My server is DDoSed by TurkTelekom

Status
Not open for further replies.

ACiD_CORE

When I do netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk 1

there are tons of IPs like this; some of them go to a connection count above 60!

It's TurkTelekom.

How to block it?

Code:
     10 46.196.202.150
     10 78.162.150.28
     10 78.172.180.188
     10 85.105.253.111
     10 88.247.41.183
     10 88.247.45.166
     10 88.252.101.179
     11 78.189.219.197
     11 88.247.227.224
     12 88.235.132.213
     12 88.243.201.49
     13 85.100.195.146
     13 88.230.178.122
     13 88.233.63.25
 
@l0calh0st
Someone may lease TurkTelekom servers to DDoS him.
Anyone can DDoS from any part of the world using any ISP server or bots.

---------- Post added at 09:09 AM ---------- Previous post was at 09:06 AM ----------

@ACiD_CORE CSF doesn't eat much memory.
If you want you can set
CT_INTERVAL = "60"
This way CSF will check your server every 60 seconds (aka 1 min) and use fewer resources.
 
Cloudflare sucks for some kinds of sites, especially if you have great traffic,
e.g. Cloudflare couldn't support lulzimg.
Also there is the DNS hassle, and I think CSF is a better choice here (free and efficient).
 
I did it all but it won't block anything.

I still see in netstat:

Code:
     10 46.1.36.102
     10 78.161.85.244
     10 78.184.136.142
     10 88.251.78.194
     10 95.9.246.247
     11 212.253.249.60
     11 46.197.146.54
     11 78.178.172.81
     11 78.179.79.56
     11 85.99.128.204
     11 88.252.101.179
     11 95.10.41.160
     11 95.9.255.28
     13 178.233.45.249
     15 188.3.165.7
     15 78.186.164.125
     23 88.235.132.213
     27 85.105.98.41
 
What did I tell you above?
CT_LIMIT = "40"
will block any IP with more than 40 connections.
You see the maximum is now 27; it was more than 60 before.

According to me you are safe now; 27 connections isn't DDoS.
 
If 200 IPs from Turk connect 27 times at once, then what's that called??
Well then it's DDoS. You can block it with CSF, but can you just show me the different IPs with 27+ connections?
Then I can show you how to block that range of IPs with CSF.
 
The main problem is that some of them have only 1 connection, but it's from TurkTelekom...

It rotates every 1 sec.

Code:
      1 78.100.198.199
      1 78.164.46.204
      1 78.186.136.179
      1 84.227.225.87
      1 85.105.125.119
      1 85.107.93.85
      1 88.250.127.94
      1 94.153.227.106
      1 94.99.144.205
      1 95.14.122.186
      2 41.235.16.179
      3 1.202.86.25
      3 124.120.100.22
      6 101.210.56.81
     10 88.254.44.31
     40 24.133.73.112
     44 78.191.231.129
 
Well, you can try these two commands:
csf -d 78.191.231.129
and
csf -d 24.133.73.112

Refer to the tutorial below to ban IP ranges (you might use any of them; use the one that you see fits best with the IP ranges).
Quick Deny Red block type in:
To deny IP Range: 12.345.678.xxx use: 12.345.678.0/16
To deny IP Range: 12.345.xxx.xxx use: 12.345.0.0/16
To deny IP Range: 12.xxx.xxx.xxx use: 12.0.0.0/16
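
Added example, not part of any post in this thread: when each address stays under the per-IP CT_LIMIT, summing the netstat counts per network shows whether a range deny is warranted and gives the covering CIDR. In CIDR notation a /24 fixes the first three octets, a /16 the first two and a /8 only the first. The function names and the sample subset are assumptions of this example.

```shell
#!/bin/sh
# Added example. Input: "count ip" lines as printed by the netstat | uniq -c
# pipeline in the first post. Sums connections per network and prints the
# networks whose total reaches a threshold, as "total hosts cidr".

# sum_by_prefix PREFIX_LEN THRESHOLD   (PREFIX_LEN is 8, 16 or 24)
sum_by_prefix() {
    awk -v len="$1" -v min="$2" '
        # Accept only "count a.b.c.d" lines whose octets are 0-255.
        $1 ~ /^[0-9]+$/ && split($2, o, ".") == 4 {
            ok = 1
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] > 255) ok = 0
            if (!ok) next
            if (len == 8)       net = o[1] ".0.0.0/8"
            else if (len == 16) net = o[1] "." o[2] ".0.0/16"
            else                net = o[1] "." o[2] "." o[3] ".0/24"
            total[net] += $1      # connections seen from this network
            hosts[net]++          # distinct source addresses in it
        }
        END {
            for (n in total)
                if (total[n] >= min)
                    printf "%d %d %s\n", total[n], hosts[n], n
        }' | sort -k1,1nr -k3,3
}

# Constructed sample: a subset of the counts posted in this thread.
sample_counts() {
    cat <<'EOF'
     10 88.247.41.183
     10 88.247.45.166
     11 88.247.227.224
     12 88.235.132.213
     13 88.230.178.122
     11 78.189.219.197
     10 78.162.150.28
EOF
}

# Networks at /16 granularity carrying 20 or more connections in total.
sample_counts | sum_by_prefix 16 20
```

Review the host count before passing a range to csf -d: a /16 deny covers 65,536 addresses and a /8 over 16 million, so legitimate visitors on the same ISP are blocked as well.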
 