
Our web server (Nginx, MySQL, PHP) is presently being attacked by a DDoS.

Outgoing traffic is normal (avg 563 kb/sec) but incoming traffic is what is eating up our 1gbit port (avg 800Mb/sec).

In the Nginx access log, I noticed a POST request returning a 499 error coming from 10-15 unique IPs very repeatedly to a support ticket system we have installed (/support/index.php - running OSTicket). I blocked INPUT/OUTPUT on these IPs in iptables. I don't think this did anything, but it was odd nonetheless considering these IPs were repeating the POST request every few seconds.

How can I pinpoint the problematic IPs and block them from sending massive incoming requests?

EDIT: Here is a printout of `iptables -L -v`: http://pastebin.com/cyGLKJh4

reefine

2 Answers

If they're straight-up saturating your pipe, then they have no need of making HTTP requests, or even of getting through your iptables rules at all - getting the traffic routed to your device is sufficient to prevent service.

With that in mind, you can certainly identify the source hosts with something like tcpdump - but you really can't do anything in terms of prevention without getting your ISP or provider involved, as they'll need to block the traffic at a router or firewall before it is sent to your device to do any good.

Shane Madden
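The "identify the source hosts" step above, as an added example that is not part of the original answer: instead of tcpdump, this tallies the repeated POSTs to /support/index.php that nginx logged with status 499 (client closed the connection before the response), per source IP, from access-log lines in nginx's default `combined` format. The log lines and the hit threshold are constructed for illustration; the resulting IP list is what you would hand to the upstream provider, since dropping the packets locally does not free the link.

```shell
#!/bin/sh
# Constructed sample of nginx "combined" access-log lines (not real traffic).
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.5 - - [12/Mar/2012:10:15:01 +0000] "POST /support/index.php HTTP/1.1" 499 0 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2012:10:15:02 +0000] "POST /support/index.php HTTP/1.1" 499 0 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2012:10:15:03 +0000] "POST /support/index.php HTTP/1.1" 499 0 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Mar/2012:10:15:04 +0000] "GET /support/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2012:10:15:05 +0000] "POST /support/index.php HTTP/1.1" 200 311 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2012:10:15:06 +0000] "POST /support/index.php HTTP/1.1" 499 0 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2012:10:15:07 +0000] "POST /support/index.php HTTP/1.1" 499 0 "-" "Mozilla/5.0"
EOF
)

# count_499_posts [PATH]  (reads log lines on stdin)
# Prints "<hits> <ip>", most hits first, for POST requests to PATH
# (default /support/index.php) that nginx answered with status 499.
count_499_posts() {
    awk -v path="${1:-/support/index.php}" '
        # combined format: $1 client ip, $6 "\"METHOD", $7 request path, $9 status
        $6 == "\"POST" && $7 == path && $9 == "499" { hits[$1]++ }
        END { for (ip in hits) printf "%d %s\n", hits[ip], ip }
    ' | sort -rn
}

# offenders_over MIN_HITS  (reads log lines on stdin)
# Prints only the IPs with at least MIN_HITS such requests, one per line.
offenders_over() {
    count_499_posts | awk -v min="$1" '$1 >= min { print $2 }'
}

# Stand-alone run over the constructed sample; on a live box replace the
# printf with: tail -n 100000 /var/log/nginx/access.log | offenders_over 50
printf '%s\n' "$SAMPLE_LOG" | count_499_posts
printf '%s\n' "$SAMPLE_LOG" | offenders_over 3
```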

Short term - ask your host / ISP to block the IPs at their level

Longer term - try to track down the owners of those IPs (or the ISPs who supply them) and tell them that they've been compromised and are being used as part of a DDoS botnet.

Shish