Need Help - DDoS attack

Steve, Member
edited July 2012 in General

I manage the web server for a popular website, and for the past few hours, it's been under a DDoS attack. No one can access the site.

I checked Apache's log and saw this:

49.132.228.84 - - [28/Jul/2012:05:35:10 +0200] "POST / HTTP/1.0" 301 605 "6iiby75pl52.net" "Mozilla/4.0 (compatible; ibisBrowser)"
189.154.50.212 - - [28/Jul/2012:05:35:06 +0200] "POST / HTTP/1.0" 301 568 "51mso8n5956.ru" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.3) Gecko/20010801"
112.197.191.15 - - [28/Jul/2012:05:35:15 +0200] "POST / HTTP/1.0" 301 605 "9ak99or.biz" "Mozilla/4.5 [en]C-CCK-MCD {RuralNet} (Win98; I)"
121.115.89.29 - - [28/Jul/2012:05:36:07 +0200] "POST / HTTP/1.0" 301 605 "0h37660oa6d8j.info" "Mozilla/3.0 (compatible; NetPositive/2.2)"
112.197.191.15 - - [28/Jul/2012:05:35:23 +0200] "POST / HTTP/1.0" 301 605 "8gf42cq.biz" "Mozilla/5.0 (compatible; ShunixBot/1.x; http://www.ym404mwxc8.com/bot.htm)"
14.48.37.99 - - [28/Jul/2012:05:36:08 +0200] "POST / HTTP/1.0" 301 605 "2yeuk54c2.com" "Mozilla/5.0 (compatible; Bot; +http://yc5pn9i83c29c.ws/spamfilter"
222.15.162.47 - - [28/Jul/2012:05:35:05 +0200] "POST / HTTP/1.0" 301 605 "zy77145851l.biz" "Mozilla/5.0 (compatible; BecomeJPBot/2.3; MSIE 6.0 compatible; +http://www.iux9ze6.jp/wh2q80.html)"

I've tried blocking the IP addresses, but that's no use. I've blocked over 300 addresses manually and the attacks just keep coming. Any ideas on how to prevent this type of attack?
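The log lines above share a request shape (POST to / over HTTP/1.0 with a bare hostname as Referer) even though the source addresses keep changing. The following is an added example, not part of the original post: a Python sketch that counts requests matching that shape and the addresses behind them. The sample log is constructed, using documentation IP ranges and `.example` hostnames, and the trait names are made up for this example.

```python
import re
from collections import Counter

# Apache "combined" log format, the format of the lines quoted in the post.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<agent>.*)$'
)
# Trait names are hypothetical labels chosen for this example.
FLOOD_SHAPE = {"post-to-root", "http-1.0", "schemeless-referer"}

def traits(entry):
    """Return the traits a request shares with the flood lines in the post."""
    found = set()
    if entry["method"] == "POST" and entry["path"] == "/":
        found.add("post-to-root")
    if entry["proto"] == "HTTP/1.0":
        found.add("http-1.0")
    ref = entry["referer"].lower()
    # Browsers send a full URL as Referer; the flood sends a bare hostname.
    if ref not in ("", "-") and not ref.startswith(("http://", "https://")):
        found.add("schemeless-referer")
    return found

def summarize(log_text):
    """Count requests matching all three traits, grouped by source IP."""
    total, unparsed, per_ip = 0, 0, Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            unparsed += 1
            continue
        total += 1
        if traits(m.groupdict()) == FLOOD_SHAPE:
            per_ip[m["ip"]] += 1
    return {"total": total, "unparsed": unparsed,
            "flagged": sum(per_ip.values()), "per_ip": per_ip}

# Constructed sample: four flood-shaped requests and two ordinary ones.
SAMPLE_LOG = """\
192.0.2.10 - - [28/Jul/2012:05:35:10 +0200] "POST / HTTP/1.0" 301 605 "a1b2c3.example" "Mozilla/4.0 (compatible; ibisBrowser)"
198.51.100.7 - - [28/Jul/2012:05:35:11 +0200] "POST / HTTP/1.0" 301 568 "d4e5f6.example" "Mozilla/3.0 (compatible; NetPositive/2.2)"
203.0.113.99 - - [28/Jul/2012:05:35:12 +0200] "POST / HTTP/1.0" 301 605 "g7h8i9.example" "Mozilla/5.0 (compatible; Bot"
192.0.2.10 - - [28/Jul/2012:05:35:15 +0200] "POST / HTTP/1.0" 301 605 "j0k1l2.example" "Mozilla/4.5 [en] (Win98; I)"
198.51.100.200 - - [28/Jul/2012:05:35:16 +0200] "GET /download HTTP/1.1" 200 5120 "http://www.example.org/" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.201 - - [28/Jul/2012:05:35:17 +0200] "POST /login HTTP/1.1" 302 0 "https://www.example.org/login" "Mozilla/5.0 (Windows NT 6.1)"
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run against the real access log, a high flagged count spread over many addresses shows that a rule on request shape covers traffic that per-address blocking misses.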

Comments

  • I'm guessing it's more than just a web server attack.

  • CSF

    Thanked by 1 Steve
  • dearroy, Member, Host Rep

    DDoS-Deflate is supposed to work

    Thanked by 2 TheHackBox Steve
  • Steve, Member

    Thanks guys, but none of those seem to work for this type of attack.

    Any other ideas?

  • Taz, Member

    If it is Apache-based, block port 80, contact LiteSpeed, and something that has worked for me most of the time was an nginx reverse proxy from a different server. If it is a SYN flood, you will need professional ddi

  • Steve, Member

    @Zen said: HTTP post/get attack. Fix your Apache configuration. Do they pay you?

    Nope. It's a website for an open-source program.
    What exactly do I need to change in my Apache configuration?

  • Taz, Member

    @Zen my bad, didn't look at those logs.
    @Steve, if you can, drop Apache altogether and use either LiteSpeed or nginx. If you cannot, assuming your server has enough RAM, get Varnish cache, increase the timeout time, keep-alive time, and try to route Apache through a different port. And get an nginx proxy up and filter that bad traffic.

  • Asad, Member
    edited July 2012

    Nginx reverse proxy? I have no idea what I just wrote

  • @NinjaHawk said: if you can, drop Apache altogether and use either LiteSpeed or nginx. If you cannot, assuming your server has enough RAM, get Varnish cache, increase the timeout time, keep-alive time, and try to route Apache through a different port. And get an nginx proxy up and filter that bad traffic.

    Or lighttpd.

  • JTR, Member

    Mod_evasive works wonders for some types of Apache attacks, and Varnish usually helps with most other types.
