 	21:58 	/usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web1 -d upload_tmp_dir ...
         7129 	www-data 	21:58 	/usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web1 -d upload_tmp_dir ...
         7130 	www-data 	21:58 	/usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web1 -d upload_tmp_dir ...
         7132 	www-data 	21:58 	/usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web1 -d upload_tmp_dir ...
         7134 	www-data 	21:58 	/usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web1 -d upload_tmp_dir ...
         7135 	www-data 	21:58 	/usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web1 -d upload_tmp_dir ...
         7138 	www-data 	21:58 	/usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web1 -d upload_tmp_dir ...
         7147 	www-data 	21:58 	/usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web1 -d upload_tmp_dir ...
         7169 	www-data 	21:58 	/usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web1 -d upload_tmp_dir ...
         7232 	www-data 	21:58 	/usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web1 -d upload_tmp_dir ...
         7264 	www-data 	21:58 	/usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web1 -d upload_tmp_dir ...
         7266 	www-data 	21:58 	/usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web1 -d upload_tmp_dir ...
         7268 	www-data 	21:58 	/usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web1 -d upload_tmp_dir ...
         7270 	www-data 	21:58 	/usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web1 -d upload_tmp_dir ...
         7272 	www-data 	21:58 	/usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web1 -d upload_tmp_dir ...
         7274 	www-data 	21:58 	/usr/bin/php-cgi -d open_basedir=/var/www/clients/client1/web1 -d upload_tmp_dir ...
      6557 	www-data 	21:55 	/usr/sbin/apache2 -k start
      6558 	www-data 	21:55 	/usr/sbin/apache2 -k start
      6559 	www-data 	21:55 	/usr/sbin/apache2 -k start
      6560 	www-data 	21:55 	/usr/sbin/apache2 -k start
      6561 	www-data 	21:55 	/usr/sbin/apache2 -k start
      6564 	www-data 	21:55 	/usr/sbin/apache2 -k start
      6591 	www-data 	21:55 	/usr/sbin/apache2 -k start
      6592 	www-data 	21:55 	/usr/sbin/apache2 -k start
      6597 	www-data 	21:55 	/usr/sbin/apache2 -k start
      6598 	www-data 	21:55 	/usr/sbin/apache2 -k start
      6599 	www-data 	21:55 	/usr/sbin/apache2 -k start
      6600 	www-data 	21:55 	/usr/sbin/apache2 -k start
      6601 	www-data 	21:55 	/usr/sbin/apache2 -k start
      6603 	www-data 	21:55 	/usr/sbin/apache2 -k start
      6604 	www-data 	21:55 	/usr/sbin/apache2 -k start
      6606 	www-data 	21:55 	/usr/sbin/apache2 -k start
      6607 	www-data 	21:55 	/usr/sbin/apache2 -k start
      6639 	www-data 	21:55 	/usr/sbin/apache2 -k start
      6699 	www-data 	21:55 	/usr/sbin/apache2 -k start
      6700 	www-data 	21:55 	/usr/sbin/apache2 -k start
      6712 	www-data 	21:55 	/usr/sbin/apache2 -k start
      6713 	www-data 	21:55 	/usr/sbin/apache2 -k start
      6714 	www-data 	21:55 	/usr/sbin/apache2 -k start
      6715 	www-data 	21:55 	/usr/sbin/apache2 -k start
      6732 	www-data 	21:55 	/usr/sbin/apache2 -k start
      6734 	www-data 	21:55 	/usr/sbin/apache2 -k start
      6735 	www-data 	21:55 	/usr/sbin/apache2 -k start
      6736 	www-data 	21:55 	/usr/sbin/apache2 -k start
      6737 	www-data 	21:55 	/usr/sbin/apache2 -k start
      6738 	www-data 	21:55 	/usr/sbin/apache2 -k start
      6861 	www-data 	21:55 	/usr/sbin/apache2 -k start
      6862 	www-data 	21:55 	/usr/sbin/apache2 -k start
      6868 	www-data 	21:55 	/usr/sbin/apache2 -k start
      6869 	www-data 	21:55 	/usr/sbin/apache2 -k start
      6870 	www-data 	21:55 	/usr/sbin/apache2 -k start
      6871 	www-data 	21:55 	/usr/sbin/apache2 -k start
      6919 	www-data 	21:56 	/usr/sbin/apache2 -k start
      6920 	www-data 	21:56 	/usr/sbin/apache2 -k start
      6929 	www-data 	21:56 	/usr/sbin/apache2 -k start
      6930 	www-data 	21:56 	/usr/sbin/apache2 -k start
      6931 	www-data 	21:56 	/usr/sbin/apache2 -k start
      6947 	www-data 	21:56 	/usr/sbin/apache2 -k start
      6948 	www-data 	21:56 	/usr/sbin/apache2 -k start
      6949 	www-data 	21:56 	/usr/sbin/apache2 -k start
      6950 	www-data 	21:56 	/usr/sbin/apache2 -k start
      6951 	www-data 	21:56 	/usr/sbin/apache2 -k start
      6952 	www-data 	21:56 	/usr/sbin/apache2 -k start
      6953 	www-data 	21:56 	/usr/sbin/apache2 -k start
      6954 	www-data 	21:56 	/usr/sbin/apache2 -k start
      6964 	www-data 	21:56 	/usr/sbin/apache2 -k start
      6975 	www-data 	21:56 	/usr/sbin/apache2 -k start
      6976 	www-data 	21:56 	/usr/sbin/apache2 -k start
      6981 	www-data 	21:56 	/usr/sbin/apache2 -k start
      6982 	www-data 	21:56 	/usr/sbin/apache2 -k start
      6983 	www-data 	21:56 	/usr/sbin/apache2 -k start
      6984 	www-data 	21:56 	/usr/sbin/apache2 -k start
      6986 	www-data 	21:56 	/usr/sbin/apache2 -k start
      6991 	www-data 	21:56 	/usr/sbin/apache2 -k start
      6992 	www-data 	21:56 	/usr/sbin/apache2 -k start
      6994 	www-data 	21:56 	/usr/sbin/apache2 -k start
      6995 	www-data 	21:56 	/usr/sbin/apache2 -k start
      6996 	www-data 	21:56 	/usr/sbin/apache2 -k start
      6997 	www-data 	21:56 	/usr/sbin/apache2 -k start
      7000 	www-data 	21:56 	/usr/sbin/apache2 -k start
      7001 	www-data 	21:56 	/usr/sbin/apache2 -k start
      7002 	www-data 	21:56 	/usr/sbin/apache2 -k start
      7004 	www-data 	21:56 	/usr/sbin/apache2 -k start
      7006 	www-data 	21:56 	/usr/sbin/apache2 -k start
      7019 	www-data 	21:56 	/usr/sbin/apache2 -k start
      7052 	www-data 	21:56 	/usr/sbin/apache2 -k start
      7060 	www-data 	21:56 	/usr/sbin/apache2 -k start
      7061 	www-data 	21:56 	/usr/sbin/apache2 -k start
      7062 	www-data 	21:56 	/usr/sbin/apache2 -k start
      7063 	www-data 	21:56 	/usr/sbin/apache2 -k start
      7064 	www-data 	21:56 	/usr/sbin/apache2 -k start
      7065 	www-data 	21:56 	/usr/sbin/apache2 -k start
      7066 	www-data 	21:56 	/usr/sbin/apache2 -k start
      7093 	www-data 	21:57 	/usr/sbin/apache2 -k start
      7094 	www-data 	21:57 	/usr/sbin/apache2 -k start
      7095 	www-data 	21:57 	/usr/sbin/apache2 -k start
      7096 	www-data 	21:57 	/usr/sbin/apache2 -k start
      7097 	www-data 	21:57 	/usr/sbin/apache2 -k start
      7098 	www-data 	21:57 	/usr/sbin/apache2 -k start
      7099 	www-data 	21:57 	/usr/sbin/apache2 -k start
      7100 	www-data 	21:57 	/usr/sbin/apache2 -k start
      7101 	www-data 	21:57 	/usr/sbin/apache2 -k start
      7102 	www-data 	21:57 	/usr/sbin/apache2 -k start
      7103 	www-data 	21:57 	/usr/sbin/apache2 -k start
      7104 	www-data 	21:57 	/usr/sbin/apache2 -k start
      7105 	www-data 	21:57 	/usr/sbin/apache2 -k start
      7106 	www-data 	21:57 	/usr/sbin/apache2 -k start
      7120 	www-data 	21:58 	/usr/sbin/apache2 -k start
      7122 	www-data 	21:58 	/usr/sbin/apache2 -k start
      7123 	www-data 	21:58 	/usr/sbin/apache2 -k start
      7125 	www-data 	21:58 	/usr/sbin/apache2 -k start
      7126 	www-data 	21:58 	/usr/sbin/apache2 -k start
      7127 	www-data 	21:58 	/usr/sbin/apache2 -k start
      7128 	www-data 	21:58 	/usr/sbin/apache2 -k start
      7131 	www-data 	21:58 	/usr/sbin/apache2 -k start
      7146 	www-data 	21:58 	/usr/sbin/apache2 -k start
      7153 	www-data 	21:58 	/usr/sbin/apache2 -k start
      7154 	www-data 	21:58 	/usr/sbin/apache2 -k start
      7174 	www-data 	21:58 	/usr/sbin/apache2 -k start
      7175 	www-data 	21:58 	/usr/sbin/apache2 -k start
      7176 	www-data 	21:58 	/usr/sbin/apache2 -k start
      7177 	www-data 	21:58 	/usr/sbin/apache2 -k start
      7256 	www-data 	21:58 	/usr/sbin/apache2 -k start
      7258 	www-data 	21:58 	/usr/sbin/apache2 -k start
      7260 	www-data 	21:58 	/usr/sbin/apache2 -k start
      7261 	www-data 	21:58 	/usr/sbin/apache2 -k start
      7262 	www-data 	21:58 	/usr/sbin/apache2 -k start
      7263 	www-data 	21:58 	/usr/sbin/apache2 -k start
      7273 	www-data 	21:58 	/usr/sbin/apache2 -k start
 
11-20-2009, 07:39 PM   #4
Web31337 (Member)

Oh ghod... how does your server manage all this? There are too many processes, don't you think? And apache2+fcgi... better to use nginx in that case. With nginx you can also proxy the requests to other servers, so you avoid overloading your server that easily. Just a suggestion from my own experience.
Anyways, about your current situation...
The best choice is to review the access logs, find out if the attacks are made from a single IP/subnet/subnets, and try to filter them out with iptables or another packet filter you like. If that doesn't help, look for the script they are attacking. If they don't attack an actual script, they are probably trying to overload the webserver with some specific query. Could you please pastebin your access logs somewhere and give us a link here?
DDoS is usually done by skiddies, because all mature guys know it will not resolve the problem. So the methods those skiddies use are usually easy to find and cut off.
Provide as much info as possible; maybe we can help you with protecting against the attacks.
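Web31337's first step, finding out whether the traffic comes from a single IP or subnet or from many unrelated sources, can be done directly over the access log. The following is an added example, not code from the thread: a small Python script that parses Apache combined-format lines (the format is assumed; the thread's own log is not on the page), counts hits per IP, per /24, per path and per status code, and flags whether one /24 supplies enough of the requests that a packet-filter rule on that range would actually remove the load. The sample lines are constructed using RFC 5737 documentation addresses.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Apache "combined" access log format (assumed; the thread's own log is not on
# the page). The trailing referer and user-agent fields are not captured.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines using RFC 5737 documentation addresses, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Nov/2009:21:55:01 -0500] "GET /announce?info_hash=a HTTP/1.1" 200 312 "-" "uTorrent/1850"
203.0.113.9 - - [21/Nov/2009:21:55:01 -0500] "GET /announce?info_hash=b HTTP/1.1" 200 298 "-" "Azureus"
203.0.113.7 - - [21/Nov/2009:21:55:02 -0500] "GET /announce?info_hash=a HTTP/1.1" 503 0 "-" "uTorrent/1850"
198.51.100.4 - - [21/Nov/2009:21:55:03 -0500] "GET /index.php HTTP/1.1" 503 0 "-" "Mozilla/5.0"
192.0.2.15 - - [21/Nov/2009:21:55:03 -0500] "GET /scrape HTTP/1.1" 200 120 "-" "Transmission/1.7"
this line is deliberately malformed and must be skipped
""".splitlines()

def parse(lines):
    """Yield one dict per well-formed line; anything else is skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def subnet(ip, prefix=24):
    """Collapse an address to its /24 so neighbouring sources group together."""
    return str(ip_network(f"{ip}/{prefix}", strict=False))

def summarize(lines, top=3, threshold=0.5):
    """Hits per IP, per /24, per path (query string stripped) and per status.
    'concentrated' is True when one /24 supplies >= threshold of all requests,
    i.e. a packet-filter rule on that range would actually remove the load."""
    ips, nets, paths, statuses = Counter(), Counter(), Counter(), Counter()
    total = 0
    for rec in parse(lines):
        total += 1
        ips[rec["ip"]] += 1
        nets[subnet(rec["ip"])] += 1
        paths[rec["path"].split("?", 1)[0]] += 1  # /announce?info_hash=.. -> /announce
        statuses[rec["status"]] += 1
    top_share = nets.most_common(1)[0][1] / total if total else 0.0
    return {"total": total, "top_ips": ips.most_common(top),
            "top_subnets": nets.most_common(top), "top_paths": paths.most_common(top),
            "statuses": dict(statuses), "concentrated": top_share >= threshold}
```

A result with `concentrated` False and hundreds of distinct /24s is the "many legitimate users" picture the thread ends up with, where a firewall rule would not help and the fix is capacity or a lighter front end.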
 
11-21-2009, 12:09 AM   #5
cybernet2u (LQ Newbie, Original Poster)

Quote (Originally Posted by Web31337):
Oh ghod... how does your server manage all this? There are too many processes, don't you think? And apache2+fcgi... better to use nginx in that case. With nginx you can also proxy the requests to other servers, so you avoid overloading your server that easily. Just a suggestion from my own experience.
Anyways, about your current situation...
The best choice is to review the access logs, find out if the attacks are made from a single IP/subnet/subnets, and try to filter them out with iptables or another packet filter you like. If that doesn't help, look for the script they are attacking. If they don't attack an actual script, they are probably trying to overload the webserver with some specific query. Could you please pastebin your access logs somewhere and give us a link here?
DDoS is usually done by skiddies, because all mature guys know it will not resolve the problem. So the methods those skiddies use are usually easy to find and cut off.
Provide as much info as possible; maybe we can help you with protecting against the attacks.

Yesterday's log:
http://fbx.ro/xl5mrsqspbme6908
* apache2 wasn't up all day long 'cause my load was too high.

Please help.
 
11-21-2009, 01:47 AM   #6
Web31337 (Member)

But that's a torrent tracker. Or looks like it. Never seen it before.
What on earth did you mean by naming the topic "ddos"?
It has nothing to do with DDoS. Even if someone inserts spam queries in here, I cannot see it.
Maybe you are saying that you have your site there and someone changed the DNS of some popular torrent tracker and now it points at you? But then the HTTP status is 200. So you are running a torrent tracker? I can only guess; you didn't tell us anything. How can we analyze those logs?
Anyway, if you do run a torrent tracker you need a WIDE network link and a tweaked server.

--
Update: oh yes, I found a referer from host-tracker which then points to xlist.ro, which is known by Google cache as a torrent tracker.

I see no DDoS. I see a slow channel and server overload.
 
11-21-2009, 02:36 PM   #7
cybernet2u (LQ Newbie, Original Poster)

...

So let me guess: you're saying that my tracker got itself about 300 users over night?
 
11-21-2009, 09:30 PM   #8
Web31337 (Member)

Yeah. Is 300 users such a big value?
I didn't dig into the log; at first sight I see no "spam" requests, or they are well masked as regular ones. Sorry, I see no problems. The problem is either that the server is not well tweaked or that the network channel is overloaded.
Even if it is not, it's quite hard/impossible to extract from this log which queries are normal and which are not. Maybe it just needs a deeper look, but 300 users as you counted doesn't seem a big value to me; it sounds pretty weird that your webserver can't manage that load.
If you specify the exact time where to look, I can review it again. 35M is quite a massive thingy I don't really want to get into without any pointers.
 