[Help] Detect IP and block DDOS
thuvienvps
Member
in Help
Hi,
My site is under a DDoS attack; as far as I know it's a small DDoS attack with around 50-100 IPs (botnet).
I try to block IPs with csf, but it's hard to block them one by one manually.
Is there any script that automatically finds the IPs with many connections and then adds them to the csf.deny list?
Many thanks for your help!
This discussion has been closed.
Comments
What type of traffic are you getting?
I'm new to Linux so I don't know how to find out the type of DDoS attack; please let me know how to find out.
P/S: I'm running Nginx, PHP-FPM and MySQL.
To find out the IPs (number of connections followed by the IP):
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n | tail -n 100
To block the IP using iptables (replace 0.0.0.0 with the actual IP):
iptables -A INPUT -s 0.0.0.0 -j DROP
Or add the IP to csf.deny:
echo 0.0.0.0 >> /path/to/csf.deny
or
csf -d 0.0.0.0
(credits to @ATHK) You should be able to block the IPs automatically using a for/do loop + cron jobs.
It sounds like you can still access your server through SSH, do you get any packet loss? Is your site just down?
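To turn the netstat pipeline above into the automatic list the original poster asked for, here is an added shell example (not from the thread and not @ATHK's code): it counts connections per remote IP, skips a whitelist so known-good addresses are never queued, and prints the csf deny commands for review instead of running them. The netstat output, the threshold and the whitelist values are constructed.

```shell
#!/bin/sh
# Added example: count connections per remote IP from `netstat -ntu` output and
# list the ones above a threshold, skipping a whitelist. IPv4 only, like the
# thread's pipeline (cut -d: breaks on IPv6 addresses).

# Constructed sample of `netstat -ntu` output; on a real box pipe the command in.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:80         198.51.100.7:51234      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51235      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51236      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51237      ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.44:40001        SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.44:40002        SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.44:40003        SYN_RECV
tcp        0      0 203.0.113.10:22         192.0.2.9:55000         ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.9:55001         ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.9:55002         ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.9:55003         ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.100:6000        TIME_WAIT'

# Whitelist (constructed): your own office/monitoring IPs, never blocked.
WHITELIST='192.0.2.9'

# count_by_ip: reads netstat output on stdin, prints "count ip", highest first.
# Same idea as the thread's pipeline, but only lines whose 5th field looks like
# addr:port are counted, so the header lines are ignored.
count_by_ip() {
    awk '$5 ~ /:[0-9]+$/ { print $5 }' | cut -d: -f1 | sort | uniq -c \
        | sort -rn | awk '{ print $1, $2 }'
}

# offenders THRESHOLD: prints one IP per line with >= THRESHOLD connections
# that is not whitelisted. Reads netstat output on stdin.
offenders() {
    threshold="$1"
    count_by_ip | while read -r count ip; do
        [ "$count" -ge "$threshold" ] || continue
        case " $WHITELIST " in
            *" $ip "*) continue ;;
        esac
        echo "$ip"
    done
}

# deny_commands THRESHOLD: prints the csf deny command for each offender rather
# than executing it, so the list can be reviewed (or WHOIS'd, as suggested later
# in the thread) first. To apply:  sh script.sh | sh
deny_commands() {
    offenders "$1" | while read -r ip; do
        echo "csf -d $ip \"auto-deny: too many connections\""
    done
}

# Dry run on the constructed sample.
printf '%s\n' "$SAMPLE_NETSTAT" | deny_commands 3
```

Run from cron as `netstat -ntu | sh script.sh` with the `printf` line replaced by `deny_commands 50 | sh`; the threshold should sit well above what a normal visitor's browser opens.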
Here is an image of when I run the netstat command to see the connections.
csf -D IP comment
Easier..
Yes, I'm able to access it via SSH. My webserver gives 502 Bad Gateway (nginx).
The first command shows:
First WHOIS them (so you don't block legitimate IPs), then block accordingly.
There are so many IPs, it's impossible to whois each IP.
Then just block them all if you don't want to check lol.
Your reply is useless to this case. Thanks!
Wow, how rude. Fuck off mate, he's given you quite a bit of help, and you reply with this?
Wow.
I'm tired of the DDoS and he told me to block all IPs; how does this help, or is it just a spam comment?
If you don't want my help, sure, and let the DDoS keep going; otherwise, block all IPs here http://i.imgur.com/wsHxFFb.png
Have you paid him anything? Have you paid us anything? Go hire a sysadmin and appreciate other people's time and effort.
Check your logs and see how they're accessing your server, then install fail2ban with a custom jail and filter which looks at the log where the access logs are being output to.
Then in (I think) the action, set it to add the IP to csf.deny using either the echo command above or csf -D IP.
You can follow something like this Apache Post flood rule - http://klcollins.org/2013/09/fail2ban-love/
With custom regex in the filter you can pretty much target anything in the log files.
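Here is an added example of that setup for nginx, written for this thread rather than taken from it or from the linked blog post: a POST-flood filter, a csf-based action as suggested above, the jail that ties them together, and the same match logic in plain awk so you can see what the filter would catch before enabling the jail. The log lines, jail name, thresholds and directory are constructed or assumed.

```shell
#!/bin/sh
# Added example: fail2ban POST-flood jail for nginx that bans through csf, plus a
# shell dry run of the filter over constructed access-log lines.

# Constructed nginx access-log lines (combined format). 198.51.100.7 hammers the
# login form with POSTs; 192.0.2.9 is a normal visitor with one POST.
SAMPLE_LOG='198.51.100.7 - - [10/Sep/2013:12:00:01 +0000] "POST /login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Sep/2013:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Sep/2013:12:00:01 +0000] "POST /login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Sep/2013:12:00:02 +0000] "POST /login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Sep/2013:12:00:02 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Sep/2013:12:00:02 +0000] "POST /login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Sep/2013:12:00:03 +0000] "GET /forum.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"'

# The fail2ban filter regex; <HOST> is fail2ban's placeholder for the client IP.
FAILREGEX='^<HOST> -.*"POST [^"]*HTTP/1\.[01]"'

# postflood_offenders MAXRETRY: reads access-log lines on stdin and prints the IPs
# with >= MAXRETRY POST requests, i.e. what the jail would ban if all lines fell
# inside one findtime window. Field 6 of the combined format is the quoted method.
postflood_offenders() {
    awk -v max="$1" '
        $6 == "\"POST" { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= max) print ip }
    ' | sort
}

# write_fail2ban_config DIR: writes filter, action and jail into DIR
# (/etc/fail2ban on a real box, a scratch directory here), then reload with
# `fail2ban-client reload`.
write_fail2ban_config() {
    dir="$1"
    mkdir -p "$dir/filter.d" "$dir/action.d" "$dir/jail.d"

    cat > "$dir/filter.d/nginx-postflood.conf" <<EOF
[Definition]
failregex = $FAILREGEX
ignoreregex =
EOF

    # Hand the IP to csf (csf -d adds to csf.deny, csf -dr removes it again).
    cat > "$dir/action.d/csf-deny.conf" <<'EOF'
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = csf -d <ip> "fail2ban <name>"
actionunban = csf -dr <ip>
EOF

    # 30 POSTs from one IP within 60 s earns a one-hour ban (assumed thresholds).
    cat > "$dir/jail.d/nginx-postflood.conf" <<'EOF'
[nginx-postflood]
enabled  = true
filter   = nginx-postflood
action   = csf-deny
logpath  = /var/log/nginx/access.log
findtime = 60
maxretry = 30
bantime  = 3600
EOF
}

# Dry run on the sample with a low maxretry, then write the config to a scratch dir.
printf '%s\n' "$SAMPLE_LOG" | postflood_offenders 3
write_fail2ban_config "${FAIL2BAN_DIR:-/tmp/fail2ban-example}"
```

Before enabling the jail, test the filter against the real log with `fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-postflood.conf` and compare its hit list with the dry run; if the site sits behind a proxy or CDN, the first field will be the proxy's address and the filter needs to read the forwarded client IP instead.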
It looks promising, great, thanks for your help!!
Well, it actually works and does a damn good job; we had that post flood on one of our servers at work, that was when it was a small attack.. it grew and it grew huge, I'm talking 30-40+ IPs a second.. we ended up moving the problem site onto something with DDoS protection.
Install conntrack tools:
And run with
Paste the output of "tail -n 1000 /var/log/nginx/access*" here so we can see if it's a WordPress pingback attack; they are very common around here...
Post it to pastebin/pastie & post the link here, please.
It seems you installed CSF and haven't configured it yet. Changing CONNLIMIT, PORTFLOOD and some other settings in csf.conf may help.
Here is access log: http://pastebin.com/yrmVQiSA
P/S: I'm running a vBulletin site, not WordPress.
http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html
You pissed someone off in Vietnam.
@Mun ... you rock
Just to make sure I got it right... this does need to be added to the vhost, doesn't it?
So that can be under either http {} server{} or location {}
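As an added illustration of where the limit_conn directives go (this is example config written for this thread, not taken from the nginx docs page linked above or from the poster's setup): the zone is declared once in http {}, and the limit itself is applied in the vhost's server {} or in a location {}. The zone names, sizes, limits and the PHP-FPM address are assumed values.

```nginx
# Added example config; numbers are assumed starting points, not tuned values.
http {
    # Declared at http level: one 10 MB zone keyed by client IP (roughly 160k
    # addresses), plus a request-rate zone for the PHP handler.
    limit_conn_zone $binary_remote_addr zone=perip:10m;
    limit_req_zone  $binary_remote_addr zone=perip_req:10m rate=10r/s;

    server {
        listen 80;
        server_name example.com;   # assumed vhost

        # Applied in the vhost: at most 20 simultaneous connections per client IP.
        # A browser opens a handful; a bot holding dozens open gets 503.
        limit_conn perip 20;
        limit_conn_log_level warn;

        location ~ \.php$ {
            # PHP requests are what tie up php-fpm (the 502s in this thread),
            # so rate-limit them: 10 r/s per IP with a burst of 20.
            limit_req zone=perip_req burst=20 nodelay;
            fastcgi_pass 127.0.0.1:9000;   # assumed php-fpm address
            include fastcgi_params;
        }
    }
}
```

After editing, run `nginx -t` and reload. If the site sits behind a proxy or CDN, $binary_remote_addr is the proxy's address and every visitor shares one counter, so the real client IP has to be restored (the realip module) before these limits are meaningful.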
You could use something like https://github.com/Prajithp/nginx-anti-ddos ?
@Monster looks nice...
@Mun ... Is there a chance that the dotdeb would add this to the extras