
My server is under DDoS attacks. I see my access log and get something:

    93-97-53-41.zone5.bethere.co.uk - - [27/Jul/2011:12:13:58 +0700] "GET /forum/forum.php HTTP/1.1" 200 91231 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    61.120.148.12 - - [27/Jul/2011:12:13:39 +0700] "GET /forum/forum.php HTTP/1.0" 200 91539 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    222.122.206.203 - - [27/Jul/2011:12:13:38 +0700] "GET /forum/forum.php HTTP/1.1" 200 91228 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    cable-27-4.botevgrad.com - - [27/Jul/2011:12:13:39 +0700] "GET /forum/forum.php HTTP/1.1" 200 91228 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    213.197.182.78 - - [27/Jul/2011:12:13:39 +0700] "GET /forum/forum.php HTTP/1.0" 200 91539 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    200.27.142.30 - - [27/Jul/2011:12:13:39 +0700] "GET /forum/forum.php HTTP/1.0" 200 91539 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    189.77.140.57 - - [27/Jul/2011:12:13:35 +0700] "GET /forum/forum.php HTTP/1.0" 200 91539 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    221.226.9.22 - - [27/Jul/2011:12:13:58 +0700] "GET /forum/forum.php HTTP/1.1" 200 91542 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    ::1 - - [27/Jul/2011:12:14:03 +0700] "OPTIONS * HTTP/1.0" 200 - "-" "Apache (internal dummy connection)"
    221.226.9.22 - - [27/Jul/2011:12:13:58 +0700] "GET /forum/forum.php HTTP/1.1" 200 91231 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    ::1 - - [27/Jul/2011:12:14:03 +0700] "OPTIONS * HTTP/1.0" 200 - "-" "Apache (internal dummy connection)"

I don't have any experience with DDoS; please help me find and resolve the issue? :( My server is CentOS 5.4, Apache 2.2 and PHP 5.2.6.

Thanks,

Tom O'Connor
Tuan Ngo

4 Answers

4

A DDOS is a tough thing. By the time it's reached your server, or your network, it's already too late. Call your ISP. They're the proper ones to deal with a DDOS attack. Give them as much information as possible so they can find a pattern and block it.

Jason Berg
1

As Jason already pointed out, your best current option is to call your ISP/Hoster for help.

After that, sign up for a CDN, if possible - they thwart most DDoSes by design, or at least make them only a localized nuisance. There are many CDNs which provide some free plan, which might be sufficient for you. I heard good stuff about CloudFlare, and used it a bit at some point. YMMV.

Roman
0

Theoretically, you can use client puzzles to solve DDoS attacks. Depending on the situation, you may use different kinds of puzzle to solve your problems.

[May I know, how do you know if you are under DDoS attack from the above log?]

  • I use this command: watch "netstat -an | grep ':80' | awk '{print \$5}' | sed s/'::ffff:'// | cut -d\":\" -f1 | sort | uniq -c" and found a lot of requests from each IP in my access log. So I think my server is attacked by DDoS. – Tuan Ngo Jul 27 '11 at 06:47
  • CPP won't help you if the traffic is saturating your upstream links. The only thing you can do is work with your provider to blackhole the traffic. – Tom O'Connor Jul 27 '11 at 07:37
  • Without the additional double-quotes, the command by Tuan is as: netstat -an | grep ':80' | awk '{print $5}' | sed s/'::ffff:'// | cut -d":" -f1 | sort | uniq -c – siliconpi Jan 13 '16 at 07:57
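An added example, not part of this thread, that does offline what Tuan's netstat one-liner does live: it parses Apache combined-format access-log lines (the sample below is the log from the question), ignores Apache's own `::1` "internal dummy connection" probes, which are not client traffic, and counts requests per client, per path and per User-Agent so that a few clients or one identical User-Agent hammering one URL stand out. The threshold is an assumed parameter; pick it from your own normal traffic.

```python
import re
from collections import Counter

# Apache "combined" LogFormat. %h is an IP, or a hostname when HostnameLookups is On.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Sample input: the access-log excerpt posted in the question.
SAMPLE_LOG = [
    '93-97-53-41.zone5.bethere.co.uk - - [27/Jul/2011:12:13:58 +0700] "GET /forum/forum.php HTTP/1.1" 200 91231 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '61.120.148.12 - - [27/Jul/2011:12:13:39 +0700] "GET /forum/forum.php HTTP/1.0" 200 91539 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '222.122.206.203 - - [27/Jul/2011:12:13:38 +0700] "GET /forum/forum.php HTTP/1.1" 200 91228 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    'cable-27-4.botevgrad.com - - [27/Jul/2011:12:13:39 +0700] "GET /forum/forum.php HTTP/1.1" 200 91228 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '213.197.182.78 - - [27/Jul/2011:12:13:39 +0700] "GET /forum/forum.php HTTP/1.0" 200 91539 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '200.27.142.30 - - [27/Jul/2011:12:13:39 +0700] "GET /forum/forum.php HTTP/1.0" 200 91539 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '189.77.140.57 - - [27/Jul/2011:12:13:35 +0700] "GET /forum/forum.php HTTP/1.0" 200 91539 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '221.226.9.22 - - [27/Jul/2011:12:13:58 +0700] "GET /forum/forum.php HTTP/1.1" 200 91542 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '::1 - - [27/Jul/2011:12:14:03 +0700] "OPTIONS * HTTP/1.0" 200 - "-" "Apache (internal dummy connection)"',
    '221.226.9.22 - - [27/Jul/2011:12:13:58 +0700] "GET /forum/forum.php HTTP/1.1" 200 91231 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '::1 - - [27/Jul/2011:12:14:03 +0700] "OPTIONS * HTTP/1.0" 200 - "-" "Apache (internal dummy connection)"',
]


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines, threshold):
    """Count requests per client, path and User-Agent; flag clients at or above threshold.
    Apache's 'internal dummy connection' entries from ::1 are skipped: they are the
    server waking its own children, not external traffic."""
    per_client, per_path, agents = Counter(), Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or "internal dummy connection" in rec["agent"]:
            continue
        per_client[rec["host"]] += 1
        per_path[rec["path"]] += 1
        agents[rec["agent"]] += 1
    flagged = sorted(h for h, n in per_client.items() if n >= threshold)
    return {"per_client": per_client, "per_path": per_path,
            "agents": agents, "flagged": flagged}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG, threshold=2)
    print("flagged clients:", s["flagged"])
    print("busiest paths:", s["per_path"].most_common(3))
    print("user agents:", s["agents"].most_common(3))
```

In the question's excerpt every real request hits `/forum/forum.php` with the same MSIE 6 User-Agent, which is the kind of uniformity worth reporting to the ISP or hoster as the pattern to filter on.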
-1

For a quick fix, if you are aware of an active DDOS:
On the page/site/portal where you are being DDOSed, in index.php only (or however you are handling the code flow in case of MVC), you can restrict the hacker's IP and return him true or false, and prevent him from hampering your database.
Avoiding abusive traffic and returning a sorry page would always be a better way than letting them impact the database.

ILLUSION
  • You unfortunately seem to have a fundamental misunderstanding of a DDoS: good luck trying to block those thousands of IPs. Also, there is the same issue present with a CPP: upstream bandwidth. – Roman Jul 03 '13 at 13:10
  • 100% agree in case there are thousands of IPs which are targeting. But as the log posted shows me a few, I suggested the quick fix of blocking those which are actively attacking (which was happening in my own case).
    Also, in case there are many and they are targeting one portal, which ultimately is hitting the database I am using for multiple clients, I'd prefer to block/take down one portal for a while. Any wise suggestion to clear my fundamental misunderstanding will be a great help.
    – ILLUSION Jul 03 '13 at 15:28