Attacks on my server


Crazy4

I run a small private Swedish music sharing site.

For the past 3 days, there have been continuous attacks on my server.

The httpd sessions are being flooded and the httpd load rises to: 200 - 600

Which makes the server almost inaccessible to everyone.

I think this is a kind of a port flooding or something similar

I am currently using : iptables | CSF

when I do netstat

Code:
      1 122.108.26.155
      1 123.125.66.53
      1 125.60.235.227
      1 153.91.179.159
      1 173.34.53.110
      1 189.107.34.88
      1 199.26.172.101
      1 207.255.68.18
      1 68.59.75.67
      1 69.14.246.119
      1 75.70.252.36
      1 85.66.74.97
      1 99.235.95.110
      1 Address
      1 servers)
      2 110.137.110.242
      2 114.120.223.71
      2 117.200.208.97
      2 124.253.162.209
      2 212.46.40.198
      3 110.49.49.16
      3 222.252.86.165
      3 65.37.18.45
      3 71.249.108.199
      4 125.27.164.64
      4 125.99.159.182
      4 76.239.185.200
      4 89.186.120.188
      4 91.36.221.175
      5 115.252.44.80
      5 202.162.200.2
      5 24.16.253.143
      5 58.9.139.83
      6 118.68.252.39
      6 122.169.241.132
      6 124.83.27.159
      6 203.98.112.166
      6 58.168.212.160
      6 67.106.77.21
      7 222.155.207.243
      8 114.128.121.99
     10 114.143.57.17
     16 118.90.34.106
     18 121.98.182.15
     18 86.171.230.35
     46 127.0.0.1

I would really appreciate it if any of you could take the initiative to help me out. If things go well enough, I might even donate to you for helping me out :)

Awaiting Response,
Crazy4
 
17 comments
I don't believe that is a flood, really.

If I am correct, a flood is many connections from one IP,

in which case, in SSH, you use this command:

iptables -I INPUT -s IPHERE -j DROP

Replace IPHERE with the IP you want to drop.
 
Just close down your server for about 2-3 days.

This will help you for some time.

But install some anti-DDoS security on the server.
I would suggest you give the tight security work to professional technicians,
as you cannot compromise on security.

Hope this helps you out

=========
EDIT:
Alternately, you can see this article
Limit IP Connections on Linux
 
Thanks,

Any other anti-DDoS paid/free open-source scripts you know of, mate?

I really need to get this sorted on time.

Thanks
 
In minutes the load goes above 30 - 200

CSF or APF which is the best?

Is there any best commercial one available too?

Appreciate everyone out here :D

Thanks again

A friend over MSN advised me to put in a cron job for an httpd restart.

Can anyone guide me on how to get it working?

I added it with crontab -e,

but I don't think it restarts.
 
If you have SSH on your server...
netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk1

Type that in and it will give you a list of IPs that are connected and how many connections they have.

If you know you are being attacked and by which IP, simply drop the connection over SSH using:
/sbin/iptables -A INPUT -s 127.0.0.1/16 -j DROP
(replace 127.0.0.1 with the IP address you want dropped).
*I heard the second command bans IPs, but I'm not sure; it worked for me, though...*
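As an added example (not part of this thread or any poster's code), here is the same per-IP connection count as the netstat one-liner above, written as a reusable POSIX shell script. It runs offline against a constructed sample of `netstat -plan` output embedded in the script (the addresses are documentation ranges, not from the thread), skips the header and LISTEN lines that the plain `grep :80` lets through, and only *reports* IPs at or above a threshold so an operator can review the list (and leave 127.0.0.1 and known-good addresses alone) before adding any iptables rule. The threshold value and the function names are my own choices; the awk field positions assume the classic IPv4 netstat layout.

```shell
#!/bin/sh
# Constructed sample of `netstat -plan` output (not taken from the thread).
# It includes the two header lines and a LISTEN socket on purpose, so the
# parser has to skip them the way it must on a real server.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.0.0.5:80             203.0.113.10:51234      ESTABLISHED 1234/httpd
tcp        0      0 10.0.0.5:80             203.0.113.10:51235      ESTABLISHED 1234/httpd
tcp        0      0 10.0.0.5:80             203.0.113.10:51236      SYN_RECV    -
tcp        0      0 10.0.0.5:80             198.51.100.7:40001      ESTABLISHED 1234/httpd
tcp        0      0 10.0.0.5:22             192.0.2.44:55000        ESTABLISHED 999/sshd
tcp        0      0 10.0.0.5:80             203.0.113.10:51237      TIME_WAIT   -
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/httpd'

# Read netstat output on stdin and print "count ip" lines, highest count first,
# for connections whose LOCAL address is port 80. Requiring the foreign address
# to look like IPv4:port drops the header lines and the "0.0.0.0:*" LISTEN row.
# (Assumes IPv4 only; "::ffff:" mapped addresses would need a different split.)
count_port80_by_ip() {
    awk '$4 ~ /:80$/ && $5 ~ /^[0-9.]+:[0-9]+$/ {
             split($5, a, ":"); n[a[1]]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Read "count ip" lines on stdin and print only the IPs whose count is at or
# above the given threshold. This reports; it deliberately never calls
# iptables, so the list can be reviewed before any address is blocked.
flag_above_threshold() {
    awk -v t="$1" '$1 >= t { print $2 }'
}

# Convenience wrapper over the embedded sample: report "$1" prints the IPs
# with at least $1 connections to port 80. On a live box you would replace
# the printf with:  netstat -plan | count_port80_by_ip | flag_above_threshold N
report() {
    printf '%s\n' "$SAMPLE_NETSTAT" | count_port80_by_ip | flag_above_threshold "$1"
}

# Demo run against the constructed sample.
echo "Connections to :80 per remote IP:"
printf '%s\n' "$SAMPLE_NETSTAT" | count_port80_by_ip
echo "IPs with 3 or more connections:"
report 3
```

On the sample, 203.0.113.10 is counted 4 times (TIME_WAIT rows count too, which is also what the one-liner in the post does) and is the only address reported at threshold 3; the sshd connection and the LISTEN socket are ignored. A threshold is a heuristic: a busy NAT gateway can legitimately hold many connections, which is why the script leaves the blocking decision to the person reading the list.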
 
load average: 454.62, 405.29, 246.37

As I pasted in my topic, there are a number of IPs, which looks like a botnet.

Any tip on that please?
 
Netstat output again:
1 0.0.0.0
1 113.199.174.19
1 114.137.227.91
1 115.147.110.26
1 115.187.40.12
1 115.240.119.183
1 115.75.199.168
1 117.193.97.87
1 117.195.231.53
1 117.240.251.151
1 118.107.241.10
1 119.63.198.18
1 119.63.198.30
1 119.63.198.39
1 119.92.163.220
1 119.95.219.97
1 121.241.165.42
1 121.54.92.114
1 124.13.51.86
1 124.82.21.90
1 125.160.17.33
1 125.161.50.81
1 125.167.23.70
1 125.208.185.50
1 125.212.69.235
1 125.63.73.116
1 166.216.224.12
1 180.183.33.68
1 189.155.55.186
1 189.46.11.102
1 196.202.102.8
1 196.202.210.103
1 196.25.99.6
1 200.25.197.110
1 203.81.163.66
1 212.102.0.101
1 212.118.142.230
1 213.231.133.111
1 216.232.236.175
1 219.64.144.225
1 220.225.238.245
1 222.127.83.37
1 41.233.177.186
1 58.69.147.171
1 58.69.225.228
1 59.178.209.231
1 59.94.191.185
1 59.95.100.247
1 60.48.145.73
1 64.20.55.226
1 64.255.180.83
1 65.60.53.114
1 66.249.71.41
1 68.183.228.247
1 69.79.68.248
1 70.77.165.150
1 71.194.233.113
1 71.83.191.62
1 74.161.1.77
1 74.216.109.168
1 74.220.215.78
1 74.54.218.194
1 75.126.64.100
1 76.105.235.233
1 76.117.7.94
1 76.176.154.34
1 76.177.246.79
1 76.23.31.203
1 76.243.139.171
1 85.102.213.203
1 85.107.87.71
1 85.231.128.31
1 86.35.146.79
1 89.108.78.57
1 91.184.217.179
1 92.229.111.95
1 93.129.125.217
1 93.186.72.161
1 94.96.100.98
1 96.36.28.82
1 98.207.169.216
1 98.238.123.74
2 112.202.153.213
2 114.143.61.50
2 117.194.98.207
2 117.240.251.157
2 117.241.212.40
2 119.73.5.62
2 122.167.84.219
2 122.174.84.214
2 123.19.4.202
2 124.124.44.149
2 190.95.19.46
2 201.88.70.130
2 202.150.63.35
2 202.71.180.226
2 202.79.19.79
2 204.228.226.16
2 212.119.73.227
2 59.181.104.29
2 59.93.247.164
2 59.95.165.86
2 64.229.25.171
2 64.71.190.134
2 65.104.144.2
2 66.50.212.236
2 67.202.12.5
2 67.87.35.217
2 70.32.92.174
2 72.52.250.152
2 77.105.6.137
2 77.191.8.26
2 86.60.41.222
2 88.113.17.182
2 88.220.189.228
2 94.97.24.31
2 94.98.183.40
2 97.123.70.233
2 99.181.97.50
3 110.22.237.47
3 115.74.107.169
3 117.198.97.85
3 118.90.34.106
3 121.58.202.150
3 124.125.172.90
3 124.217.71.254
3 173.17.43.186
3 174.22.197.22
3 188.187.132.97
3 203.84.170.154
3 59.96.99.110
3 60.52.32.189
3 65.40.255.166
3 67.188.105.16
3 70.143.87.254
3 72.30.65.41
3 76.15.212.47
3 94.97.74.125
4 110.36.7.171
4 117.97.74.163
4 119.235.54.101
4 121.1.30.86
4 121.96.138.44
4 125.161.49.107
4 186.58.3.123
4 207.216.148.63
4 217.54.243.190
4 41.209.116.180
4 75.132.25.67
4 75.159.250.184
4 78.0.69.74
4 89.211.68.205
5 112.202.233.252
5 124.191.19.183
5 140.131.84.143
5 174.46.242.117
5 202.184.111.86
5 207.112.36.3
5 60.51.4.233
5 72.130.181.0
5 74.46.241.106
5 81.18.57.181
6 117.194.227.98
6 125.237.244.102
6 188.2.135.175
6 59.97.225.218
6 67.177.72.28
6 79.177.80.94
6 98.117.113.82
7 113.22.188.5
7 190.135.40.23
7 203.30.254.170
7 218.111.16.205
7 58.136.51.175
7 59.178.177.172
7 59.92.85.137
7 70.70.153.144
8 119.155.101.245
8 123.238.83.6
8 124.106.169.64
8 60.51.15.110
8 72.30.142.226
9 202.90.98.50
9 218.111.16.230
9 58.68.8.190
10 112.201.218.67
10 202.42.193.10
10 41.238.142.242
13 41.103.11.62
15 99.163.82.108
16 59.95.30.65
20 75.40.34.190
 
Ok, will have a look

CSF isn't that effective for me atm.

I am still trying my best to get the best tips to get this solved in time..

Any idea on which one is the best for a botnet, so that it checks each header before allowing it?

Server Specs:
Core 2 Duo
4 GB RAM
100 Mbit

Thanks
 
Tweak your csf; there are many config vars you can tweak (300+). If you really need help, you can hire me for an hour to tweak csf and enable modules etc.
 