
DDoS attack, please help me...

Status
Not open for further replies.

apnakohat

New Member
Hello,
My server has been under attack for the last 2 days. I have contacted the SoftLayer team, but the problem was not solved. Here is what I am facing.

When I use the command

netstat -plan|grep :80|awk {'print $5'}|cut -d: -f 1|sort|uniq -c|sort -nk 1

there is no IP that has a large number of connections established. But when I use the command

netstat -plan | grep :80 | awk '{print $4 }' | sort -n | uniq -c | sort

here is what I get:

[root@server ~]# netstat -plan | grep :80 | awk '{print $4 }' | sort -n | uniq -c | sort
1 0.0.0.0:80
191 (first IP, which is a shared IP, I mean it has many sites on it)
988 (here is the IP under attack, with only one main site on it)

As you can see, the second one seems to be under attack. The connections even reached 2000; the count goes up and down a lot.

Now the point is, why is it not showing with the first command which IP is making that many connections?

Also, I am running DDoS Deflate and CSF. I will also let you people know that the SoftLayer team null-routed the IP for some time, but the problem was not solved.

Please guide me.

Regards.
 
No one other than your web hosting company will be able to solve that. I think that you need to put more effort into getting the company you are with to help you.
 
Install mod_evasive
to protect from DoS attacks

cd /usr/local/src
wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
tar -zxf mod_evasive_1.10.1.tar.gz
cd mod_evasive
/usr/local/apache/bin/apxs -cia mod_evasive.c
cd /usr/local/apache/conf
pico rules.conf

Put in these rules:

<IfModule mod_evasive.c>
DOSHashTableSize 3097
DOSPageCount 5
DOSSiteCount 100
DOSPageInterval 2
DOSSiteInterval 2
DOSBlockingPeriod 600
</IfModule>

Then save.

Edit the Apache config:

pico /usr/local/apache/conf/httpd.conf

Search for LoadModule with Ctrl+W.

Put this line under the modules:

Include /usr/local/apache/conf/rules.conf

Then:

service httpd restart

I hope it is useful :)
 
VERY SIMPLE METHOD:

Change the NS for your domain to microsoft.com. Wait several hours.
The DDoS bot will die. After that, change the NS to your site again.
 
I have done all this. What's next? I mean, do I have to make any changes?
 
Well, Spotgater, after installing it my server CPU usage was 94% and memory usage was 90%, but after some time it reduced to

Server Load 0.65 (4 cpus)
Memory Used 46.9 %
 
[root@server conf]# netstat -plan | grep :80 | awk '{print $4 }' | sort -n | uniq -c | sort
1 0.0.0.0:80
1004 underattack IP here


The connections are still there :(

Well, I can't understand why it's showing that many connections with the above command, and when I try

[root@server conf]# netstat -plan|grep :80|awk {'print $5'}|cut -d: -f 1|sort|uniq -c|sort -nk 1

There is no such IP with that many connections :(
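
The two commands in this thread group on different columns: `$5` is the remote address and `$4` the local one, so a flood spread over many sources produces a large local count with no single heavy remote IP. The following is an added example, not part of the original posts, that breaks the connections to one local IP down by TCP state and by source; the function names and the sample lines (documentation address ranges) are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. All addresses are documentation ranges
# and the netstat lines below are constructed sample data.

# Constructed `netstat -ant` output: proto recvq sendq local foreign state
sample_netstat() {
cat <<'EOF'
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 192.0.2.10:80 198.51.100.7:40112 SYN_RECV
tcp 0 0 192.0.2.10:80 198.51.100.8:40113 SYN_RECV
tcp 0 0 192.0.2.10:80 198.51.100.9:40114 SYN_RECV
tcp 0 0 192.0.2.10:80 203.0.113.5:51020 SYN_RECV
tcp 0 0 192.0.2.10:80 203.0.113.6:51021 ESTABLISHED
tcp 0 0 192.0.2.10:80 203.0.113.6:51022 ESTABLISHED
tcp 0 0 ::ffff:192.0.2.10:80 ::ffff:203.0.113.77:8011 TIME_WAIT
tcp 0 0 192.0.2.10:8080 203.0.113.6:51023 ESTABLISHED
tcp 0 0 192.0.2.20:80 203.0.113.6:51024 ESTABLISHED
tcp 0 0 192.0.2.20:33000 198.51.100.50:80 ESTABLISHED
EOF
}

# conn_summary LOCAL_IP
# Reads netstat lines on stdin and summarises inbound connections to
# LOCAL_IP:80 only. Unlike `grep :80`, it ignores :8080, client ports such as
# :8011, and outbound connections to someone else's port 80.
conn_summary() {
  awk -v ip="$1" '
    # Strip the trailing :port and any IPv4-mapped IPv6 prefix.
    function addr(s) { sub(/:[0-9*]+$/, "", s); sub(/^::ffff:/, "", s); return s }
    $1 ~ /^tcp/ && $4 ~ /:80$/ && addr($4) == ip {
      state[$6]++; per[addr($5)]++; total++
    }
    END {
      for (s in state) printf "state %s %d\n", s, state[s]
      for (h in per) { n++; if (per[h] > max) max = per[h] }
      printf "total %d\nsources %d\nmax_per_source %d\n", total, n, max
    }'
}

sample_netstat | conn_summary 192.0.2.10
```

On a live server the input would be `netstat -ant | conn_summary <attacked IP>`. A total dominated by SYN_RECV and spread over many sources indicates half-open connections from a distributed flood, which per-IP connection counting does not single out.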
 
Well, another way:

Installation

wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh
./install.sh

Uninstalling

wget http://www.inetbase.com/scripts/ddos/uninstall.ddos
chmod 0700 uninstall.ddos
./uninstall.ddos

Version 0.6 | Change Log

Whitelisting is possible by adding IPs in /usr/local/ddos/ignore.ip.list
It uses this file to avoid banning the IP again (it was handling this differently and was a bit slower too)

Version 0.6 | Upgrade Procedure

It remains the same as last time (uninstall and reinstall the script), and you need to make changes to the conf to suit your preferences (the default values ban an IP with 150 connections (or more) for 600 seconds and run the script every minute).
 
I already have that, still facing problems :(
 
What! SoftLayer can't help you! It's very hard for us to help since we don't have access to your server and know all the stuff SL does. What is your site?
 