DDOS attack please help!


 
Thread Tools Search this Thread
Homework and Emergencies Emergency UNIX and Linux Support DDOS attack please help!
# 1  
Old 07-02-2014
Power DDOS attack please help!

Dear community,
my site was recently attacjed by DDOS technique and goes down in a few minutes. My site runs under Debian/Apache2/Mysql.
I identified the IPs who attack me and block it through iptable firewall from debian.
Something like:
Code:
iptables -D INPUT -s xxx.xxx.xxx.xxx -j DROP

This works perfect, but the attacker just completely change the IP addresses.

What I'm thining to do is create a rules with iptables who accept a total ammount of requests from the same IP and the DROP if the ammount is exceeded. Something like:

Code:
iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 -j DROP

The problem here is maybe I miss something because if I refresh the webpage 6/7 times it just drop me the other requests. Maybe I don't understand how "--seconds 60 --hitcount 10" works.

Could you please help me to create a rules to try to block new requests if they come togheter at the same time like an attack?

Many Thanks
Lucas
# 2  
Old 07-02-2014
It might be easier to block (temporarily) based on other information like a token in the User Agent string.
# 3  
Old 07-02-2014
The problem is how many "temporarily"? If the attack continues for days and days I'll be out for such time. What about iptables drop idea?
# 4  
Old 07-02-2014
It's hard to use iptables effectively to mitigate an DDOS attack with changing IP addresses.

Most attackers easily change IP addresses; but they forget to change the User Agent string, so it's often easier to block the hackers User Agent string. Did you do any analysis on the UA strings?

Also, if you are using Apache2, there may be an anti-DDOS module, as I recall.
This User Gave Thanks to Neo For This Post:
# 5  
Old 07-02-2014
Note:

You might also try the Apache2 "mod_evasive" mod.
This User Gave Thanks to Neo For This Post:
# 6  
Old 11-25-2014
Fail2ban could be an option also, I use it on my mail server with good results
# 7  
Old 01-04-2015
Wrench

A few alternative thoughts:
  1. Is the server overloaded, so you need to stop the DDOS before it gets to the server? You could potentially throttle concurrent connections upstream at your firewall, assuming you have one upstream of your server.
  2. If you have something less public (for your use only) - you could try security by obscurity, and move the port you've exposed your apache server on (move it from TCP port 80/443 to 90/7443 or something). If it isn't a managed DDOS, the bots won't generally find you again. To use it, the url becomes site:90/path It's an emergency workaround, but probably not a good long-term fix.

Last edited by rbatte1; 01-05-2015 at 09:21 AM.. Reason: Set LIST=a tags to format the list better
Login or Register to Ask a Question

Previous Thread | Next Thread

5 More Discussions You Might Find Interesting

1. UNIX for Advanced & Expert Users

Anti ddos shell script, is it useful?

Hi guys, just need a opinion from you. I found anti ddos script from github Script What is your opinion about it? Is it usefull? Do you have some similar? I want to protect my servers on all levels, why not in the servers via script. I assume I must fix this script to be useful for me, but... (1 Reply)
Discussion started by: tomislav91
1 Replies

2. Cybersecurity

DDoS and brute force attack

How to protect DDoS and brute force attack. I want to secure my server and block attacker. (1 Reply)
Discussion started by: romanepo
1 Replies

3. Cybersecurity

DDoS Simulation Tools

are there any popular DDoS simulation tools to test my own infrastructure? Anyone tried to setup all these in AWS EC2? (1 Reply)
Discussion started by: boriskong
1 Replies

4. Cybersecurity

Network attack - so what?

In my logs I find entries about attacks on my system. I know IP addresses, I know date and time and I know what they tried to do. So what's the best I can do now? Tell everybody that there are cybercriminals on that network? Write an email to their admin? Anything else? (10 Replies)
Discussion started by: Action
10 Replies

5. Cybersecurity

what is the better way to protect my server from DDos Attack

heloo today i have DDos Attack in my server what is the better way to secure my server from DDos Attack i use CentOS 4&5 i try every firewall and talk to softlayer - iweb i've Tried every possible solutions but I can not find a solution to the problems Give Me The best way plzz (4 Replies)
Discussion started by: a7medo
4 Replies
Login or Register to Ask a Question