Server DDOS attack

Question

Server DDOS attack

Asked 6 years, 4 months ago

Viewed 360 times

4

Hello,

I have a server that is suffering DOS attack, I used the command:

watch -n1 'attackers'

in SSH to see the attacks. Basically it has an IP that makes some 380 connections, and makes the server fall in a few minutes.

I block the IP through the firewall, but it’s 30 minutes later and the funny boy changes his IP address and does the process again.

This has been going on for 5 days, and the Host support team can’t find a way.

I put my server sites on Cloudflare, but it didn’t even stop. I was told that it is a DDOS Layer 7..

Every time I get on the stand, I get a different way or they need time to do something there.

Someone has already gone through this and want to suggest some possible solution? I’m considering changing HOST.. But if I can do something better and avoid less hassle.

The server is LINUX. And the company I work for is Hostgator. Dedicated Pro.

1

Yes, and there are several ways to protect yourself. One of them is by configuring the WAF AWS in Cloudfront. This is something I also need to do on a site here.... to studying. But it is possible to do via application a control of requests.

– Karl Zillner

2018/03/02 at 22:31
1

sorry, I thought Cloudfare was from Amazon.... you’re in an environment I don’t know

– Karl Zillner

2018/03/02 at 22:32
Right friend. Thanks anyway for trying.

– Ale

2018/03/02 at 22:34
Which http server are you using? Apache?

– Karl Zillner

2018/03/02 at 22:37
Yes! It’s a Dedicated Pro plan from Hostgator, including great affection for the service.. I expected better support for the price. They serve well, but it’s that it takes 5 days to solve a DDOS problem that I believe even an 8-year-old learns and does is complicated, even more than it is in Layer 7, which I believe are server requests that are leaving the CPU 100% and dropping..

– Ale

2018/03/02 at 22:38
1

quick way to solve, develop a shell script, which counts the amount of IP’s from the same source making attempts to access, for ips with large number of attempts apply a drop rule with iptables, put your script in crontab to run every 1 minute...

– ederwander

2018/03/02 at 23:23
1

install and configure the fail2ban that tbm will help you

– ederwander

2018/03/02 at 23:31
Hello, @ederwander , if you need me to do that too. I’ll do what my friend Karl recommended, then I can measure what has been effective, right? Thanks too. And by the visa will close my topic. (, part.

– Ale

2018/03/02 at 23:32

Show 3 more comments

1 answer

Browser other questions tagged server ddos

You are not signed in. Login or sign up in order to post.

by Karl Zillner • **873** points · Answer 1 · 2018-03-02T22:46:31+00:00

The solution also depends on your version of Apache and Linux, I will put the solution with the mod_evasive of Apache2.

First install the mod_evasive

sudo apt-get -y install libapache2-mod-evasive

Create the log file:

sudo mkdir -p /var/log/apache2/evasive

Give permissions to the file:

sudo chown -R www-data:root /var/log/apache2/evasive

Change the file /etc/apache2/mods-available/mod-evasive.load

DOSHashTableSize 2048
DOSPageCount 20  # maximum number of requests for the same page
DOSSiteCount 300  # total number of requests for any object by the same client IP on the same listener
DOSPageInterval 1.0 # interval for the page count threshold
DOSSiteInterval 1.0  # interval for the site count threshold
DOSBlockingPeriod 10.0 # time that a client IP will be blocked for
DOSLogDir

Dospagecount Will define how many requests the user can make to the same page

Dossitecount Will define how many requests a same ip can make to the site

Dospageinterval and Dossiteinterval is the time interval in seconds for this count above

Dosblockingperiod is the time when it will be blocked in seconds

Restart the Apache:

sudo service apache2 restart

Be careful that depending on the metric you put it can bar human users.