Status
Not open for further replies.
I don't think any host company would want to host a site that's being DDoSed; that's my first time.

I really hope the sh*t, if any, paid a good amount of money to DDoS a VPS. I can imagine that the money could be spent in a better way than buying a DDoS service, but lol, we have people with no brains on this planet.
 
"when there is no one from support to do it?"

Hosting support can't do much. The ISP nullrouted my VPS IP; it will be auto-unblocked if the DDoS stops after 4-6 hrs, but there's a problem, since it seems the DDoS stops once the server is off or not reachable, then once it's online it starts again.
 
So it seems it's a DDoS against the domain name. We have changed the IP in the NS servers to non-existing IPs, so now the VPS IP doesn't get DDoSed, but we can't use the domain, for now...
 
Stay away from knownsrv and keito0015; who will block it when there is no one from support to do it?

We can block small to medium sized attacks on a VPS, which is much more than any other provider would do for a client, as opposed to only nullrouting a destination IP address.
 
AHA!

What the hell is qha.cc?? Do those IPs DDoS the VPS?

/var/log/messages

Sep 5 04:39:40 hosted named[1479]: client 50.7.182.148#63778: no more recursive clients: quota reached
Sep 5 04:39:44 hosted named[1479]: client 50.7.180.203#42796: no more recursive clients: quota reached
Sep 5 04:39:51 hosted named[1479]: client 50.7.182.148#58579: no more recursive clients: quota reached
Sep 5 04:39:56 hosted named[1479]: client 50.7.182.148#1365: no more recursive clients: quota reached
Sep 5 04:39:59 hosted named[1479]: client 50.7.180.203#34503: no more recursive clients: quota reached
Sep 5 04:40:02 hosted named[1479]: client 50.7.180.203#55253: no more recursive clients: quota reached
Sep 5 04:40:17 hosted named[1479]: client 50.7.182.147#56478: no more recursive clients: quota reached
Sep 5 04:40:18 hosted named[1479]: client 50.7.182.147#63839: no more recursive clients: quota reached
Sep 5 04:40:18 hosted named[1479]: unexpected RCODE (REFUSED) resolving 'qha.cc/ANY/IN': 217.70.177.40#53
Sep 5 00:06:02 hosted named[1479]: client 81.2.194.154#18146: no more recursive clients: quota reached
Sep 5 00:06:23 hosted named[1479]: client 81.2.194.154#3004: no more recursive clients: quota reached
Sep 5 00:06:26 hosted named[1479]: client 81.2.194.154#31181: no more recursive clients: quota reached
Sep 5 00:06:28 hosted named[1479]: client 81.2.194.154#2110: no more recursive clients: quota reached
Sep 5 00:06:31 hosted named[1479]: client 81.2.194.154#28282: no more recursive clients: quota reached
Sep 5 00:06:33 hosted named[1479]: client 81.2.194.154#43216: no more recursive clients: quota reached
Sep 5 00:06:37 hosted named[1479]: client 81.2.194.154#65036: no more recursive clients: quota reached
Sep 5 00:06:40 hosted named[1479]: client 81.2.194.154#37833: no more recursive clients: quota reached
Sep 5 00:06:42 hosted named[1479]: unexpected RCODE (REFUSED) resolving 'qha.cc/ANY/IN': 217.70.177.40#53
Sep 4 23:43:13 hosted named[1479]: unexpected RCODE (REFUSED) resolving 'qha.cc/A/IN': 217.70.177.40#53
Sep 4 23:43:19 hosted named[1479]: client 98.158.196.55#35771: no more recursive clients: quota reached
Sep 4 23:43:22 hosted named[1479]: client 98.158.196.55#16456: no more recursive clients: quota reached
Sep 4 23:43:24 hosted named[1479]: client 98.158.196.55#39362: no more recursive clients: quota reached
Sep 4 23:43:24 hosted named[1479]: client 98.158.196.55#27322: no more recursive clients: quota reached
Sep 4 23:43:25 hosted named[1479]: client 98.158.196.55#27339: no more recursive clients: quota reached
Sep 4 23:43:27 hosted named[1479]: client 98.158.196.55#26218: no more recursive clients: quota reached
Sep 4 23:43:27 hosted named[1479]: client 98.158.196.55#36512: no more recursive clients: quota reached
Sep 4 23:43:28 hosted named[1479]: client 98.158.196.55#48973: no more recursive clients: quota reached
Sep 4 23:43:29 hosted named[1479]: client 98.158.196.55#36542: no more recursive clients: quota reached
Sep 4 23:43:30 hosted named[1479]: client 98.158.196.55#33303: no more recursive clients: quota reached
 
I am online, no nullroute, as the DDoS was against the domain; I changed the nameserver IP to point to a false IP, not my original VPS IP, so now it's good. So what about blocking port 53?
 
Okay, so what now??

How can I block the whole anonsc.com thing??

12:20:04.077654 IP 70.42.74.6.34892 > SERVER_IP.domain: 50032+ [1au] ANY? anonsc.com. (39)
12:20:04.077974 IP 98.247.26.97.26435 > SERVER_IP.domain: 27690+ [1au] ANY? anonsc.com. (39)
12:20:04.130103 IP 24.0.197.47.11858 > SERVER_IP.domain: 34704+ [1au] ANY? anonsc.com. (39)
12:20:04.132698 IP 70.42.74.6.54053 > SERVER_IP.domain: 7152+ [1au] ANY? anonsc.com. (39)
12:20:04.147091 IP 70.42.74.6.28713 > SERVER_IP.domain: 34470+ [1au] ANY? anonsc.com. (39)
12:20:04.179792 IP 24.0.197.47.61909 > SERVER_IP.domain: 1426+ [1au] ANY? anonsc.com. (39)
12:20:04.290341 IP 70.42.74.6.65385 > SERVER_IP.domain: 24818+ [1au] ANY? anonsc.com. (39)
12:20:04.291292 IP 70.42.74.6.34608 > SERVER_IP.domain: 15632+ [1au] ANY? anonsc.com. (39)
12:20:04.298682 IP 70.42.74.6.5760 > SERVER_IP.domain: 60184+ [1au] ANY? anonsc.com. (39)
12:20:04.307632 IP 98.247.26.97.8101 > SERVER_IP.domain: 30734+ [1au] ANY? anonsc.com. (39)
12:20:04.342588 IP 98.247.26.97.9743 > SERVER_IP.domain: 45290+ [1au] ANY? anonsc.com. (39)
12:20:04.480128 IP 98.247.26.97.44544 > SERVER_IP.domain: 44396+ [1au] ANY? anonsc.com. (39)
12:20:04.717342 IP 24.0.197.47.46291 > SERVER_IP.domain: 42316+ [1au] ANY? anonsc.com. (39)
12:20:04.723512 IP 24.0.197.47.50114 > SERVER_IP.domain: 63588+ [1au] ANY? anonsc.com. (39)
12:20:04.768361 IP 70.42.74.6.12584 > SERVER_IP.domain: 2786+ [1au] ANY? anonsc.com. (39)
12:20:04.771870 IP 70.42.74.6.56370 > SERVER_IP.domain: 53752+ [1au] ANY? anonsc.com. (39)
12:20:04.772143 IP 70.42.74.6.8933 > SERVER_IP.domain: 59158+ [1au] ANY? anonsc.com. (39)
12:20:04.828781 IP 98.247.26.97.22758 > SERVER_IP.domain: 42422+ [1au] ANY? anonsc.com. (39)
12:20:04.882267 IP 24.0.197.47.47484 > SERVER_IP.domain: 32712+ [1au] ANY? anonsc.com. (39)
12:20:04.999185 IP 70.42.74.6.64324 > SERVER_IP.domain: 15406+ [1au] ANY? anonsc.com. (39)
12:20:05.078169 IP 70.42.74.6.63323 > SERVER_IP.domain: 21464+ [1au] ANY? anonsc.com. (39)
12:20:05.240673 IP 98.247.26.97.43817 > SERVER_IP.domain: 41582+ [1au] ANY? anonsc.com. (39)
12:20:05.318407 IP 70.42.74.6.38759 > SERVER_IP.domain: 53372+ [1au] ANY? anonsc.com. (39)
12:20:05.318710 IP 70.42.74.6.18556 > SERVER_IP.domain: 32558+ [1au] ANY? anonsc.com. (39)
12:20:05.767678 IP 70.42.74.6.56097 > SERVER_IP.domain: 35026+ [1au] ANY? anonsc.com. (39)
12:20:05.767825 IP 70.42.74.6.22977 > SERVER_IP.domain: 62040+ [1au] ANY? anonsc.com. (39)
12:20:05.768079 IP 70.42.74.6.61877 > SERVER_IP.domain: 20846+ [1au] ANY? anonsc.com. (39)
12:20:05.920332 IP 70.42.74.6.40384 > SERVER_IP.domain: 46418+ [1au] ANY? anonsc.com. (39)
12:20:05.977361 IP 70.42.74.6.7259 > SERVER_IP.domain: 57550+ [1au] ANY? anonsc.com. (39)
12:20:05.977655 IP 70.42.74.6.39132 > SERVER_IP.domain: 26738+ [1au] ANY? anonsc.com. (39)
12:20:05.978117 IP 70.42.74.6.44650 > SERVER_IP.domain: 62442+ [1au] ANY? anonsc.com. (39)
12:20:05.980383 IP 70.42.74.6.28070 > SERVER_IP.domain: 48428+ [1au] ANY? anonsc.com. (39)
12:20:06.042466 IP 70.42.74.6.7407 > SERVER_IP.domain: 40030+ [1au] ANY? anonsc.com. (39)
12:20:06.042885 IP 70.42.74.6.28819 > SERVER_IP.domain: 60778+ [1au] ANY? anonsc.com. (39)
12:20:06.043542 IP 70.42.74.6.travsoft-ipx-t > SERVER_IP.domain: 59726+ [1au] ANY? anonsc.com. (39)
12:20:06.047155 IP 70.42.74.6.37987 > SERVER_IP.domain: 33874+ [1au] ANY? anonsc.com. (39)
 
Okay, so finally we found a way to beat them, sh*t DDoSers (for us it was a 2-day hard fight!).

Also installed some firewalls...

If you have those problems, just do this (our little 2-line code):

# -l makes tcpdump line-buffer its output when piped, otherwise ddos.log stays empty until the buffer fills;
# grep needs --line-buffered for the same reason.
tcpdump -l -n udp dst port 53 | grep --line-buffered ANY > ddos.log

# $3 is the source "addr.port" field; cut -d. -f-4 drops the port, uniq -c | sort -n ranks sources by query count
awk '{print $3}' ddos.log | cut -d: -f1 | cut -d. -f-4 | sort | uniq -c | sort -n

For us it was (those IPs heavily loaded DNS stuff on port 53, probably flood, DDoS etc.):
347 109.131.217.16
690 98.247.26.97
696 98.102.13.82
709 217.23.11.166
714 178.18.84.225
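The same aggregation as the two-line pipeline above, written out as a small Python analysis so it can be run over a saved capture and extended. This is an added example, not the poster's code: it parses the tcpdump line shape pasted in this thread, ranks sources by query count like `uniq -c | sort -n`, reports the share of ANY queries (the amplification signature seen here) and the observed query rate, flags sources above a threshold, and also counts the `no more recursive clients` clients from the `/var/log/messages` excerpt. The sample lines are constructed from the shapes shown in the thread, and the `min_any_queries` threshold and the regexes are assumptions of this example, not anything the poster used.

```python
import re
from collections import Counter

# Line shape of "tcpdump -n udp dst port 53" output as pasted in the thread:
# 12:20:04.077654 IP 70.42.74.6.34892 > SERVER_IP.domain: 50032+ [1au] ANY? anonsc.com. (39)
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\S+ > "
    r"\S+: \d+\+? (?:\[[^\]]+\] )?(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \(\d+\)$"
)

# Line shape of the BIND messages in /var/log/messages shown in the thread
NAMED_QUOTA_RE = re.compile(
    r"named\[\d+\]: client (?P<client>\d+\.\d+\.\d+\.\d+)#\d+: no more recursive clients"
)


def _seconds(ts):
    """Convert an HH:MM:SS.ffffff timestamp into seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def summarize_dns_capture(lines, min_any_queries=3):
    """Aggregate tcpdump lines by source address and query name.

    Returns per-source totals, per-(qname, qtype) totals, the share of ANY
    queries, the observed query rate, and the sources that sent at least
    min_any_queries ANY queries (threshold is an assumption of this example).
    """
    per_src = Counter()
    any_per_src = Counter()
    per_query = Counter()
    timestamps = []
    for line in lines:
        m = TCPDUMP_RE.match(line.strip())
        if not m:
            continue  # not a DNS query line in the expected format
        per_src[m["src"]] += 1
        per_query[(m["qname"], m["qtype"])] += 1
        if m["qtype"] == "ANY":
            any_per_src[m["src"]] += 1
        timestamps.append(_seconds(m["ts"]))
    total = sum(per_src.values())
    span = (max(timestamps) - min(timestamps)) if len(timestamps) > 1 else 0.0
    return {
        "total": total,
        "per_source": dict(per_src),
        "per_query": dict(per_query),
        "any_fraction": (sum(any_per_src.values()) / total) if total else 0.0,
        "queries_per_second": (total / span) if span > 0 else float(total),
        "flagged_sources": sorted(
            src for src, n in any_per_src.items() if n >= min_any_queries
        ),
    }


def summarize_named_quota(lines):
    """Count, per client address, the 'no more recursive clients' events."""
    clients = Counter()
    for line in lines:
        m = NAMED_QUOTA_RE.search(line)
        if m:
            clients[m["client"]] += 1
    return dict(clients)


# Constructed sample input modelled on the thread's pastes (not a real capture).
SAMPLE_TCPDUMP = """\
12:20:04.077654 IP 70.42.74.6.34892 > SERVER_IP.domain: 50032+ [1au] ANY? anonsc.com. (39)
12:20:04.077974 IP 98.247.26.97.26435 > SERVER_IP.domain: 27690+ [1au] ANY? anonsc.com. (39)
12:20:04.130103 IP 24.0.197.47.11858 > SERVER_IP.domain: 34704+ A? example.com. (29)
12:20:04.132698 IP 70.42.74.6.54053 > SERVER_IP.domain: 7152+ [1au] ANY? anonsc.com. (39)
12:20:05.318407 IP 70.42.74.6.38759 > SERVER_IP.domain: 53372+ [1au] ANY? anonsc.com. (39)
12:20:06.043542 IP 70.42.74.6.travsoft-ipx-t > SERVER_IP.domain: 59726+ [1au] ANY? anonsc.com. (39)
12:20:06.047155 IP 70.42.74.6.37987 > SERVER_IP.domain: 33874+ [1au] ANY? qha.cc. (35)
some unrelated tcpdump line that should be ignored
""".splitlines()

SAMPLE_NAMED = """\
Sep 5 00:06:02 hosted named[1479]: client 81.2.194.154#18146: no more recursive clients: quota reached
Sep 5 00:06:23 hosted named[1479]: client 81.2.194.154#3004: no more recursive clients: quota reached
Sep 5 00:06:42 hosted named[1479]: unexpected RCODE (REFUSED) resolving 'qha.cc/ANY/IN': 217.70.177.40#53
Sep 4 23:43:19 hosted named[1479]: client 98.158.196.55#35771: no more recursive clients: quota reached
""".splitlines()

if __name__ == "__main__":
    report = summarize_dns_capture(SAMPLE_TCPDUMP)
    for src, n in sorted(report["per_source"].items(), key=lambda kv: kv[1]):
        print(f"{n:>6} {src}")  # same shape as the thread's "uniq -c | sort -n" output
    print("ANY share:", round(report["any_fraction"], 2), "qps:", round(report["queries_per_second"], 2))
    print("flagged:", report["flagged_sources"])
    print("named quota hits:", summarize_named_quota(SAMPLE_NAMED))
```

Run it against a real `ddos.log` with `summarize_dns_capture(open("ddos.log"))`. The useful signal is not the raw count alone but the combination: one query name, almost all ANY, from a handful of sources, which is what a reflector sees when it is being used against someone else's address.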
 
You were being hit by ion cannon/slowloris... All you needed to do was get the Apache module for slowloris or nginx.

@mizaco yes, iptables "firewall based rules" to accept only localhost for IN/OUT, deny all others.

@Loonycgb2 are you sure this was ion cannon/slowloris? It was an attack on port 53, and it was because I had installed BIND (named), which listens on port 53, which was open like billions of other servers have it. Once the attacker finds your server's port 53 open, he can use it to make a DDoS; you will be part of one HUGE DDoS against another site - refer to DNS Amplified DDoS Attack.

Seems like after one week, if you keep the port closed to the public, you stop being part of the DDoS game and they leave your IP, as they can't use it any more :)
 
Install CSF and make rules for your IP connection, add your IP to the whitelist; also you can detect any DDoS connection and block it all with CSF.
 
It indeed looks like your DNS was used as a "zombie" to generate a DNS amplification attack. Rather than using iptables to block access to port 53 from external IPs, you should just configure your bind9 server correctly to allow recursion from localhost only, see: HOWTO Prevent an Open DNS. Also, if you don't use your own name servers, you could as well disable bind9 altogether.
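To make the "recursion from localhost only" advice concrete, here is an added example (not from the thread or from the BIND project) showing an open-resolver `options` block next to a restricted one and an authoritative-only one, with a small checker that classifies each. The configuration fragments are constructed in BIND 9 syntax; `localhost` and `localnets` are BIND's built-in ACLs. The checker is deliberately simple (it ignores comments, `include` files and per-`view` settings) and its treatment of a missing `allow-recursion` as open is an assumption made so the check is conservative: recent BIND releases default it to local networks, older ones answered anyone, so the safe course is to state it explicitly.

```python
import re

# Constructed named.conf "options" fragments (BIND 9 syntax assumed; these are
# not the thread poster's actual configuration).
OPEN_RESOLVER_OPTIONS = """
options {
    directory "/var/named";
    recursion yes;
    allow-query { any; };        // answers anyone, recursive lookups included
};
"""

HARDENED_RESOLVER_OPTIONS = """
options {
    directory "/var/named";
    recursion yes;
    allow-query { any; };                          // authoritative zones stay public
    allow-recursion { localhost; localnets; };     // recursion only for local clients
    allow-query-cache { localhost; localnets; };   // cached answers only for local clients
};
"""

AUTHORITATIVE_ONLY_OPTIONS = """
options {
    directory "/var/named";
    recursion no;               // no recursion at all: nothing to amplify with
    allow-query { any; };
};
"""

_RECURSION_RE = re.compile(r"\brecursion\s+(yes|no)\s*;")
_ACL_TEMPLATE = r"\b{name}\s*\{{([^}}]*)\}}\s*;"

# Address-match tokens that make an ACL world-readable.
_WIDE_OPEN = {"any", "0.0.0.0/0", "::/0"}


def _acl(conf_text, name):
    """Return the address list of `name { ...; };` as a list, or None if absent."""
    m = re.search(_ACL_TEMPLATE.format(name=re.escape(name)), conf_text)
    if not m:
        return None
    return [tok.strip() for tok in m.group(1).split(";") if tok.strip()]


def resolver_exposure(conf_text):
    """Classify a named.conf options block for open-resolver exposure.

    Simplified check (assumption of this example): ignores comments, includes
    and views. A server is reported as an open resolver when recursion is on
    and allow-recursion is absent or contains a wide-open match.
    """
    m = _RECURSION_RE.search(conf_text)
    recursion = (m.group(1) == "yes") if m else True  # BIND default is "recursion yes"
    allow_recursion = _acl(conf_text, "allow-recursion")
    if not recursion:
        status = "authoritative-only"
    elif allow_recursion is None or _WIDE_OPEN & set(allow_recursion):
        status = "open-resolver"
    else:
        status = "restricted-recursion"
    return {
        "recursion": recursion,
        "allow_recursion": allow_recursion,
        "open_resolver": status == "open-resolver",
        "status": status,
    }


if __name__ == "__main__":
    for label, conf in [("open", OPEN_RESOLVER_OPTIONS),
                        ("hardened", HARDENED_RESOLVER_OPTIONS),
                        ("authoritative-only", AUTHORITATIVE_ONLY_OPTIONS)]:
        print(f"{label:>18}: {resolver_exposure(conf)['status']}")
```

After editing `named.conf`, the practical check is the same one the thread's poster stumbled into from the wrong side: a recursive query for a name you are not authoritative for, sent from an outside address, should come back REFUSED rather than answered, and the `no more recursive clients` lines should stop appearing in the log.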
 