My Apache server is currently getting DDoSed. It looks like all the traffic is referrals from the file server of a Russian file sharing site. How can I block only the traffic which is coming from the compromised site?
4 Answers
None of these answers above will help.
If your site is under a DDoS attack, the only real, usable source of help is in the form of the technical contact at your upstream provider.
Yes, you can deny and drop packets at the edge of your network, but it won't make a whit of difference if your connection has already been saturated by the traffic coming in from the outside.
You need to work with your provider to drop the traffic when it reaches the outside of their network, which has lots of spare redundant capacity, and is a lot easier to apply whole null route blocks to.
Changing iptables, or rewrites on your webserver, might give you the impression of stopping an attack, but it's like trying to put a band-aid over a gashed artery.
The sheer volume of attack traffic can even overwhelm your kernel if it's doing iptables stuff; dropping traffic takes up CPU time too. Get your ISP/transit provider to do it.
It's easier from their point of view, too.
Does not have to be necessarily true in every case. Quite depends on the nature of the DDoS/traffic. Paying an ISP for DDoS mitigation where you can help yourself is ... well, getting plastic surgery for a broken nail. – Fox Dec 18 '11 at 00:48
The problem is my connection, not the server itself. I'm only paying for a 10 megabit line so needless to say I'm a pretty easy target. Thanks for the advice! – devnill Dec 18 '11 at 01:19
You can defend your site from DoS (from any site) by simply limiting the number of existing connections per IP with iptables.
This rule rejects more than 10 connections from one IP:
iptables -A INPUT -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 10 --connlimit-mask 32 -j REJECT --reject-with tcp-reset
And this logs the incidents:
# The LOG rule must sit before the REJECT rule, otherwise REJECT terminates the packet first and nothing is logged; -I inserts it at the top of the chain.
iptables -I INPUT -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 10 --connlimit-mask 32 -j LOG --log-prefix "ABOVE_LIMIT"
The number of connections is only an example; you must set your own value. But if you know that at this moment the DoS is flooding you from this Russian site, block this IP permanently:
iptables -I INPUT -s X.X.X.X -j DROP
Where X.X.X.X is the IP address of this site.
Most DDoS attacks come from numerous IP addresses, so blocking just a single IP address may not "fix the problem". However, in order for us to help you (in a true DDoS attack), we would need much more information, such as what type of DDoS is this - SYN flood, ICMP flood, Something else, etc...
To answer your specific question...
How can I block only the traffic which is coming from the compromised site?
Depending on your OS (is it Ubuntu? CentOS? Something else?) and how it's configured (is it a VPS? A physical server you own?), you may be able to use iptables to block requests coming from a specific IP address:
iptables -I INPUT -s 1.2.3.4 -j DROP
If this doesn't answer your question, though, then give us more information about your configurations, log files, server architecture, what exactly is happening, etc...
If by DDoS you mean a lot of regular users hitting your website and downloading something, your best bet is to reject those requests by the referer.
You'll best find out by looking at the logs (mind sharing a few lines?).
So you set up something like this. You'll still get a lot of connections, but those get rejected quickly and don't load your Apache so much.
RewriteEngine on
RewriteCond %{HTTP_REFERER} referingsite.com [NC]
RewriteRule .* - [F]
Or you can do it the other way round, and reject all requests whose referer is neither empty nor from your own site.
Of course if it's just common DDoS, this won't help.
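Added example, not part of any of the answers above: the last answer says to look at the logs, and the second and third give the iptables rule to apply once you know the IPs. This script ties those steps together. It parses Apache "combined" format access log lines, counts hits and bytes served per referring host (bytes matter most when the bottleneck is a 10 Mbit line), lists the client IPs that arrived via the hostile referer, and emits the corresponding `iptables -I INPUT -s ... -j DROP` lines and an anchored, dot-escaped version of the `RewriteCond` from the last answer. The log lines, host names and IP addresses are constructed for the example. Two caveats: the Referer header is supplied by the client and can be missing or forged, and blocking the client IPs blocks the people the file-sharing site sent to you, not the site itself.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample access log in Apache "combined" format (not from the original post).
SAMPLE_LOG = """\
203.0.113.10 - - [18/Dec/2011:00:40:01 +0000] "GET /files/big.iso HTTP/1.1" 200 734003200 "http://files.example-share.ru/dl/42" "Mozilla/5.0"
203.0.113.11 - - [18/Dec/2011:00:40:02 +0000] "GET /files/big.iso HTTP/1.1" 200 734003200 "http://files.example-share.ru/dl/42" "Mozilla/5.0"
198.51.100.7 - - [18/Dec/2011:00:40:03 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [18/Dec/2011:00:40:04 +0000] "GET /files/big.iso HTTP/1.1" 206 1048576 "http://files.example-share.ru/dl/42" "Mozilla/5.0"
198.51.100.8 - - [18/Dec/2011:00:40:05 +0000] "GET /about.html HTTP/1.1" 200 2048 "http://www.example.com/index.html" "Mozilla/5.0"
203.0.113.12 - - [18/Dec/2011:00:40:06 +0000] "GET /files/big.iso HTTP/1.1" 200 734003200 "https://files.example-share.ru/dl/43" "Mozilla/5.0"
"""

# One regex for the combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse(log_text):
    """Yield one dict per well-formed line; silently skip lines that do not match."""
    for line in log_text.splitlines():
        m = COMBINED.match(line)
        if m:
            yield m.groupdict()


def referer_host(ref):
    """Reduce a Referer URL to its host; empty string for a missing ('-') referer."""
    if ref in ("", "-"):
        return ""
    return (urlparse(ref).hostname or "").lower()


def hits_by_referer_host(log_text):
    """Request count per referring host (key '' = no referer)."""
    return Counter(referer_host(r["ref"]) for r in parse(log_text))


def bytes_by_referer_host(log_text):
    """Bytes served per referring host; Apache logs '-' when nothing was sent."""
    total = Counter()
    for r in parse(log_text):
        if r["bytes"].isdigit():
            total[referer_host(r["ref"])] += int(r["bytes"])
    return total


def client_ips_for_referer(log_text, host):
    """Sorted, de-duplicated client IPs whose requests carried the given referer host."""
    return sorted({r["ip"] for r in parse(log_text) if referer_host(r["ref"]) == host})


def block_commands(ips):
    """iptables drop rules in the form the answers above use (one per client IP)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]


def rewrite_rules(host):
    """mod_rewrite block: anchored to the scheme and host, dots escaped so they match literally."""
    return (
        "RewriteEngine on\n"
        f"RewriteCond %{{HTTP_REFERER}} ^https?://{re.escape(host)}(/|$) [NC]\n"
        "RewriteRule .* - [F]"
    )


if __name__ == "__main__":
    hits = hits_by_referer_host(SAMPLE_LOG)
    served = bytes_by_referer_host(SAMPLE_LOG)
    for host, n in hits.most_common():
        print(f"{n:5d} hits {served[host]:>12d} bytes  referer={host or '(none)'}")
    worst = hits.most_common(1)[0][0]
    ips = client_ips_for_referer(SAMPLE_LOG, worst)
    print("\n".join(block_commands(ips)))
    print(rewrite_rules(worst))
```

Run it against a real log with `python3 script.py < /var/log/apache2/access.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`; review the top referer list before pasting the generated rules, since a popular legitimate site can top the list too.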