

Under a ddos attack? How to proceed?




Posted by Fernando Marcelo, 11-06-2009, 06:35 AM
Hi, I have a dedicated server running Debian and I am having some problems with Apache using a lot of CPU, causing the load to go to about 100.00. My load is usually 0.50, so this is not a badly coded script that is causing the problem. I ran netstat and got the following results (my server IP has been replaced): The problem is probably those CLOSE_WAIT connections. I already have APF installed on my server (although it doesn't work well with Debian) and only port 80 is open. Any ideas of how I can stop those attacks? Besides manually blocking the IP, which is not the best way to handle this problem. Thanks a lot to anyone who tries to help!

Posted by bjdea1, 11-06-2009, 06:55 AM
I recommend you find out which website is causing it (if possible) and then just dump the IP and switch your entire server over to another IP. It sounds like a lot of work and hassle, but if you really are suffering a severe DDoS attack on a single IP and you want it over quickly, then this is the fastest solution. All you do is ask your datacenter to null route the IP (kill it), then get on your server and, using WHM (assuming you have WHM/cPanel), move all accounts on the server that are on the bad IP over to another IP. If it's your main IP you will need to update your network "ifconfig" settings to put your server on the new main IP and for cPanel licensing to work on the new IP. I had a major DDoS attack a number of years ago and rather than try to fight it or mitigate it we just "bit the bullet" and changed the server's primary (main) IP as I described above. It turned out to be a very effective and fast way of getting around the attack; it never came back again and was all over in about 4 hours. But this may not be ideal for you; this is just an experience I had. Also I am not confirming your server is experiencing a DDoS attack, I'm just saying "IF" you are under a serious and sustained DDoS attack like I was a few years ago, then this was a good solution for us.

Posted by Fernando Marcelo, 11-06-2009, 07:25 AM
bjdea1, thanks for your reply. But I would like to fix this problem instead of changing to another IP (if someone is attacking my website, he would probably find out the new IP because of DNS).

Posted by LENOVOhost, 11-06-2009, 07:50 AM
Hi Fernando Marcelo, I would help you if you are still facing the attack, or you can install DDoS Deflate and try to find which site is under attack & install the firewall; these are basic steps. Moreover, your DC can help you: ask them to get what the size of the attack is and ask them to null it from their part. If you have a hardware firewall you can easily block the attack.

Posted by Fernando Marcelo, 11-06-2009, 07:52 AM
Hello, I also have DDoS Deflate installed, but it doesn't seem to work in this situation. And sometimes it also blocks IPs from my clients.

Posted by LENOVOhost, 11-06-2009, 08:02 AM
Hi, does your server have a hardware or software firewall? What is your DC? Make the following alteration

Posted by Fernando Marcelo, 11-06-2009, 08:21 AM
Hi, I am using Hivelocity. I don't have a hardware firewall, just a software one. I will try to apply your changes, thanks.

Posted by GregLand, 11-29-2009, 09:39 PM
I would hire a management company that could help you and would monitor 24/7 for you.

Posted by Steven, 11-29-2009, 09:45 PM
The best thing you could do is go with a server provider that offers DDoS protection at the network level: Staminus, AwkNet, etc. You could also set up nginx to proxy over to Apache. Nginx is more resilient to DDoS than Apache.

Posted by PeakVPN-KH, 11-30-2009, 03:45 AM
I would definitely recommend doing some tweaking on Apache and possibly buying DDoS protection or getting a dedicated server in a datacenter which offers it. The issue is that there are several datacenters that provide DDoS protection at the network layer; although, most won't help you with this being a SYN flood. You'd normally need an add-on service. Some appliances will pick up SYN floods fairly well, but it also highly depends on how it's configured. Good luck.

Posted by JohnCS, 11-30-2009, 08:50 AM
I think it's a SYN attack; try all these iptables rules:

    iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
    iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
    iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
    iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP

then,

    /etc/init.d/iptables save
    /etc/init.d/iptables restart

That should do it.

Last edited by JohnCS; 11-30-2009 at 08:57 AM.

Posted by ksv2nash, 11-30-2009, 09:17 AM
Hello, a quick and useful command for checking if a server is under DDoS:

    netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
    netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk 1

This will tell you how many httpd connections there are to the server. This command may also be useful:

    lsof -i :80

If this did not help, then please try running the following:

    /usr/local/fatmon/undos

Keep running this for 5 to 10 min.
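The per-IP counting idea from the netstat pipeline above, as an added example that is not from any poster in this thread: a small POSIX shell script that counts port-80 connections per remote IP and per TCP state (the CLOSE_WAIT pile-up the original post describes), run against a constructed netstat sample. It strips only the trailing port, so IPv6 peers are counted correctly where `cut -d: -f1` would split them at the first colon. The function names conns_per_ip, conns_per_state and over_threshold and the sample addresses (documentation ranges) are mine.

```shell
#!/bin/sh
# Constructed sample of `netstat -ntap` output; not captured from a real host.
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/apache2
tcp        0      0 203.0.113.10:80         198.51.100.7:51234      CLOSE_WAIT  1234/apache2
tcp        0      0 203.0.113.10:80         198.51.100.7:51235      CLOSE_WAIT  1234/apache2
tcp        0      0 203.0.113.10:80         198.51.100.7:51236      SYN_RECV    -
tcp        0      0 203.0.113.10:80         192.0.2.44:40001        ESTABLISHED 1234/apache2
tcp        0      0 203.0.113.10:22         192.0.2.44:40002        ESTABLISHED 999/sshd
tcp6       0      0 2001:db8::10:80         2001:db8:1::5:33000     ESTABLISHED 1234/apache2'

# Connections per remote IP on local port $1 (default 80), busiest first.
# Reads netstat output on stdin; skips the LISTEN socket itself.
conns_per_ip() {
    awk -v port="${1:-80}" '
        BEGIN { pat = ":" port "$" }
        $1 ~ /^tcp/ && $4 ~ pat && $6 != "LISTEN" {
            ip = $5
            sub(/:[0-9]+$/, "", ip)   # drop only the trailing port; IPv6 stays intact
            n[ip]++
        }
        END { for (i in n) print n[i], i }' | sort -rn
}

# Connections per TCP state on local port $1 (default 80): a surge of
# SYN_RECV or CLOSE_WAIT relative to ESTABLISHED is the signal to look at.
conns_per_state() {
    awk -v port="${1:-80}" '
        BEGIN { pat = ":" port "$" }
        $1 ~ /^tcp/ && $4 ~ pat && $6 != "LISTEN" { s[$6]++ }
        END { for (k in s) print s[k], k }' | sort -rn
}

# Remote IPs holding more than $2 (default 20) connections on port $1.
# These are candidates to review (could be a proxy or NAT), not an auto-blocklist.
over_threshold() {
    conns_per_ip "$1" | awk -v max="${2:-20}" '$1 > max { print $2 }'
}

# Stand-alone run against the constructed sample (on a live host: netstat -ntap | conns_per_ip 80).
printf '%s\n' "$SAMPLE" | conns_per_ip 80
printf '%s\n' "$SAMPLE" | conns_per_state 80
printf '%s\n' "$SAMPLE" | over_threshold 80 2
```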

Posted by @Matt, 11-30-2009, 10:13 AM
I've been doing some research and you may want to contact this company if you're still having issues: http://www.blacklotus.net/

Posted by toro, 12-03-2009, 12:01 PM
Local server modifications can really do a great deal to help your server become more resilient against DDoS attacks. However, after a particular point, it's simply too difficult to fight DDoS attacks without programming extensive software to analyze and block the traffic. Even when you do block the traffic, please realize that you are blocking locally at your server, so you're still liable for the traffic usage, which could easily topple your port capacity. Your particular attack does not seem to be too problematic, since you can monitor it at your server. It is simply taking down your HTTP services. You should be fine with entry-level DDoS protection from any host. Good luck in the search!
