

ddos attack??




Posted by qrees, 07-04-2006, 07:21 AM
Someone is trying to attack our server (I think so). When running Apache status there are a LOT of connections from one network, all requesting the same page. But running: netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n doesn't show any of these IPs. So a script blocking DDoS attacks won't work. Anyone know what I can do about this?

Posted by andyreed, 07-05-2006, 01:04 AM
Do you have any system-based firewall installed on your server such as: APF and BFD? If yes, and you're 100% sure that you're under serious Dos/DDoS attack, then none of these system-based firewalls will help. You must have a hardware-based firewall.

Posted by qrees, 07-05-2006, 04:36 AM
This server is hosted with LayeredTech. Do you know if they can help with this? I'm quite sure this is some kind of attack. And we have APF installed.

Posted by Biju, 07-05-2006, 06:16 AM
I agree with you, you need a hardware based firewall.

Posted by jon-f, 07-05-2006, 06:22 AM
Use DDoS Deflate (MediaLayer Projects) along with APF. APF is good to ban SYN floods and has a packet threshold; DDoS Deflate will ban connection floods. For real DDoS attacks, which means 100s up to 1000s of different IPs hitting you at once, you would need a firewall, but for single-IP connection floods a hardware firewall couldn't stop that because it just DoSes Apache.

Posted by qrees, 07-05-2006, 09:17 AM
But the problem is that these connections are not listed when running netstat. This script will block an IP if there are more than 150 connections from one IP. And there are not more than 40 connections from one IP, which is strange.

Posted by layer0, 07-05-2006, 10:10 AM
Can you show us an example output of that netstat command? We may be able to resolve this for you. Thanks,

Posted by qrees, 07-05-2006, 11:47 AM
When this happens again (now nobody is attacking) I'll post apache status and netstat output.

Posted by blackps, 03-06-2008, 09:00 PM
wpc0688.host7x24.com.17209 > my domain.http: UDP, length 10. This is a DDoS attack; what must I do to block it?

Posted by jon-f, 03-06-2008, 09:51 PM
Make sure UDP is closed on port 80. It will still use your server bandwidth though, unless you get some type of network filtering.

Posted by Lightwave, 03-06-2008, 09:54 PM
FWIW, blackps wasn't the OP, so help for him is obviously going to be significantly different (mainly in that he seems a lot more clueless).

Posted by blackps, 03-06-2008, 09:58 PM
I can close the port, but iptables can't close the port for a DDoS flood, and they can use another port. Can somebody help please?

Posted by ASVJSC, 03-06-2008, 10:08 PM
Why don't you check your access log at the attacked time?? You can find out the IP and referer that attacked. I'm not good at English..

Posted by greg14unix, 03-08-2008, 01:59 PM
The script...

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

simply uses netstat to get a count of all TCP and UDP connections (on Linux) from a particular IP address. The output would be as follows...

6 192.168.1.230
20 192.168.1.210
50 192.168.1.221
n x ....

(where n = count, and x = connecting IP)

The problem is that this only counts hosts, not networks. You could use another cut statement to get a count of connections from a class-based network (a network based on the dots in the IP instead of the actual network subnet mask). If you wanted something that would count an entire class C network (192.168.1.x) you could use the script below. (The grep -v is to get the netstat headers out of the data output.)

netstat -ntu | grep -iv address | grep -iv server | awk '{print $5}' | cut -d: -f1 | cut -d. -f1,2,3 | sort | uniq -c | sort -n

The output for the above script will be like such....

4 192.168.1
20 10.1.12
600 172.16.8
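
The per-host and per-/24 pipelines above, as an added worked example that is not greg14unix's script or anything from the thread: the functions read netstat-style text on stdin, so the constructed sample below (documentation-range addresses, not real hosts) stands in for a live `netstat -ntu`, and a threshold check reports any /24 whose combined connection count exceeds a limit even though no single host does, which is the OP's situation. The function names, the SAMPLE text and the threshold value are assumptions of this example.

```shell
#!/bin/sh
# Added example: aggregate connections by host and by /24 from netstat-style output,
# so a flood spread across one network is visible even when no single IP is noisy.

# Constructed sample of `netstat -ntu` output (addresses from documentation ranges).
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:80         198.51.100.7:51234      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.8:51235      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.9:51236      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.9:51237      ESTABLISHED
tcp        0      0 203.0.113.10:443        192.0.2.44:40001        ESTABLISHED
udp        0      0 203.0.113.10:53         192.0.2.45:40002'

# Keep only data rows (tcp/tcp6/udp/udp6) and print the foreign address column.
foreign_addresses() {
    awk '$1 ~ /^(tcp|udp)/ { print $5 }' | cut -d: -f1
}

# Count connections per host.  Output: "<count> <ip>", lowest count first.
count_by_host() {
    foreign_addresses | sort | uniq -c | sort -n | awk '{ print $1, $2 }'
}

# Count connections per /24 (first three octets), which is what the OP needed.
count_by_c_network() {
    foreign_addresses | cut -d. -f1,2,3 | sort | uniq -c | sort -n | awk '{ print $1, $2 }'
}

# Generalisation: count per prefix of N octets (1..4); N=4 is the per-host view.
count_by_prefix() {
    case "$1" in
        1) fields=1 ;;
        2) fields=1,2 ;;
        3) fields=1,2,3 ;;
        *) fields=1,2,3,4 ;;
    esac
    foreign_addresses | cut -d. -f"$fields" | sort | uniq -c | sort -n | awk '{ print $1, $2 }'
}

# Print the connection count for one /24 of the sample, e.g. network_count 198.51.100
network_count() {
    printf '%s\n' "$SAMPLE" | count_by_c_network | awk -v net="$1" '$2 == net { print $1 }'
}

# Report every /24 in the sample with more than $1 connections as "ALERT <count> <net>".
flag_networks() {
    printf '%s\n' "$SAMPLE" | count_by_c_network |
        awk -v t="$1" '$1 > t { print "ALERT", $1, $2 }'
}

if [ "${1:-}" = "--demo" ]; then
    printf 'Per host:\n';  printf '%s\n' "$SAMPLE" | count_by_host
    printf 'Per /24:\n';   printf '%s\n' "$SAMPLE" | count_by_c_network
    printf 'Over 3:\n';    flag_networks 3
fi
```

Run it as `sh aggregate.sh --demo` to see the three views; on a live box replace the `printf '%s\n' "$SAMPLE"` with `netstat -ntu`. The header filter matches the protocol column instead of grepping out header words, so it also survives `tcp6`/`udp6` rows and localized headers.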

Posted by TheITAdvisory, 03-08-2008, 06:07 PM
Hello OP, I'd like to ask you a few questions, and perhaps provide some tips for you. Issue this command:

cat /proc/sys/net/ipv4/tcp_syncookies

What is the value of this? If it is 0, then please issue this:

echo "1" > /proc/sys/net/ipv4/tcp_syncookies

Now issue:

cat /proc/sys/net/ipv4/tcp_syncookies

Make sure the value is now 1. Then I'd like for you to issue this command:

cat /proc/sys/net/ipv4/conf/eth0/rp_filter

What is the value of this result? If it is 0 then issue this command:

echo "1" > /proc/sys/net/ipv4/conf/eth0/rp_filter

Then again:

cat /proc/sys/net/ipv4/conf/eth0/rp_filter

Make sure the value is now 1. If this is one single IP, you can ban them in APF by doing:

apf -d xxx.xxx.xxx.xxx Attacker Description Here

xxx.xxx.xxx.xxx of course represents the IP of the suspected attacker, and the description is optional. I hope this has helped you in some way. Best Regards,
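
The check-then-set procedure in the post above, as an added example rather than anything TheITAdvisory or the thread supplied: the script reads each flag, writes 1 only where it is 0, and reports what it did. PROC_ROOT is an assumption of this example so the same logic can be exercised against a constructed directory tree instead of the live /proc (the `make_fake_proc` helper builds that tree); the function names and the "eth0" default are also this example's own.

```shell
#!/bin/sh
# Added example: verify and enable tcp_syncookies and rp_filter the way the post
# describes.  PROC_ROOT defaults to the real sysctl tree; tests point it elsewhere.
PROC_ROOT="${PROC_ROOT:-/proc/sys}"

# Print the current value of a flag, e.g. flag_value net/ipv4/tcp_syncookies
flag_value() {
    cat "$PROC_ROOT/$1"
}

# Enable one flag.  Prints "already 1", "set 1" or "missing"; non-zero status on failure.
ensure_flag() {
    f="$PROC_ROOT/$1"
    if [ ! -f "$f" ]; then
        printf 'missing\n'      # e.g. wrong interface name under net/ipv4/conf/
        return 1
    fi
    if [ "$(cat "$f")" = "1" ]; then
        printf 'already 1\n'
        return 0
    fi
    # The redirection is what writes the value; a bare `echo "1" path` only prints.
    echo 1 > "$f" && printf 'set 1\n'
}

# Apply both settings for the given interface (default eth0); 0 only if both are 1.
harden_syn_and_rpfilter() {
    iface="${1:-eth0}"
    ok=0
    ensure_flag net/ipv4/tcp_syncookies || ok=1
    ensure_flag "net/ipv4/conf/$iface/rp_filter" || ok=1
    return $ok
}

# Constructed fake sysctl tree (both flags at 0) for offline use; prints its path.
make_fake_proc() {
    d=$(mktemp -d)
    mkdir -p "$d/net/ipv4/conf/eth0"
    echo 0 > "$d/net/ipv4/tcp_syncookies"
    echo 0 > "$d/net/ipv4/conf/eth0/rp_filter"
    printf '%s\n' "$d"
}

if [ "${1:-}" = "--apply" ]; then
    harden_syn_and_rpfilter "${2:-eth0}"
fi
```

Run `sh harden.sh --apply eth0` as root on the live system, or `PROC_ROOT=$(sh -c '. ./harden.sh; make_fake_proc')` style usage to rehearse it. Values written to /proc this way are lost at reboot; the persistent form is `net.ipv4.tcp_syncookies = 1` and `net.ipv4.conf.all.rp_filter = 1` in /etc/sysctl.conf, loaded with `sysctl -p`. Note also that rp_filter lives under a per-interface path, so the interface name in the post (eth0) must match the one actually carrying the traffic.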

Posted by blackps, 03-09-2008, 12:37 AM
I did try APF; it blocked nothing. APF can't block a DDoS attack :( There is really no way to block a DDoS attack on my server.. I really need some help...

Posted by natsh, 03-09-2008, 12:43 AM
You may want to hire someone to see what's going on...
