3

I have a site that was being hit with a DDOS at the same time every day for the past month, and after spending a month researching and pinpointing the bug, we enacted a bash script which, if a connection reaches 80+ max connections in one minute, bans the IP and puts it into IPTABLES.

This worked great for two days and I felt like I finally solved the problem.

But alas, now the person is sending multiple IPs with just one connection on each (review the output here http://pastebin.com/7AJqBfJa). This is bringing the site down just as it was when one IP was sending 150 connections per minute.

This of course is an entirely different ballgame when it comes to preventing a DDOS, and I am seeking help from the gurus and anyone nice enough to care, to give some advice. At this point I'm at a loss on how to fix this, and any help would be greatly appreciated.

Tom O'Connor
Zach Smith

3 Answers

5

As Niall mentioned, mod_evasive works really well in this situation and I recently used it to stop a very similar problem I was having on one of my sites. It helps in the situation where you aren't receiving a ton of connections on a single IP but you do see unnatural patterns occurring on the server.

In my case, which I also blogged about here, I installed mod_evasive and configured it with the following settings:

<IfModule mod_evasive20.c>
# size of the hash table that tracks per-client hit counts
DOSHashTableSize 3097
# same page from one IP more than this many times per DOSPageInterval seconds -> deny
DOSPageCount 3
DOSPageInterval 3
# any pages from one IP more than this many times per DOSSiteInterval seconds -> deny
DOSSiteCount 100
DOSSiteInterval 5
# seconds a denied IP stays denied (refreshed while it keeps hitting)
DOSBlockingPeriod 300
# directory for the per-IP lock files that prevent repeated notifications
DOSLogDir "/var/log/httpd/modevasive/"
DOSEmailNotify your@emailaddress.com
</IfModule>

Basically, if a single IP requests the same resource (file) 3 times within 5 seconds, or makes 100 hits on any file within 5 seconds, Apache will then deny further requests to that file.

If you want to enhance this script, you can have system commands triggered when your parameters are hit. In my case, I added this command to the configuration above:

DOSSystemCommand "/usr/bin/sudo /usr/sbin/csf -td %s 3600"

This makes my firewall CSF block the IP for an hour. You could just as easily write an iptables script to do the same thing, but CSF makes it easy for me.

Anyway hope that helps you nail your DDOS attackers!

Dave Drager
  • Thanks. I have set this up and will see how this works :) – Zach Smith Jan 25 '11 at 15:46
  • So I set up the config as such (http://pastebin.com/cQhKnnk5), and the site was hammered today and down for a total of 54 minutes! I set this up with conservative measures. Now that we have it set up, what levels do I need to change to make this work better? – Zach Smith Jan 26 '11 at 03:53
  • What do you use as the firewall on the system? Plain-jane IPtables? – Dave Drager Jan 26 '11 at 17:06
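An added example, not from this answer or from mod_evasive itself: a Python replay of the thresholds above against constructed access-log lines, showing which clients those settings would deny and that the asker's pattern (many IPs, one hit each) passes straight through. The counting is a simplified model of the module (a per-key counter that resets when the gap between consecutive hits reaches the interval), not the module's code.

```python
"""Replay access-log lines through a simplified model of the mod_evasive
thresholds above, to see which client IPs those settings would deny."""
import re
from datetime import datetime

# Same values as the answer's <IfModule mod_evasive20.c> block.
CONFIG = {"DOSPageCount": 3, "DOSSiteCount": 100, "DOSPageInterval": 3,
          "DOSSiteInterval": 5, "DOSBlockingPeriod": 300}

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*"')

def parse(line):
    """Return (ip, epoch_seconds, uri_without_query) from a combined-format line."""
    ip, ts, uri = LOG_RE.match(line).groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return ip, when, uri.split("?", 1)[0]

def replay(lines, cfg=CONFIG):
    """Return {ip: epoch_seconds_of_first_denial}; each IP's lines must be in time order.

    The hit that pushes a counter past its threshold is denied, and the IP stays
    denied for the blocking period (refreshed by every hit made while denied)."""
    hits, blocked, first_denial = {}, {}, {}

    def exceeded(key, t, threshold, interval):
        last, n = hits.get(key, (None, 0))
        n = n + 1 if last is not None and t - last < interval else 1
        hits[key] = (t, n)
        return n > threshold

    for line in lines:
        ip, t, uri = parse(line)
        if ip in blocked and t < blocked[ip]:
            blocked[ip] = t + cfg["DOSBlockingPeriod"]  # still denied; timer refreshed
            continue
        page = exceeded(ip + " " + uri, t, cfg["DOSPageCount"], cfg["DOSPageInterval"])
        site = exceeded(ip, t, cfg["DOSSiteCount"], cfg["DOSSiteInterval"])
        if page or site:
            blocked[ip] = t + cfg["DOSBlockingPeriod"]
            first_denial.setdefault(ip, t)
    return first_denial

def sample_line(ip, second, uri):
    """Constructed sample log line (not real traffic) at 26/Jan/2011 03:00:SS UTC."""
    return f'{ip} - - [26/Jan/2011:03:00:{second:02d} +0000] "GET {uri} HTTP/1.1" 200 512'

SAMPLE = (
    [sample_line("10.0.0.5", s, "/index.php") for s in (1, 1, 2, 2)]       # 4 hits in 2 s: denied
    + [sample_line("192.0.2.7", 1, u) for u in ("/index.php", "/style.css", "/logo.png")]
    + [sample_line("198.51.100.9", s, "/index.php") for s in (1, 5, 9, 13)]  # 4 s gaps: counter resets
    + [sample_line(f"203.0.113.{n}", 3, "/index.php") for n in range(1, 21)]  # 20 IPs, one hit each
)

if __name__ == "__main__":
    print(replay(SAMPLE))  # only 10.0.0.5 is denied; the 20 single-hit IPs pass through
```

Feeding a real access log for the 54-minute outage through `replay` with different CONFIG values shows how many of the offending clients a given setting would have caught, and how many legitimate clients it would have hit.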
2

You can use iptables to limit the number of connections per IP to the service in order to mitigate the DDoS until your iptables script catches them.

iptables -A INPUT -p tcp --dport DESTINATIONPORT -m state --state NEW -m limit --limit 3/s --limit-burst 10 -j ACCEPT
iptables -A INPUT -p tcp --dport DESTINATIONPORT -m state --state NEW -j DROP   # drop the new connections the limit above did not accept

This will limit new connections to 3 per second with a maximum burst of 10 connections.

Be sure to fine-tune this to your needs; 3 connections per second is quite low depending on the traffic your server is running.

lynxman
0

Presuming that you're running Apache, mod_evasive might be useful.

Niall Donegan