LinuxQuestions.org


roshanekka 08-05-2010 01:31 PM

Is My Server Under DdOS attack. please help. :(
 
I am a newbie on Linux and its management; I'm learning. I have a server and I think that my server is under a DDoS attack. I see that the server is not having much load and only a few processes run, but my site opens very slowly.

I executed the following command over SSH:
Code:

netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n | tail
and as a result I got the following output:
Code:

root@server [~]# netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n | tail
      5 117.98.12.104
      5 124.153.102.163
      5 85.185.37.196
      6 110.225.237.32
      8 112.110.124.100
      8 182.156.5.157
      8 182.16.156.122
      9
      9 180.214.152.207
    28 0.0.0.0
root@server [~]#

Please tell me if these IPs are doing any kind of attack.

Also tell me what steps I should take to stop DDoS on my server.

SciFi-Bob 08-05-2010 05:15 PM

I would advise you to run a firewall on the server. And if you already have one running, then the logs from the firewall are what you should be examining.
Netstat does not give useful info on attacks; it's just info on active and closing/terminating connections, and it does not have any kind of history.

What you are interested in, for example, is how many connection attempts there have been on port x in the last minute/hour/day.
Only a firewall can give you that.

Well, a packet sniffer could also do the job, but it's really the job of a decent firewall.

Another thing you can try is to see what process is slowing the machine down. It could be that some service is draining the CPU, and then it might be as easy as restarting or stopping that service.

Running "top" in a terminal may give a hint of what is using the CPU.
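SciFi-Bob's point is that only a per-attempt record (firewall log) can answer "how many connection attempts on port x in the last minute". The script below is an added example, not from this thread: it aggregates constructed iptables LOG lines (assuming a rule like `iptables -A INPUT -p tcp --syn -j LOG --log-prefix "IPT-SYN: "`) into attempts per destination port per minute and lists the busiest sources for one port.

```python
"""Count inbound TCP connection attempts per destination port, per minute,
from iptables LOG lines (classic syslog format with SRC= and DPT= fields).
Added example; the log lines below are constructed, not real traffic."""
import re
from collections import Counter, defaultdict

# Constructed syslog lines; a real file would be /var/log/kern.log or similar.
SAMPLE_LOG = """\
Aug  5 13:30:01 server kernel: IPT-SYN: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=51012 DPT=80 SYN
Aug  5 13:30:02 server kernel: IPT-SYN: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=51013 DPT=80 SYN
Aug  5 13:30:02 server kernel: IPT-SYN: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP SPT=40001 DPT=22 SYN
Aug  5 13:30:59 server kernel: IPT-SYN: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=51014 DPT=80 SYN
Aug  5 13:31:00 server kernel: IPT-SYN: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP SPT=40002 DPT=80 SYN
Aug  5 13:31:03 server kernel: some unrelated kernel message
"""

# Timestamp (no year in syslog), source address and destination port.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_attempts(text):
    """Yield (minute_bucket, src, dport) for each line that is a LOG entry."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a firewall log line (or malformed): skip it
        minute = m.group("ts")[:-3]  # drop ':SS' -> e.g. 'Aug  5 13:30'
        yield minute, m.group("src"), int(m.group("dpt"))


def attempts_per_port_per_minute(text):
    """Return {minute: Counter({dport: attempts})}, the view a firewall gives
    and netstat cannot (netstat has no history)."""
    buckets = defaultdict(Counter)
    for minute, _src, dport in parse_attempts(text):
        buckets[minute][dport] += 1
    return buckets


def top_sources(text, dport):
    """Return [(src, attempts), ...] for one port, busiest source first."""
    counts = Counter(src for _m, src, d in parse_attempts(text) if d == dport)
    return counts.most_common()


if __name__ == "__main__":
    for minute, per_port in sorted(attempts_per_port_per_minute(SAMPLE_LOG).items()):
        print(minute, dict(per_port))
    print("port 80 sources:", top_sources(SAMPLE_LOG, 80))
```

Run it against the real kernel log instead of SAMPLE_LOG to see whether one port or one source dominates in a given minute; a handful of attempts, as in the netstat output above, says nothing either way.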

salasi 08-06-2010 03:23 AM

Quote:

Originally Posted by roshanekka (Post 4057107)
I am a newbie on Linux and its management; I'm learning. I have a server and I think that my server is under a DDoS attack. I see that the server is not having much load and only a few processes run, but my site opens very slowly.

There could be a thousand reasons that your server runs slowly; a DDoS is only one of these.

When you say it is a server, do you mean that it is a webserver (e.g. Apache or something similar, plus whatever else is needed to serve nicely formatted webpages, like a CMS)?

Quote:

I executed the following command over SSH:
Code:

netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n | tail

If it were a DDoS, you'd expect to see lots of connections... as you've only presented 10, you can't tell from this. Additionally, if it is a webserver, your objective is for people from the outside world to make connections; if it is your fileserver, things are rather different.

Quote:

Please tell me if these IPs are doing any kind of attack.
How? We could probably tell you where those particular IPs are based, which may raise suspicions (or not), but that is as likely to be deceptive as not.

We really need some good information from you:
  • What is this server supposed to do?
  • What evidence is there that the server runs more slowly than is reasonable for a server with this planned workload?
  • Are there many of these connections? Should there be?
  • Can you outline the system specs (processor and memory, primarily) and what software it is running?
  • When you say it is slow, what are your criteria (load average, requests-served stats, general feeling)?
  • What does top show?
  • Does vmstat (not the first line) show excessive disk activity?

roshanekka 08-06-2010 06:27 AM

Quote:

We really need some good information from you:

* What is this server supposed to do?
* What evidence is there that the server runs more slowly than is reasonable for a server with this planned workload?
* Are there many of these connections? Should there be?
* Can you outline the system specs (processor and memory, primarily) and what software it is running?
* When you say it is slow, what are your criteria (load average, requests-served stats, general feeling)?
* What does top show?
* Does vmstat (not the first line) show excessive disk activity?
This is a server running Apache 2.2.

1. The server is hosting a few websites.

2. I don't say the server is running slow; actually the sites are opening damn slow. Also I don't see any process in my top, but still my site is down. My CPU load is less than 0.30, but still the site opens slow. And whenever I restart my webserver (httpd) from WHM, the site opens fine for about 5 minutes, then again starts to load slow.

3. I suppose there are many connections; is there any command by which I can find how many connections there are?

4. My cpu specs are:
Quote:

Core2Quad 9300 server
1TB SATA HDD
8GB DDR2 RAM
Hosting few sites and FFMPEG is installed
5. My server is not slow, as I said; the load is also normal, but my site opens damn slow.
It can't be network latency in our region, because if I restart httpd the sites start to load fine.
E.g. site: bindas.tk

6. Here is a preview of top:

Quote:

top - 16:56:23 up 21 days, 1:22, 2 users, load average: 0.04, 0.37, 0.69
Tasks: 207 total, 1 running, 205 sleeping, 0 stopped, 1 zombie
Cpu(s): 0.4%us, 0.2%sy, 0.0%ni, 98.4%id, 0.8%wa, 0.0%hi, 0.2%si, 0.0%st
Mem: 3069876k total, 2841276k used, 228600k free, 74064k buffers
Swap: 5124692k total, 120k used, 5124572k free, 2328828k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
1053 samm1986 15 0 105m 19m 7016 S 0.3 0.7 0:00.05 php
1 root 15 0 2072 628 540 S 0.0 0.0 0:03.81 init
2 root RT -5 0 0 0 S 0.0 0.0 0:00.66 migration/0
3 root 34 19 0 0 0 S 0.0 0.0 0:00.23 ksoftirqd/0
4 root RT -5 0 0 0 S 0.0 0.0 0:00.00 watchdog/0
5 root RT -5 0 0 0 S 0.0 0.0 0:02.95 migration/1
6 root 39 19 0 0 0 S 0.0 0.0 0:00.24 ksoftirqd/1
7 root RT -5 0 0 0 S 0.0 0.0 0:00.00 watchdog/1
8 root RT -5 0 0 0 S 0.0 0.0 0:00.88 migration/2
9 root 34 19 0 0 0 S 0.0 0.0 0:00.15 ksoftirqd/2
10 root RT -5 0 0 0 S 0.0 0.0 0:00.00 watchdog/2
11 root RT -5 0 0 0 S 0.0 0.0 0:03.60 migration/3
12 root 34 19 0 0 0 S 0.0 0.0 0:00.25 ksoftirqd/3
13 root RT -5 0 0 0 S 0.0 0.0 0:00.00 watchdog/3
14 root 10 -5 0 0 0 S 0.0 0.0 0:00.04 events/0
15 root 10 -5 0 0 0 S 0.0 0.0 0:00.05 events/1
16 root 10 -5 0 0 0 S 0.0 0.0 0:00.04 events/2
7. vmstat preview:

Quote:

root@server [~]# vmstat
procs -----------memory---------- ---swap-- -----io---- --system-- -----cpu------
r b swpd free buff cache si so bi bo in cs us sy id wa st
0 0 120 225920 74412 2336076 0 0 45 44 2 3 2 3 93 2 0
root@server [~]#
Please note that the server is not slow, but the site opens slow.

unixfool 08-06-2010 07:42 AM

Quote:

2. I don't say the server is running slow; actually the sites are opening damn slow. Also I don't see any process in my top, but still my site is down. My CPU load is less than 0.30, but still the site opens slow. And whenever I restart my webserver (httpd) from WHM, the site opens fine for about 5 minutes, then again starts to load slow.
Hrmm...

DDoS activity usually results in the system tanking due to it having issues attempting to track thousands+ of alerts. Let's say a system that was being DDoSed was restarted. When a system restarts, everything is reinitialized, including connection tracking. So, of course, a check of resources immediately after a reboot won't be the same as a check of resources after 10 or so minutes of DDoS activity. Your explanation doesn't mean a thing, IMO. The only thing that backs you up at this point is the fact that top isn't showing any resource spikes, which also means nothing.

Quote:

Please note that the server is not slow, but the site opens slow.
Then this isn't a DDoS issue. If this were a DDoS, your netstat output would certainly be different (I'm not saying that netstat provides proof-positive results, either), as it would be showing a LOT more than what you provided. Also, most DoS-type attacks happen because system resources (CPU and/or memory) are eventually drained. What usually happens with DDoS is the system grinds to a halt and eventually tanks. The system...the server. Not an application.

This tells me that you're possibly experiencing an application issue, but you did know that one IP/host can DoS a computer, right? A host can send a specially crafted packet to another system which would make that remote system gag on the packet, which may hose the whole system or hog enough resources that the remote system can't do anything else. That's pretty much a denial of service. Again, your issue might not be DDoS-related... it may certainly be DoS-related, though. So, we're back to square one. What you think is a DDoS is almost certainly not, but you might be experiencing some type of DoS, or you've an issue with one of your apps (a misconfiguration that the system is choking on or that someone is attempting to take advantage of).


Now, check this link and use it to determine the state of integrity of your host. This is the US CERT's Intrusion Detection Checklist. There's also a massive LQ Security Resources thread here. Use this (maybe after you've fixed your current issue) to establish an integrity baseline for your machine(s).

You need to find out the who, what, when, where, why, and how, if you think your box is being defiled or impeded. Start with your system logs and your application logs (definitely check Apache). You can run a sniffer on a temporary basis just so you can better see what's going on... I believe a sniffer will be a better resource than any FW log. A FW log will point you in a direction. A sniffer log, depending on how you've configured it, will tell you everything a FW log will, in addition to Layer-7 information (which a FW won't be able to do unless it has true IPS functionality).

Lastly, quit restarting your host. Restarting plays havoc with the system's audit trail. If you're restarting, you're wiping away traces of evidence that may not have yet made it to a logfile.

roshanekka 08-06-2010 01:53 PM

I was wondering if my Apache configuration is causing this kind of problem....

Can this be the issue... that my Apache + PHP build is causing this....

SciFi-Bob 08-10-2010 12:37 PM

A quick way to detect whether it really is a network problem is to unplug the network cable and access one of your sites from the server itself (with wget).
If it responds at once, it is an indication that some network problem exists, but it's still no guarantee that it is an attack. It may be several other things going on on your LAN, a runaway workstation, etc.

Code:

wget -O- http://yoursite
will dump the request to standard output.
