Server DDOS attack

Viewed 360 times

4

Hello,

I have a server that is suffering a DoS attack. I used the command:

watch -n1 'attackers'

in SSH to see the attacks. Basically there is one IP that makes some 380 connections and brings the server down in a few minutes.

I block the IP through the firewall, but 30 minutes later the funny boy changes his IP address and does the whole thing again.

This has been going on for 5 days, and the host's support team can't find a way.

I put my server's sites on Cloudflare, but that didn't stop it either. I was told that it is a Layer 7 DDoS..

Every time I get on the stand, I am given a different way, or they need time to do something there.

Has someone already gone through this and wants to suggest a possible solution? I'm considering changing host.. But I'd rather do something better and avoid the hassle.

The server is Linux, and the company I work with is Hostgator, Dedicated Pro.

  • 1

    Yes, and there are several ways to protect yourself. One of them is by configuring the AWS WAF in CloudFront. This is something I also need to do on a site here.... still studying it. But it is possible to control requests at the application level.

  • 1

    Sorry, I thought Cloudflare was from Amazon.... you're in an environment I don't know.

  • Right, friend. Thanks anyway for trying.

  • Which HTTP server are you using? Apache?

  • Yes! It's a Dedicated Pro plan from Hostgator, including great affection for the service.. I expected better support for the price. They serve well, but taking 5 days to solve a DDoS problem that I believe even an 8-year-old learns and does is complicated, even more so since it is Layer 7, which I believe means server requests that are leaving the CPU at 100% and dropping..

  • 1

    Quick way to solve it: develop a shell script which counts the number of connections from the same source IP making access attempts; for IPs with a large number of attempts, apply a DROP rule with iptables. Put your script in crontab to run every minute...

  • 1

    Install and configure fail2ban, which will also help you.

  • Hello, @ederwander, if you need me to do that too. I'll do what my friend Karl recommended, then I can measure what has been effective, right? Thanks too. And apparently I will close my topic.
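As an added illustration of the "count connections per source IP, then drop the heavy ones" approach suggested in the comments (this is not code from the thread), the script below parses the output of `ss -Htn state established`, counts connections per peer address, and produces the iptables DROP commands for any address at or above a threshold. The sample `ss` output, the addresses and the allowlist are constructed for the example; a real run would read the live `ss` output, and the allowlist exists so the admin's own SSH source and monitoring hosts can never be dropped, which is the mistake a cron-driven blocker most often makes.

```python
"""Count established connections per source IP and plan iptables DROP rules.

Added example, not from the original thread. Assumes it is run from cron as
root with `--live` (to read `ss`) and `--apply` (to execute the rules);
without those flags it works on a constructed sample and only prints.
"""
import re
import shlex
import subprocess
import sys
from collections import Counter

# Constructed sample of `ss -Htn state established` output (Recv-Q Send-Q
# Local:Port Peer:Port). Not captured from a real host.
SAMPLE_SS_OUTPUT = """\
0 0 203.0.113.10:80 198.51.100.7:51234
0 0 203.0.113.10:80 198.51.100.7:51235
0 0 203.0.113.10:80 198.51.100.7:51236
0 0 203.0.113.10:443 192.0.2.44:40001
0 0 203.0.113.10:22 192.0.2.9:60222
0 0 203.0.113.10:80 198.51.100.7:51237
"""

# Constructed allowlist: the admin's SSH source and monitoring must never be dropped.
ALLOWLIST = {"192.0.2.9"}

# Peer address is the last column; the greedy \S+ keeps bracketed IPv6 intact.
PEER_RE = re.compile(r"(\S+):(\d+)\s*$")


def count_peers(ss_output: str) -> Counter:
    """Return a Counter of established connections per peer IP."""
    counts = Counter()
    for line in ss_output.splitlines():
        m = PEER_RE.search(line.strip())
        if m:
            counts[m.group(1).strip("[]")] += 1
    return counts


def offenders(counts: Counter, threshold: int, allowlist=ALLOWLIST) -> list:
    """(ip, count) pairs at or above threshold, allowlisted IPs excluded,
    heaviest first."""
    hits = [(ip, n) for ip, n in counts.items()
            if n >= threshold and ip not in allowlist]
    return sorted(hits, key=lambda t: (-t[1], t[0]))


def drop_rule(ip: str) -> list:
    """iptables argv inserting a DROP for `ip` at the top of INPUT, so it
    wins over any later ACCEPT rule."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]


def plan(ss_output: str, threshold: int) -> list:
    """All DROP commands the script would run for this snapshot."""
    return [drop_rule(ip) for ip, _ in offenders(count_peers(ss_output), threshold)]


def rule_present(ip: str) -> bool:
    """True if an identical DROP rule already exists (`iptables -C`), so a
    per-minute cron job does not stack duplicate rules."""
    r = subprocess.run(["iptables", "-C", "INPUT", "-s", ip, "-j", "DROP"],
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return r.returncode == 0


def main(argv):
    threshold = 50  # tune to the server's normal per-client connection count
    if "--live" in argv:
        output = subprocess.run(["ss", "-Htn", "state", "established"],
                                capture_output=True, text=True, check=True).stdout
    else:
        output = SAMPLE_SS_OUTPUT
        threshold = 3  # low threshold so the constructed sample shows a hit
    for cmd in plan(output, threshold):
        if "--apply" in argv:
            if not rule_present(cmd[4]):
                subprocess.run(cmd, check=True)
        else:
            print(shlex.join(cmd))


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run without flags it prints `iptables -I INPUT -s 198.51.100.7 -j DROP` for the sample; the rules it adds are not persistent across reboots, and the thread's follow-up about the attacker rotating addresses still applies, which is why the later answer moves to request-rate limiting in Apache instead of connection counts alone.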


1 answer

4


The solution also depends on your version of Apache and Linux; I will give the solution with Apache2's mod_evasive.

First install mod_evasive:

sudo apt-get -y install libapache2-mod-evasive

Create the log file:

sudo mkdir -p /var/log/apache2/evasive

Give permissions to the file:

sudo chown -R www-data:root /var/log/apache2/evasive

Change the file /etc/apache2/mods-available/mod-evasive.load:

DOSHashTableSize 2048
# maximum number of requests for the same page
DOSPageCount 20
# total number of requests for any object by the same client IP on the same listener
DOSSiteCount 300
# interval for the page count threshold
DOSPageInterval 1.0
# interval for the site count threshold
DOSSiteInterval 1.0
# time that a client IP will be blocked for
DOSBlockingPeriod 10.0
# the directory created above
DOSLogDir /var/log/apache2/evasive

DOSPageCount defines how many requests the user can make to the same page.

DOSSiteCount defines how many requests the same IP can make to the site.

DOSPageInterval and DOSSiteInterval are the time interval in seconds for the counts above.

DOSBlockingPeriod is the time, in seconds, for which the IP will be blocked.

Restart the Apache:

sudo service apache2 restart

Be careful: depending on the thresholds you set, it can also block human users.
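To see what those thresholds do before enabling them, here is an added model of mod_evasive's per-IP counters (example code, not part of the answer and not mod_evasive's source: it approximates the documented behaviour with fixed-interval counters keyed by IP+URI and by IP, and assumes a block is refreshed while the client keeps hitting). The request timelines and addresses are constructed. It shows a normal visitor passing, a same-page flood being refused from the 21st request, the block expiring after DOSBlockingPeriod, and the caveat above: many users behind one NAT address trip the same counter unless DOSPageCount is raised.

```python
"""Model of mod_evasive's counters with the answer's values.

Added example; approximation of the documented behaviour, not the module's
own code. All traffic below is constructed.
"""
from dataclasses import dataclass


@dataclass
class EvasiveConfig:
    page_count: int = 20           # DOSPageCount
    site_count: int = 300          # DOSSiteCount
    page_interval: float = 1.0     # DOSPageInterval (seconds)
    site_interval: float = 1.0     # DOSSiteInterval (seconds)
    blocking_period: float = 10.0  # DOSBlockingPeriod (seconds)


@dataclass
class Window:
    started: float  # when the current counting interval began
    count: int      # hits seen in it


class EvasiveModel:
    def __init__(self, cfg=None):
        self.cfg = cfg or EvasiveConfig()
        self.page = {}           # (ip, uri) -> Window
        self.site = {}           # ip -> Window
        self.blocked_until = {}  # ip -> time the block lapses

    def _bump(self, table, key, now, interval):
        """Increment the counter for key, restarting it once the interval
        has elapsed (fixed window, as the DOS*Interval directives describe)."""
        w = table.get(key)
        if w is None or now - w.started >= interval:
            table[key] = Window(now, 1)
            return 1
        w.count += 1
        return w.count

    def request(self, ip, uri, now):
        """Return 200 if the request is served, 403 if mod_evasive refuses it."""
        until = self.blocked_until.get(ip)
        if until is not None:
            if now < until:
                # assumption: a blocked client that keeps hitting extends its block
                self.blocked_until[ip] = now + self.cfg.blocking_period
                return 403
            del self.blocked_until[ip]
        p = self._bump(self.page, (ip, uri), now, self.cfg.page_interval)
        s = self._bump(self.site, ip, now, self.cfg.site_interval)
        if p > self.cfg.page_count or s > self.cfg.site_count:
            self.blocked_until[ip] = now + self.cfg.blocking_period
            return 403
        return 200


def burst(model, ip, uri, n, start, spacing):
    """Send n requests to uri, `spacing` seconds apart; return the statuses."""
    return [model.request(ip, uri, start + i * spacing) for i in range(n)]


def demo():
    """Normal visitor, a same-page flood, and the flood source after its block lapses."""
    m = EvasiveModel()
    human = burst(m, "192.0.2.10", "/index.html", 5, 0.0, 0.2)
    flood = burst(m, "198.51.100.7", "/index.html", 25, 0.0, 0.01)
    later = m.request("198.51.100.7", "/index.html", 12.25)  # > 10 s after the last hit
    return human, flood, later


def nat_demo():
    """30 users behind one NAT IP loading the front page within a second:
    number of refusals with the answer's DOSPageCount, then with it raised to 50."""
    strict = burst(EvasiveModel(), "203.0.113.5", "/index.html", 30, 0.0, 0.03)
    relaxed = burst(EvasiveModel(EvasiveConfig(page_count=50)),
                    "203.0.113.5", "/index.html", 30, 0.0, 0.03)
    return strict.count(403), relaxed.count(403)


if __name__ == "__main__":
    h, f, l = demo()
    print("visitor:", h, "flood refused from request", f.index(403) + 1, "later:", l)
    print("NAT office refusals (strict, relaxed):", nat_demo())
```

The split between page and site counters matters when reading `DOSSiteCount 300`: a single page that pulls 40 images counts 40 different URIs against the site counter but only 1 against each page counter, so the page threshold is the one that bites real visitors first.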

  • Karl, I'm going to ask them to implement this service, and I'll come back here to give you feedback. Thanks for the reply. :)

  • Don't you have access to the server via SSH? Because then you can implement it yourself and not depend on them.

  • I tried via SSH, but got a warning: sudo: apt-get: command not found. I believe this "apt-get" is not available for use.

  • Type uname -a in the terminal and see which Linux you are using. Post the result here.

  • Linux yyy.xxx.com 2.6.32-696.20.1.el6.x86_64 #1 SMP Fri Jan 26 17:51:45 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux - I just hid the server name there, already afraid of these funny attackers.. haha

  • 1

    Of course! You did right... strange... I think since it is a Redhat it has to have some package manager: apt-get, yum, rpm

