
My server is getting attacked. It seems to be a SYN flood, and he is spoofing IPs.

sudo netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

returns this.

  ...
  4 94.144.63.102
  5 91.100.45.134
  6 62.199.203.97
  7 5.175.207.98
  7 77.68.246.5
 121 87.60.164.123
1920 127.0.0.1
2428 77.66.108.158

Now, I have attempted everything; I can't seem to stop it. It seems to be coming from datacenters.

I have attempted to ban IPs individually, to no use; it keeps going. I installed fail2ban and mod_security and tried a lot of configurations with no luck. I can lower the amount per IP to about 30, but then I have 200 IPs with 30 requests each.

Now, I signed up at Cloudflare and moved my DNS, but I wonder about this.

My site can be accessed via its IP. Now, I know Cloudflare just routes the traffic via their DNS, but can't he just flood my server's IP? Can I deny all direct-IP traffic in Apache, or what am I supposed to do to stop this attack?

I am a software developer, not a server admin.

I am running Debian Jessie on an Amazon EC2 instance, with Apache2 to handle requests.

EDIT: I am 100% sure it was a DDoS; it was a SYN flood. I checked and I had a massive amount of connections pending on SYN. I moved the server behind Cloudflare and changed the IP, and it worked.

  • Possible duplicate of [I am under DDoS. What can I do?](http://serverfault.com/questions/531941/i-am-under-ddos-what-can-i-do) – gxx Jan 13 '16 at 01:07
  • That address is [a Tor exit node](http://ip.addr.space/77.66.108.158). Did you get someone mad at you? – Michael Hampton Jan 13 '16 at 01:09
  • Yeah .... you could say that ..... he is quite mad – user3908531 Jan 13 '16 at 01:11
  • I only have 2 ports open, port 80 and port 443, and he is attacking port 80 with a SYN flood – user3908531 Jan 13 '16 at 01:13
  • @MichaelHampton Is it even possible to do a SYN flood through Tor? As far as I know, the only way to get a Tor node to send a SYN packet is through a real TCP stack. – kasperd Jan 13 '16 at 09:35
  • @gf_ I'm not entirely convinced this is a DDoS attack. – kasperd Jan 13 '16 at 09:37
  • @Ivan I don't see any evidence to support a conclusion about SYN flooding or IP spoofing. Did you try blocking the traffic properly? Could look like this: `iptables -I INPUT -s 77.66.108.158 -p tcp -j REJECT --reject-with tcp-reset` – kasperd Jan 13 '16 at 09:42
  • @kasperd Right, a Tor exit will only open full connections. Of course, the OP has not provided enough information to determine the state of these connections. – Michael Hampton Jan 13 '16 at 13:57
  • @MichaelHampton I have a guess about which site this is. If my guess is correct, it is entirely possible the administrator himself is connecting to his Amazon instance through Tor because he doesn't want to be found by the authorities. And the large amount of traffic could simply be due to recent media exposure. – kasperd Jan 13 '16 at 14:25
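The commenters' point is that the netstat pipeline in the question counts remote addresses but throws away the connection state, and the state is what separates a SYN flood (many half-open SYN_RECV entries from a source) from a burst of real visitors (ESTABLISHED). The shell snippet below is an added example, not part of the question or of any answer: it runs the same kind of awk pipeline over a constructed `netstat -ant` sample (the addresses are documentation ranges, not the ones from the question) and reports counts per remote address and state.

```shell
#!/bin/sh
# Added example: summarise TCP connection state per remote address from
# `netstat -ant` output, so half-open (SYN_RECV) entries can be told apart
# from ESTABLISHED ones. The sample below is constructed, not real output
# from the server in the question.

# Constructed sample of `netstat -ant` output (Linux column layout:
# Proto Recv-Q Send-Q Local-Address Foreign-Address State).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             203.0.113.7:51022       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51023       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51024       SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.9:40000      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.9:40001      ESTABLISHED
tcp        0      0 10.0.0.5:443            198.51.100.9:40002      TIME_WAIT
tcp        0      0 127.0.0.1:3306          127.0.0.1:52000         ESTABLISHED'

# Read netstat output on stdin and print "<count> <remote-ip> <state>" for
# every tcp line except LISTEN sockets, lowest count first.
state_per_ip() {
    awk '$1 == "tcp" && $6 != "LISTEN" {
            ip = $5; sub(/:[^:]*$/, "", ip);   # strip the port from "ip:port"
            count[ip " " $6]++
         }
         END { for (k in count) print count[k], k }' | sort -n
}

# Count half-open (SYN_RECV) connections for one remote IP; prints a number.
# On a real host: netstat -ant | syn_recv_for <ip>
syn_recv_for() {
    awk -v want="$1" '$1 == "tcp" && $6 == "SYN_RECV" {
            rip = $5; sub(/:[^:]*$/, "", rip);
            if (rip == want) n++
         }
         END { print n + 0 }'
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_NETSTAT" | state_per_ip
printf '%s\n' "$SAMPLE_NETSTAT" | syn_recv_for 203.0.113.7
```

Run against live data with `netstat -ant | state_per_ip` (or `ss -tan`, which has the same columns in a different order, so adjust the field numbers). A source that shows up almost only as SYN_RECV is behaving like a flood; a source with hundreds of ESTABLISHED connections is a real TCP peer, which is the case a Tor exit node would produce.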

3 Answers


You can set Cloudflare to proxy the HTTP connections; then you won't appear in DNS entries. This doesn't help you if the attacker already has your IP address. I recommend you enable Cloudflare's proxying and then change your IP address.

Jayen
  • Deny all traffic, then explicitly allow traffic only from the IP addresses that Cloudflare publishes: https://www.cloudflare.com/ips/ – Tim Jan 13 '16 at 05:14

You can use iptables to blacklist the IPs (or whitelist Cloudflare if they are proxying your web services), but that won't stop the SYN packets from coming in; it only means that they won't appear in netstat. Also, this might be more server admin than you want.

Jayen
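Tim's comment on the first answer and this answer describe the same netfilter approach: accept 80/443 only from the ranges Cloudflare publishes and drop direct-to-IP web traffic from everyone else. The shell function below is an added example, not Jayen's or Tim's code: it turns a list of CIDRs into the corresponding iptables commands and prints them rather than applying them, so the rule set can be reviewed first. The two ranges embedded in it are constructed placeholders from documentation address space, not Cloudflare's real list; the real list lives at https://www.cloudflare.com/ips/ and has to be refreshed when Cloudflare changes it.

```shell
#!/bin/sh
# Added example: generate iptables rules that accept TCP 80/443 only from the
# address ranges Cloudflare publishes (https://www.cloudflare.com/ips/) and
# drop web traffic from any other source. Commands are printed, not executed;
# review them, then pipe the output into `sh` as root to apply.

# Placeholder ranges (constructed, NOT Cloudflare's real list). Replace with the
# contents of https://www.cloudflare.com/ips-v4 before use.
CF_RANGES_PLACEHOLDER='192.0.2.0/24
198.51.100.0/24'

# Read one CIDR per line on stdin and print the iptables commands.
# A dedicated chain keeps the existing INPUT policy (SSH etc.) untouched:
# only packets to ports 80/443 are diverted into it.
cloudflare_only_rules() {
    # Create the chain, or flush it if a previous run already created it
    echo 'iptables -N CF_WEB 2>/dev/null || iptables -F CF_WEB'
    while read -r cidr; do
        [ -n "$cidr" ] || continue              # skip blank lines
        case "$cidr" in '#'*) continue ;; esac  # skip comment lines
        echo "iptables -A CF_WEB -s $cidr -j ACCEPT"
    done
    # Anything reaching the chain from a non-Cloudflare source is dropped
    echo 'iptables -A CF_WEB -j DROP'
    # Divert inbound web traffic through the chain, ahead of existing rules
    echo 'iptables -I INPUT -p tcp -m multiport --dports 80,443 -j CF_WEB'
}

# Stand-alone run: print the rule set for the placeholder ranges.
printf '%s\n' "$CF_RANGES_PLACEHOLDER" | cloudflare_only_rules
```

Because the DROP only matches ports 80 and 443, SSH and everything else keep whatever rules they already had; do the same for the IPv6 list with ip6tables if the instance has a public IPv6 address. As the answer says, dropping in netfilter does not stop the packets from arriving at the interface, but a dropped SYN never gets a half-open entry in the kernel, so it no longer shows up in netstat and consumes no connection state. The kernel's own defence against half-open exhaustion is `net.ipv4.tcp_syncookies=1`, which modern Linux kernels enable by default; it is worth confirming with `sysctl net.ipv4.tcp_syncookies`.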
**I am 100% sure it was a DDoS; it was a SYN flood. I checked and I had a massive amount of connections pending on SYN. I moved the server behind Cloudflare and changed the IP, and it worked.**