I manage the web server for a popular website, and for the past few hours, it's been under a DDoS attack. No one can access the site.
I checked Apache's log and saw this:
49.132.228.84 - - [28/Jul/2012:05:35:10 +0200] "POST / HTTP/1.0" 301 605 "6iiby75pl52.net" "Mozilla/4.0 (compatible; ibisBrowser)"
189.154.50.212 - - [28/Jul/2012:05:35:06 +0200] "POST / HTTP/1.0" 301 568 "51mso8n5956.ru" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.3) Gecko/20010801"
112.197.191.15 - - [28/Jul/2012:05:35:15 +0200] "POST / HTTP/1.0" 301 605 "9ak99or.biz" "Mozilla/4.5 [en]C-CCK-MCD {RuralNet} (Win98; I)"
121.115.89.29 - - [28/Jul/2012:05:36:07 +0200] "POST / HTTP/1.0" 301 605 "0h37660oa6d8j.info" "Mozilla/3.0 (compatible; NetPositive/2.2)"
112.197.191.15 - - [28/Jul/2012:05:35:23 +0200] "POST / HTTP/1.0" 301 605 "8gf42cq.biz" "Mozilla/5.0 (compatible; ShunixBot/1.x; http://www.ym404mwxc8.com/bot.htm)"
14.48.37.99 - - [28/Jul/2012:05:36:08 +0200] "POST / HTTP/1.0" 301 605 "2yeuk54c2.com" "Mozilla/5.0 (compatible; Bot; +http://yc5pn9i83c29c.ws/spamfilter"
222.15.162.47 - - [28/Jul/2012:05:35:05 +0200] "POST / HTTP/1.0" 301 605 "zy77145851l.biz" "Mozilla/5.0 (compatible; BecomeJPBot/2.3; MSIE 6.0 compatible; +http://www.iux9ze6.jp/wh2q80.html)"
I've tried blocking the IP addresses, but that's no use. I've blocked over 300 addresses manually and the attacks just keep coming. Any ideas on how to prevent this type of attack?
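An added example, not part of the original post: a Python script that parses the log lines above and classifies them by request shape (method, path, protocol, Referer form) rather than by source address, which is the property a filter can key on when the addresses keep changing. The `is_flood` and `summarize` helpers and the last two log lines (ordinary traffic from documentation addresses) are constructed for illustration.

```python
import re

# Apache "combined" log format, as used by the lines in the post.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) '
    r'(?P<proto>[^"]+)" \d{3} \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

# The first seven lines are from the post; the last two are constructed
# samples of ordinary traffic (documentation IPs, example.org).
LOG = '''49.132.228.84 - - [28/Jul/2012:05:35:10 +0200] "POST / HTTP/1.0" 301 605 "6iiby75pl52.net" "Mozilla/4.0 (compatible; ibisBrowser)"
189.154.50.212 - - [28/Jul/2012:05:35:06 +0200] "POST / HTTP/1.0" 301 568 "51mso8n5956.ru" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.3) Gecko/20010801"
112.197.191.15 - - [28/Jul/2012:05:35:15 +0200] "POST / HTTP/1.0" 301 605 "9ak99or.biz" "Mozilla/4.5 [en]C-CCK-MCD {RuralNet} (Win98; I)"
121.115.89.29 - - [28/Jul/2012:05:36:07 +0200] "POST / HTTP/1.0" 301 605 "0h37660oa6d8j.info" "Mozilla/3.0 (compatible; NetPositive/2.2)"
112.197.191.15 - - [28/Jul/2012:05:35:23 +0200] "POST / HTTP/1.0" 301 605 "8gf42cq.biz" "Mozilla/5.0 (compatible; ShunixBot/1.x; http://www.ym404mwxc8.com/bot.htm)"
14.48.37.99 - - [28/Jul/2012:05:36:08 +0200] "POST / HTTP/1.0" 301 605 "2yeuk54c2.com" "Mozilla/5.0 (compatible; Bot; +http://yc5pn9i83c29c.ws/spamfilter"
222.15.162.47 - - [28/Jul/2012:05:35:05 +0200] "POST / HTTP/1.0" 301 605 "zy77145851l.biz" "Mozilla/5.0 (compatible; BecomeJPBot/2.3; MSIE 6.0 compatible; +http://www.iux9ze6.jp/wh2q80.html)"
203.0.113.7 - - [28/Jul/2012:05:35:11 +0200] "GET /download.html HTTP/1.1" 200 5120 "http://example.org/" "Mozilla/5.0 (X11; Linux x86_64; rv:14.0) Gecko/20100101 Firefox/14.0"
203.0.113.9 - - [28/Jul/2012:05:35:12 +0200] "POST /forum/post HTTP/1.1" 200 812 "http://example.org/forum/" "Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0"'''


def is_flood(rec):
    """True for the request shape shared by every attack line in the post:
    POST to "/" over HTTP/1.0 with a Referer that is a bare hostname
    (browsers send a full URL with a scheme)."""
    bare_referer = rec["referer"] not in ("", "-") and "://" not in rec["referer"]
    shape = (rec["method"], rec["path"], rec["proto"])
    return shape == ("POST", "/", "HTTP/1.0") and bare_referer


def summarize(text):
    """Parse the log text and count how varied the flagged requests are."""
    recs = [m.groupdict() for m in map(LINE.match, text.splitlines()) if m]
    hits = [r for r in recs if is_flood(r)]
    return {
        "parsed": len(recs),
        "flagged": len(hits),
        "source_ips": len({r["ip"] for r in hits}),
        "user_agents": len({r["ua"] for r in hits}),
        "referers": len({r["referer"] for r in hits}),
    }


if __name__ == "__main__":
    print(summarize(LOG))
```

In this excerpt the source address, User-Agent and Referer value differ on almost every line, while the method, path, protocol version and Referer form are identical, so the request shape is the stable thing to match on.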
Comments
I'm guessing it's more than just a web server attack.
It's LET, you should expect unnecessary overreactions. "Gimme the sound, to see, Another world outside that’s full of All the broken things that I made"
CSF
DDoS-Deflate is supposed to work
Thanks guys, but none of those seem to work for this type of attack.
Any other ideas?
HTTP post/get attack. Fix your Apache configuration. Do they pay you?
If it is Apache based, block port 80, contact LiteSpeed, and something that has worked for me most of the time was an nginx reverse proxy from a different server. If it is a SYN flood, you will need professional ddi
Time is good and also bad. Life is short and that is sad. Don't worry be happy that's my style. No matter what happens I won't lose my smile!
Or just correctly configure Apache... I'm sure it isn't a syn flood since the guy posted web server logs.
Nope. It's a website for an open-source program. What exactly do I need to change in my Apache configuration?
@Zen my bad, didn't look at those logs. @Steve, if you can, drop Apache altogether and either use LiteSpeed or nginx. If you cannot, assuming your server has enough RAM, get Varnish cache, increase timeout time, keep alive time and try to route Apache through a different port. And get an nginx proxy up and filter that bad traffic.
Time is good and also bad. Life is short and that is sad. Don't worry be happy that's my style. No matter what happens I won't lose my smile!
Set the correct limits, read time, time out, workers, Mod_QoS, choose best MPM (event, dedicated thread for sockets), iptables for rate limiting, CSF/dosdeflate for connection limits, mod security.
Basically if you've set up Apache for production use and haven't read about any of this then you've got it open to everything.
Nginx reverse proxy? I have no idea what I just wrote
Asad
Or lighttpd.
Mod_evasive works wonders for some types of Apache attacks, and Varnish usually helps with most other types.