
Not sure if SO is the right forum, but we're in need of help and perhaps programmatic elements may comprise the final solution. Instead of downvoting, please recommend where to post this question, and we'll gladly remove this from SO. Thanks -- we just want to overcome this attack.

It seems like our ecommerce site is under attack from a botnet, causing our site to go down. We're receiving 50-100 requests per second (far surpasses normal traffic). Some requests are for outdated URLs not even normally accessible from the site.

Two questions:

1) How do we confirm if the site is under attack?

2) If the site is under attack, how can we ward off the attack and prevent future ones?

We appreciate any help or guidance anyone can offer.

We're using Tomcat 6.0. (Don't ask why. You don't want to know.)

Thanks!

Crashalot
  • Howdy, are the requests coming from the same IP address or the same subnet? Can you take the IP and perform a reverse DNS lookup to see where it is originating from? You didn't mention which OS. But whatever you are using, how about blacklisting the range of IP addresses that you suspect are attacking? – Soham Chakraborty Mar 17 '14 at 06:46
  • http://serverfault.com/questions/531941/i-am-under-ddos-what-can-i-do – user9517 Mar 17 '14 at 06:49
  • Thanks @SohamChakraborty. We're pulling the IP data now. Will repost in a bit. We're on Windows, sadly. (Again, don't ask. You don't want to know.) – Crashalot Mar 17 '14 at 07:00
  • One other data point: we seem to have a ton of sleeping MySQL connections that continue to crop up even after we try killing them. Is this symptomatic of a botnet attack? – Crashalot Mar 17 '14 at 07:02

1 Answer


(edit: I just saw your comment that you run Windows. This won't help you then :( )

If you can, have your network provider null-route the traffic.

You can also do something like this to limit the amount of connections per source IP:

# Inserted first, so it ends up second in the chain: drop a new connection whose source
# has already been seen --hitcount times within the last --seconds seconds
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
# Inserted second, so it runs first: record the source address of every new connection
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set

This sets a limit of max 10 new connections per 60 seconds. For the specified port (ssh) this is fine, but port 80 will have to handle more under normal conditions (every image, javascript file, etc., is a connection).

You would have to experiment, but I'd start with:

# Same pair of rules for HTTP, with a looser threshold of 100 new connections per 60 seconds
iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 100 -j DROP
iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --set

That's assuming you're not using port 443.

Halfgaar
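As an added example that is not part of the question or the answer, the following applies the same per-source threshold as the iptables `recent` rule above (more than N new requests from one IP inside a 60-second window) to Tomcat access-log lines instead, which also helps answer the "how do we confirm it" question on the asker's Windows host. It assumes the AccessLogValve "common" pattern (`%h %l %u %t "%r" %s %b`) and uses constructed log lines with documentation-range addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, path, status), or None if the line is not in the common format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["path"], int(m["status"])

def flag_sources(lines, window_seconds=60, hitcount=100, known_paths=None):
    """Log-side equivalent of the answer's iptables rule: flag any source IP that makes
    more than `hitcount` requests inside a sliding `window_seconds` window. Also count,
    per IP, 404s on paths outside `known_paths` (the "outdated URLs" symptom)."""
    recent = defaultdict(deque)   # ip -> request timestamps still inside the window
    flagged, stale_hits = set(), defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:        # skip malformed or differently formatted lines
            continue
        ip, ts, path, status = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # expire timestamps older than the window
        if len(q) > hitcount:
            flagged.add(ip)
        if known_paths is not None and status == 404 and path not in known_paths:
            stale_hits[ip] += 1
    return flagged, dict(stale_hits)

def sample_log():
    """Constructed lines, not real traffic: one source sends 120 requests in 30 seconds,
    a third of them to a retired URL, while a normal visitor sends 5 requests."""
    lines = []
    for i in range(120):
        path = "/old/catalog.jsp" if i % 3 == 0 else "/product.jsp"
        status = 404 if path.startswith("/old/") else 200
        lines.append(f'203.0.113.5 - - [17/Mar/2014:06:46:{i // 4:02d} +0000] "GET {path} HTTP/1.1" {status} 512')
    for i in range(5):
        lines.append(f'198.51.100.7 - - [17/Mar/2014:06:46:{i * 10:02d} +0000] "GET /product.jsp HTTP/1.1" 200 512')
    return lines

if __name__ == "__main__":
    print(flag_sources(sample_log(), known_paths={"/product.jsp", "/index.jsp"}))
```

When the same threshold is applied with the iptables rule, note that the xt_recent kernel module only remembers 20 packets per address by default, so a `--hitcount` above 20 is rejected unless the module's `ip_pkt_list_tot` parameter is raised.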