Comments
You should contact your provider. They're the one that can work with you to get it resolved.
Your options vary depending on the size of the attack. Do you have an exact or estimated size of how large the DDoS attack is?
DoS = easy. DDoS = less easy. Second opinion here says contact provider ASAP.
I assume attacking like that is a crime, why not contact the authorities in your country and file a case? Get some proof from your host.
53 = DNS. Could be a few things. Making a ton of dns requests.
Block the 53 port and use external DNS services? Maybe your server is used for reflected dns attacks?
netstat -plan | grep :53 | awk '{print $5}' | cut -d: -f 1 | sort | uniq -c | sort -nk 1
You can replace :53 with any port you wish to know connections to. This is very handy if you think someone is making an abusive amount of connections to your web server (ports 80 or 443). It will make a list of IP addresses accessing the port and show you, in ascending order, the number of connections each IP is making. Take the IP addresses with the highest number of connections and block them using iptables as follows:
iptables -I INPUT -s (ip) -j DROP
Hope this helps.
Cheers!
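Added example, not part of the post above: the same per-peer count, but matching the local port exactly (a plain `grep :53` also matches peers on `:53124` and the server's own outbound lookups to a remote port 53) and keeping IPv6 addresses intact. The function names and the sample lines are constructed for illustration; the addresses are documentation ranges.

```shell
#!/bin/sh
# Reads `netstat -an`-style lines on stdin.

# count_peers PORT: print "COUNT IP" for peers connected to local PORT, busiest first.
count_peers() {
    awk -v port="$1" '
        # Only TCP/UDP rows; column 4 is the local address, column 5 the peer.
        $1 ~ /^(tcp|udp)/ {
            local_port = $4; sub(/.*:/, "", local_port)
            if (local_port != port) next          # exact match only
            peer = $5; sub(/:[^:]*$/, "", peer)   # drop just the trailing :port
            if (peer == "0.0.0.0" || peer == "::" || peer == "*") next  # listeners
            seen[peer]++
        }
        END { for (ip in seen) print seen[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# heavy_peers PORT MIN: print only the IPs holding at least MIN connections.
heavy_peers() {
    count_peers "$1" | awk -v min="$2" '$1 >= min { print $2 }'
}

# Constructed sample input, not real traffic.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
tcp        0      0 203.0.113.10:53         198.51.100.7:40112      ESTABLISHED
tcp        0      0 203.0.113.10:53         198.51.100.7:40113      ESTABLISHED
tcp        0      0 203.0.113.10:53         198.51.100.7:40114      TIME_WAIT
tcp        0      0 203.0.113.10:53         192.0.2.44:51000        ESTABLISHED
tcp        0      0 203.0.113.10:44321      192.0.2.99:53           ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.44:53124        ESTABLISHED
tcp6       0      0 2001:db8::10:53         2001:db8::beef:40000    ESTABLISHED
tcp6       0      0 2001:db8::10:53         2001:db8::beef:40001    ESTABLISHED
udp        0      0 0.0.0.0:53              0.0.0.0:*
EOF
}

# Stand-alone run: show the per-peer counts for port 53 in the sample.
sample_netstat | count_peers 53
```

On a live box, feed it with `netstat -an | count_peers 53` and review the list before writing any DROP rules. A DNS server's UDP socket shows up only as the listening row, so this counts TCP connections; UDP query floods need packet counters or a capture instead.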
It sounds like a DNS reflection attack.
Double check that your server doesn't have bind installed on it, and if it does and you DON'T need it uninstall it with apt-get remove bind9. Not sure what the removal for other OS is.
http://deflate.medialayer.com/
but get advice from upstream
sudo yum remove bind should work on RHEL.
Why do hosts even install bind9 by default on their images? It is just a way to create a problem for everyone down the line. If a customer wants it, let them install it.
@auir (cont. from my post before) Technically you aren't getting 'DDOS' rather you are currently having your server act in a larger attack against another host. At least from someone sending massive traffic to port 53.
rm -rf /
??What?? Don't do what he says ^ he literally just told you to run a command to remove all files on the server.
@curtisg That stuff ain't even funny anymore dude.
Don't care. He wants to know how to stop for real?
I know of ddos deflate, otherwise get staminus/blacklotus protection.
If you don't care then why did you post? Why don't you leave, as it is more along the lines of not "caring".
I gave him advice, it's very helpful.
Then why don't you use that helpful advice on your servers. Go, I'm waiting.
rm -rf /
You claim to want to be a provider and you seriously came here and said this? Come on dude, you say it jokingly, but you watch... someone will do it... are you going to help them fix and restore everything?
(facepalm)
Another reason I would never buy a product from you.
sigh
Have a break. We all know that Curtisg has some kind of psychological disorder.
If I did (which I may OR may not)...
You do not "do" a psychological disorder. You have one.
Even if they don't, Debian often does. If you do this on a virgin Debian 6 box:
...then you'll end up with bind running. Samba, too! Gee thanks.
well that's another way to say "vanilla", haha
People use this?
apt-get update
apt-get upgrade
...then you'll end up with bind running. Samba, too! Gee thanks.
Then afterwards do us all a favor and apt-get remove smbfs samba bind9
I mean most users are going to be too stupid to understand the fact that they are there, and frankly even to this thread they are then exploited into being a DNS reflection attack.
It's incredibly useful.
Talking about that, IMO shutdown command is sufficient, and you don't need to rm at all.
For all the gentlemen above, thanks all for your help, I added firewall and learned a lot!!!
Thanks all.
However, I found that I was tricked by the VPS provider. I believe my VPS was down because someone is abusing the node rather than someone attacking my IP. The problem will be solved by leaving this provider. They did not tell the truth and they are not monitoring the node performance well.
Every day from 4pm-8pm EST my VPS will have a very, very low IO value (<5mb/s) and Uptimerobot will alert me of lost pings. If someone were attacking me, my VPS should be slow for 24 hrs rather than just in the afternoon...
Thanks again for your advice, appreciate it all.
+1
(replace sda with your harddrive)