Need Help - DDoS attack

Steve (Member)
edited July 2012 in General

I manage the web server for a popular website, and for the past few hours, it's been under a DDoS attack. No one can access the site.

I checked Apache's log and saw this:

    49.132.228.84 - - [28/Jul/2012:05:35:10 +0200] "POST / HTTP/1.0" 301 605 "6iiby75pl52.net" "Mozilla/4.0 (compatible; ibisBrowser)"
    189.154.50.212 - - [28/Jul/2012:05:35:06 +0200] "POST / HTTP/1.0" 301 568 "51mso8n5956.ru" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.3) Gecko/20010801"
    112.197.191.15 - - [28/Jul/2012:05:35:15 +0200] "POST / HTTP/1.0" 301 605 "9ak99or.biz" "Mozilla/4.5 [en]C-CCK-MCD {RuralNet} (Win98; I)"
    121.115.89.29 - - [28/Jul/2012:05:36:07 +0200] "POST / HTTP/1.0" 301 605 "0h37660oa6d8j.info" "Mozilla/3.0 (compatible; NetPositive/2.2)"
    112.197.191.15 - - [28/Jul/2012:05:35:23 +0200] "POST / HTTP/1.0" 301 605 "8gf42cq.biz" "Mozilla/5.0 (compatible; ShunixBot/1.x; http://www.ym404mwxc8.com/bot.htm)"
    14.48.37.99 - - [28/Jul/2012:05:36:08 +0200] "POST / HTTP/1.0" 301 605 "2yeuk54c2.com" "Mozilla/5.0 (compatible; Bot; +http://yc5pn9i83c29c.ws/spamfilter"
    222.15.162.47 - - [28/Jul/2012:05:35:05 +0200] "POST / HTTP/1.0" 301 605 "zy77145851l.biz" "Mozilla/5.0 (compatible; BecomeJPBot/2.3; MSIE 6.0 compatible; +http://www.iux9ze6.jp/wh2q80.html)"

I've tried blocking the IP addresses, but that's no use. I've blocked over 300 addresses manually and the attacks just keep coming. Any ideas on how to prevent this type of attack?
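The seven log lines quoted above are enough to see what is being flooded and why blocking addresses one at a time does not keep up: every request has the same shape (a POST to "/" over HTTP/1.0, a Referer that is a bare throwaway hostname, an ancient or fake User-Agent), while almost every source address appears only once. The script below is an added example, not the poster's code and not part of the original thread. It parses combined-format lines, fingerprints the flood by request shape rather than by source, and emits the iptables rules that were being typed by hand. The two 203.0.113.7 lines are constructed legitimate traffic so the filter has something it must not catch; the bare-hostname Referer test and the assumption that the site's own forms never POST to "/" over HTTP/1.0 are my assumptions, not facts from the post.

```python
"""Triage an Apache combined-format access log for an HTTP POST flood.

Added example for the LowEndTalk thread; not the poster's code. Fingerprints
the flood by request shape (what every bot sends) instead of by source
address (which is different for almost every request).
"""
import re
from collections import Counter

# Apache "combined" log format:
#   ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# The seven lines quoted in the post, plus two CONSTRUCTED legitimate requests
# from 203.0.113.7 (a documentation address) that the filter must leave alone.
SAMPLE_LOG = """\
49.132.228.84 - - [28/Jul/2012:05:35:10 +0200] "POST / HTTP/1.0" 301 605 "6iiby75pl52.net" "Mozilla/4.0 (compatible; ibisBrowser)"
189.154.50.212 - - [28/Jul/2012:05:35:06 +0200] "POST / HTTP/1.0" 301 568 "51mso8n5956.ru" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.3) Gecko/20010801"
112.197.191.15 - - [28/Jul/2012:05:35:15 +0200] "POST / HTTP/1.0" 301 605 "9ak99or.biz" "Mozilla/4.5 [en]C-CCK-MCD {RuralNet} (Win98; I)"
121.115.89.29 - - [28/Jul/2012:05:36:07 +0200] "POST / HTTP/1.0" 301 605 "0h37660oa6d8j.info" "Mozilla/3.0 (compatible; NetPositive/2.2)"
112.197.191.15 - - [28/Jul/2012:05:35:23 +0200] "POST / HTTP/1.0" 301 605 "8gf42cq.biz" "Mozilla/5.0 (compatible; ShunixBot/1.x; http://www.ym404mwxc8.com/bot.htm)"
14.48.37.99 - - [28/Jul/2012:05:36:08 +0200] "POST / HTTP/1.0" 301 605 "2yeuk54c2.com" "Mozilla/5.0 (compatible; Bot; +http://yc5pn9i83c29c.ws/spamfilter"
222.15.162.47 - - [28/Jul/2012:05:35:05 +0200] "POST / HTTP/1.0" 301 605 "zy77145851l.biz" "Mozilla/5.0 (compatible; BecomeJPBot/2.3; MSIE 6.0 compatible; +http://www.iux9ze6.jp/wh2q80.html)"
203.0.113.7 - - [28/Jul/2012:05:35:30 +0200] "GET /download.html HTTP/1.1" 200 8312 "http://example.org/links" "Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0.1"
203.0.113.7 - - [28/Jul/2012:05:35:41 +0200] "POST /bugs/submit HTTP/1.1" 302 0 "http://www.example.org/bugs/new" "Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0.1"
"""

# A Referer that is only a hostname: no scheme, no path. Browsers send a full URL.
BARE_HOST = re.compile(r'[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}')


def parse_log(text):
    """Parse combined-format lines; lines that do not match are returned as-is."""
    records, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
        else:
            unparsed.append(line)
    return records, unparsed


def is_flood_request(rec):
    """Request shape seen in the quoted log: POST to "/" over HTTP/1.0 with a
    bare-hostname Referer. ASSUMPTION: the site's own forms never produce this."""
    return (rec['method'] == 'POST'
            and rec['path'] == '/'
            and rec['proto'] == 'HTTP/1.0'
            and BARE_HOST.fullmatch(rec['referer']) is not None)


def triage(text):
    """Summarise a log: how much is flood traffic, from which sources and agents."""
    records, unparsed = parse_log(text)
    flood = [r for r in records if is_flood_request(r)]
    return {
        'total': len(records),
        'unparsed': len(unparsed),
        'flood_requests': len(flood),
        'flood_ips': Counter(r['ip'] for r in flood),
        'distinct_agents': len({r['agent'] for r in flood}),
        'legit_ips': sorted({r['ip'] for r in records if not is_flood_request(r)}),
    }


def per_ip_threshold_hits(text, threshold):
    """What a plain per-source counter sees: only addresses with >= threshold
    requests. With one hit per bot this misses most of a distributed flood."""
    records, _ = parse_log(text)
    counts = Counter(r['ip'] for r in records)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def deny_rules(flood_ips):
    """iptables DROP rules for every fingerprinted source, most active first."""
    return ['iptables -I INPUT -s %s -j DROP' % ip for ip, _ in flood_ips.most_common()]


if __name__ == '__main__':
    summary = triage(SAMPLE_LOG)
    print('%d requests, %d match the flood fingerprint from %d sources'
          % (summary['total'], summary['flood_requests'], len(summary['flood_ips'])))
    print('a per-IP threshold of 2 would flag only:', per_ip_threshold_hits(SAMPLE_LOG, 2))
    print('\n'.join(deny_rules(summary['flood_ips'])))
```

Run it as `python3 triage.py` (or feed a saved access log to `triage()`). The `per_ip_threshold_hits` call shows the failure mode behind "none of those seem to work": on the sample, a per-address counter of the CSF/DDoS-Deflate kind flags one bot and the one real visitor and misses the other five bots, while the request-shape fingerprint catches all seven flood requests and nothing else. The generated rules are only a stopgap; the shape match belongs in the web server or a front proxy, where it rejects the request without a human in the loop.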

Comments

  • I'm guessing it's more than just a web server attack.

    This signature is brought to you by the NSA. Spying on the entire world since 1952!

  • CSF

  • DDoS-Deflate is supposed to work

  • Steve (Member)

    Thanks guys, but none of those seem to work for this type of attack.

    Any other ideas?

  • Zen (Member)

    HTTP POST/GET attack. Fix your Apache configuration. Do they pay you?

    Transparency: I work for Nodisto and all subsequent businesses: Backupsy, VPSDime, Winity, Cloudive, and DotVPS. My opinions represented through posts on this forum are mine and not the opinions of these businesses unless explicitly stated otherwise.
  • Taz (Disabled)

    If it is Apache-based, block port 80, contact LiteSpeed, and something that has worked for me most of the time was an nginx reverse proxy from a different server. If it is a SYN flood, you will need professional ddi

    Time is good and also bad. Life is short and that is sad. Dont worry be happy thats my style. No matter what happens i won't lose my smile!

  • Zen (Member)
    edited July 2012

    Or just correctly configure Apache... I'm sure it isn't a SYN flood, since the guy posted web server logs.

  • Steve (Member)

    @Zen said: HTTP POST/GET attack. Fix your Apache configuration. Do they pay you?

    Nope. It's a website for an open-source program. What exactly do I need to change in my Apache configuration?

  • Taz (Disabled)

    @Zen my bad, didn't look at those logs. @Steve, if you can, drop Apache altogether and use either LiteSpeed or nginx. If you cannot, assuming your server has enough RAM, get Varnish cache, increase the timeout and keep-alive times, and try to route Apache through a different port. And get an nginx proxy up and filter that bad traffic.

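What the "nginx proxy up and filter that bad traffic" suggestion looks like in practice, as an added example that is not part of the thread and not Taz's own config: nginx takes port 80 and Apache is moved to 127.0.0.1:8080 (or, as the post also suggests, nginx runs on a separate box and the upstream address is Apache's). nginx reads each request in full within its own short deadlines, so a slow or oversized POST costs it one cheap connection slot rather than an Apache worker, and the request shape seen in the thread's log is dropped before it is proxied. This is the http{} context of nginx.conf; the host name, upstream address, rates and zone sizes are placeholders I chose, not measured values.

```nginx
# Added example for the LowEndTalk thread; not the poster's configuration.
# http{} context of nginx.conf. Names and numbers are placeholders.
http {
    # Per-source budgets: 5 requests/s with a burst of 10, at most 20 open
    # connections. 10m of shared memory tracks on the order of 160k addresses.
    limit_req_zone  $binary_remote_addr zone=perip:10m  rate=5r/s;
    limit_conn_zone $binary_remote_addr zone=perconn:10m;

    # Half 1 of the fingerprint from the thread's log: POST to / over HTTP/1.0.
    map "$request_method:$server_protocol:$uri" $flood_shape {
        default            0;
        "POST:HTTP/1.0:/"  1;
    }
    # Half 2: a Referer that is a bare hostname, no scheme or path
    # (assumption: no legitimate client of this site sends that).
    map $http_referer $bare_referer {
        default                        0;
        "~*^[a-z0-9.-]+\.[a-z]{2,}$"   1;
    }

    upstream apache_backend {
        server 127.0.0.1:8080;    # Apache, moved off port 80
    }

    server {
        listen      80;
        server_name example.org;  # placeholder

        # nginx must receive headers and body within these deadlines and
        # buffers the whole request before Apache sees a byte.
        client_header_timeout 10s;
        client_body_timeout   10s;
        client_max_body_size  1m;
        keepalive_timeout     5s;
        send_timeout          10s;

        limit_req  zone=perip burst=10 nodelay;
        limit_conn perconn 20;

        # Both halves match: close the socket without a response (444).
        set $flood "$flood_shape$bare_referer";
        if ($flood = "11") {
            return 444;
        }

        location / {
            proxy_pass            http://apache_backend;
            proxy_http_version    1.1;
            proxy_set_header      Host            $host;
            proxy_set_header      X-Real-IP       $remote_addr;
            proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_connect_timeout 5s;
            proxy_read_timeout    30s;
        }
    }
}
```

Check it with `nginx -t` before reloading. Once Apache sits behind the proxy its access log shows 127.0.0.1 for every client unless it is told to trust the X-Forwarded-For header from the proxy (mod_remoteip on Apache 2.4, mod_rpaf on 2.2), and any address-based blocking has to happen on the nginx host, since that is where the real source addresses arrive.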

  • Zen (Member)

    Set the correct limits, read time, timeout, workers, mod_qos, choose the best MPM (event, dedicated thread for sockets), iptables for rate limiting, CSF/DDoS-Deflate for connection limits, mod_security.

    Basically, if you've set up Apache for production use and haven't read about any of this, then you've got it open to everything.

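The list above, written out as httpd.conf, as an added example that is not part of the thread and not Zen's or the poster's configuration. The "before" values are the stock ones that let a POST flood hold every worker; the "after" values bound how long a client may stall, how much body Apache will read, and how many connections a process serves, then refuse the exact request shape in the thread's log at the web server instead of by hand-typed IP rules. Directive names are Apache 2.4 (2.2 equivalents are noted in comments); the numbers are a starting point for a small VPS and are my assumptions, not measured values. Apache does not allow comments after a directive on the same line, so every comment here is on its own line.

```apache
# Added example for the LowEndTalk thread; not the poster's httpd.conf.
# Apache 2.4 directive names; numbers are assumptions for a small VPS.

# --- Before: stock values that let a slow POST flood hold workers ---
# Timeout 300
# KeepAliveTimeout 15
# (no RequestReadTimeout, no LimitRequestBody, prefork MPM with MaxClients 150)

# --- After ---

# A socket that stalls for 30s is dropped instead of holding a worker for 5 minutes.
Timeout 30
KeepAlive On
KeepAliveTimeout 3
MaxKeepAliveRequests 100

# mod_reqtimeout (a2enmod reqtimeout on Debian/Ubuntu): a client that has not
# finished its headers in 10s, or its body in 20s, is cut off; the deadline
# extends only while data keeps arriving at 500 bytes/s or more.
RequestReadTimeout header=10-20,MinRate=500 body=20,MinRate=500

# Assumption: nothing on this site legitimately POSTs more than 1 MiB, so the
# body a bot can make Apache read per request is bounded.
LimitRequestBody 1048576

# Event MPM: a listener thread per process handles idle and keep-alive
# sockets, so a connection that is merely open no longer costs a worker.
# Apache 2.2 names: MaxClients / MaxRequestsPerChild.
<IfModule mpm_event_module>
    StartServers            2
    ServerLimit             16
    ThreadsPerChild         25
    MaxRequestWorkers       400
    MaxConnectionsPerChild  10000
</IfModule>

# mod_rewrite: refuse the request shape seen in the thread's log, a POST to /
# over HTTP/1.0 with a Referer that is a bare hostname and no scheme. The
# request gets a 403 and never reaches the site's handlers.
# Assumption: the site's own forms never produce this combination.
RewriteEngine On
RewriteCond %{REQUEST_METHOD}   =POST
RewriteCond %{REQUEST_URI}      ^/$
RewriteCond %{SERVER_PROTOCOL}  =HTTP/1.0
RewriteCond %{HTTP_REFERER}     ^[a-z0-9.-]+\.[a-z]{2,}$ [NC]
RewriteRule ^ - [F]
```

Run `apachectl configtest` (or `apache2ctl configtest`) before reloading, and confirm with `apachectl -M` that `mpm_event_module`, `reqtimeout_module` and `rewrite_module` are loaded. The "iptables for rate limiting" item is a per-source budget such as `iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -m hashlimit --hashlimit-name http --hashlimit-mode srcip --hashlimit-above 20/sec --hashlimit-burst 50 -j DROP`; it is worth having, but note that in the thread's log almost every source sends a single request, which no per-source limit will ever exceed, so the rewrite rule above does the real work against this particular flood.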
  • AsadHaider (Member)
    edited July 2012

    @NinjaHawk said: if you can, drop Apache altogether and use either LiteSpeed or nginx. If you cannot, assuming your server has enough RAM, get Varnish cache, increase the timeout and keep-alive times, and try to route Apache through a different port. And get an nginx proxy up and filter that bad traffic.

    Or lighttpd.

  • JTR (Member)

    mod_evasive works wonders for some types of Apache attacks, and Varnish usually helps with most other types.
