Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I have an Ubuntu 8.04.3 Desktop.
How can I protect my website against DDoS attacks?
I'm being attacked on apache2 and soon I think mysql will be in danger
(I'm currently in this second attack for over a week).
psad is NOT doing its job (maybe I didn't configure it well)
and bastille-linux is not supported.
If necessary and I will be more protected, I will move on to CentOS 5.4 or so.
Could you provide a detailed description of the attack you're experiencing?
oh ghod... how does your server manage all this? there are too many processes, don't you think? and apache2+fcgi... better to use nginx in that case. With nginx you can also proxy the requests to other servers, so you avoid overloading your server so easily. just a suggestion from my own experience.
anyways, about your current situation...
the best choice is to review the access logs, find out if the attacks are made from a single IP/subnet/subnets and try to filter them out with iptables or another packet filter you like. If that doesn't help, look for the script they are attacking. If they don't attack an actual script, they probably try to overload the webserver with some specific query. Could you please pastebin your access logs somewhere and give us a link here?
DDoS is usually done by skiddies, because all mature guys know it will not resolve the problem. so the methods those skiddies use are usually easy to find and cut off.
provide as much info as possible, maybe we can help you with protecting against the attacks.
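An added example, not code from the thread: a small Python script that does what the reply above suggests, counting hits per client IP, per /24 and per script path in an Apache combined-format access log, and pairing any subnet that crosses a threshold with the iptables DROP rule that would filter it. The log regex and the sample lines are constructed assumptions, since the thread does not show the poster's actual log.

```python
import re
import ipaddress
from collections import Counter

# Apache "combined" log format. The regex is an assumption about the poster's
# log layout; the thread itself does not show the actual lines.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines: one /24 hammering a single tracker-style path.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2010:12:00:01 +0000] "GET /announce?info_hash=x HTTP/1.1" 200 120 "-" "uTorrent"
203.0.113.11 - - [10/Jan/2010:12:00:01 +0000] "GET /announce?info_hash=x HTTP/1.1" 200 120 "-" "uTorrent"
203.0.113.10 - - [10/Jan/2010:12:00:02 +0000] "GET /announce?info_hash=x HTTP/1.1" 200 120 "-" "uTorrent"
198.51.100.7 - - [10/Jan/2010:12:00:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.12 - - [10/Jan/2010:12:00:03 +0000] "GET /announce?info_hash=y HTTP/1.1" 200 120 "-" "uTorrent"
192.0.2.44 - - [10/Jan/2010:12:00:03 +0000] "GET /style.css HTTP/1.1" 304 0 "-" "Mozilla/5.0"
"""

def parse(lines):
    """Yield (client_ip, request_path) for every line in combined format."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of dying on a 35M log
        req = m.group("req").split()
        path = req[1].split("?", 1)[0] if len(req) >= 2 else "-"
        yield m.group("ip"), path

def summarize(text):
    """Count hits per client IP, per /24 (IPv4) and per script path."""
    by_ip, by_net, by_path = Counter(), Counter(), Counter()
    for ip, path in parse(text.splitlines()):
        by_ip[ip] += 1
        by_path[path] += 1
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # hostname logging enabled, or garbage in the IP field
        if addr.version == 4:
            by_net[str(ipaddress.ip_network(f"{ip}/24", strict=False))] += 1
    return by_ip, by_net, by_path

def suspects(by_net, min_hits):
    """Subnets with >= min_hits, paired with the iptables rule that would drop them."""
    return [(net, n, f"iptables -I INPUT -s {net} -p tcp --dport 80 -j DROP")
            for net, n in by_net.most_common() if n >= min_hits]
```

Run summarize() over the real log contents instead of SAMPLE_LOG, and set min_hits to a value that is clearly abnormal for the log's time window before acting on the printed rules.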
but that's a torrent tracker. or it looks like one. never seen it before.
what on earth did you mean by naming the topic "ddos"?
it has nothing to do with ddos. even if someone here inserts spam queries, I cannot see it.
maybe you are saying that you have your site there and someone changed the DNS of some popular torrent tracker and now it points at you? but then the HTTP status is 200. so you are running a torrent tracker? I can only guess, you didn't tell us anything. how can we analyze those logs?
anyway, if you do run a torrent tracker you need a WIDE network link and a tweaked server.
--
update: oh yes, i found referer from host-tracker which then points to xlist.ro which is known by google cache as torrent tracker.
i see no ddos. i see slow channel and server overload.
yeah. is 300 users such a big value?
I didn't get into the log; at first sight I see no "spam" requests, or they are well masked as regular ones. sorry, I see no problems. the problem is either that the server is not well tweaked or the network channel is overloaded.
even if it is not, it's quite hard/impossible to extract from this log which queries are normal and which are not. maybe it just needs a deeper look, but 300 users as you counted doesn't seem a big value to me; it sounds pretty weird that your webserver can't manage that load.
if you specify the exact time where to look, I can review it again. 35M is quite a massive thingy I don't really want to get into without any pointers.