DDOS attack please help!


Login or Register to Reply

 
Thread Tools Search this Thread
# 1  
Old 07-02-2014
Power DDOS attack please help!

Dear community,
my site was recently attacjed by DDOS technique and goes down in a few minutes. My site runs under Debian/Apache2/Mysql.
I identified the IPs who attack me and block it through iptable firewall from debian.
Something like:
Code:
iptables -D INPUT -s xxx.xxx.xxx.xxx -j DROP

This works perfect, but the attacker just completely change the IP addresses.

What I'm thining to do is create a rules with iptables who accept a total ammount of requests from the same IP and the DROP if the ammount is exceeded. Something like:

Code:
iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 -j DROP

The problem here is maybe I miss something because if I refresh the webpage 6/7 times it just drop me the other requests. Maybe I don't understand how "--seconds 60 --hitcount 10" works.

Could you please help me to create a rules to try to block new requests if they come togheter at the same time like an attack?

Many Thanks
Lucas
# 2  
Old 07-02-2014
It might be easier to block (temporarily) based on other information like a token in the User Agent string.
# 3  
Old 07-02-2014
The problem is how many "temporarily"? If the attack continues for days and days I'll be out for such time. What about iptables drop idea?
# 4  
Old 07-02-2014
It's hard to use iptables effectively to mitigate an DDOS attack with changing IP addresses.

Most attackers easily change IP addresses; but they forget to change the User Agent string, so it's often easier to block the hackers User Agent string. Did you do any analysis on the UA strings?

Also, if you are using Apache2, there may be an anti-DDOS module, as I recall.
This User Gave Thanks to Neo For This Post:
Corona688 (11-25-2014)
# 5  
Old 07-02-2014
Note:

You might also try the Apache2 "mod_evasive" mod.
This User Gave Thanks to Neo For This Post:
babinlonston (02-04-2015)
# 6  
Old 11-25-2014
Fail2ban could be an option also, I use it on my mail server with good results
# 7  
Old 01-04-2015
Wrench

A few alternative thoughts:
  1. Is the server overloaded, so you need to stop the DDOS before it gets to the server? You could potentially throttle concurrent connections upstream at your firewall, assuming you have one upstream of your server.
  2. If you have something less public (for your use only) - you could try security by obscurity, and move the port you've exposed your apache server on (move it from TCP port 80/443 to 90/7443 or something). If it isn't a managed DDOS, the bots won't generally find you again. To use it, the url becomes site:90/path It's an emergency workaround, but probably not a good long-term fix.

Last edited by rbatte1; 01-05-2015 at 08:21 AM.. Reason: Set LIST=a tags to format the list better
Login or Register to Reply

|
Thread Tools Search this Thread
Search this Thread:
Advanced Search

More UNIX and Linux Forum Topics You Might Find Helpful
Anti ddos shell script, is it useful? tomislav91 UNIX for Advanced & Expert Users 1 11-22-2018 12:55 AM
DDoS and brute force attack romanepo Cybersecurity 1 01-29-2014 10:26 AM
DDoS Simulation Tools boriskong Cybersecurity 1 06-12-2013 04:37 AM
UUCP attack? ctafret Cybersecurity 4 10-29-2010 03:33 PM
Network attack - so what? Action Cybersecurity 10 05-14-2010 09:17 PM
Found attack from jld Cybersecurity 1 01-29-2010 03:26 PM
What I think is a DoS attack ccj4467 Cybersecurity 1 01-28-2010 11:27 AM
what is the better way to protect my server from DDos Attack a7medo Cybersecurity 4 08-28-2008 03:50 AM
Replay Attack Ashvin Gaur Cybersecurity 3 05-27-2008 07:22 AM
Bruteforce attack on my pc rdns UNIX for Dummies Questions & Answers 6 10-16-2007 02:37 PM