Solved

dos attack  please help

Posted on 2013-10-29
8
270 Views
Last Modified: 2013-12-05
hello

I have have a dos attack on one of my site I think it is not difficult to stop this ddos attack kind
but really I don't know how to do that
I have attached the domlogs for that dos attack trace
I hope you help me to resolve this problem ?
please don't tell me to just block that Ip because he can attack me from an other IP
thank you
105.157.21.4 - - [29/Oct/2013:17:42:49 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:49 +0000] "GET / HTTP/1.0" 200 102448 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:49 +0000] "GET / HTTP/1.0" 200 102460 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:50 +0000] "GET / HTTP/1.0" 200 102448 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:49 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:49 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:50 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102452 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:49 +0000] "GET / HTTP/1.0" 200 102452 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:50 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102452 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:50 +0000] "GET / HTTP/1.0" 200 102448 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102448 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:50 +0000] "GET / HTTP/1.0" 200 102452 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102448 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102452 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:52 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102452 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:52 +0000] "GET / HTTP/1.0" 200 102460 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:52 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:52 +0000] "GET / HTTP/1.0" 200 102452 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102460 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:52 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102460 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102452 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102460 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102460 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:52 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:52 +0000] "GET / HTTP/1.0" 200 102460 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:52 +0000] "GET / HTTP/1.0" 200 102460 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:52 +0000] "GET / HTTP/1.0" 200 102452 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:53 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:52 +0000] "GET / HTTP/1.0" 200 102452 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:52 +0000] "GET / HTTP/1.0" 200 102452 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:53 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:55 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:53 +0000] "GET / HTTP/1.0" 200 102452 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:52 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:52 +0000] "GET / HTTP/1.0" 200 102448 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:55 +0000] "GET / HTTP/1.0" 200 102460 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:53 +0000] "GET / HTTP/1.0" 200 102452 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:53 +0000] "GET / HTTP/1.0" 200 102448 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:53 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:52 +0000] "GET / HTTP/1.0" 200 102460 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:56 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"

Open in new window

0
Comment
Question by:xserverx
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 23

Expert Comment

by:savone
Comment Utility
You HAVE to block the IP and YES, he/she can attack you from another IP, then block that one.

Also, the logs do not show a ddos attack since the first d stands for distributed.  

Block the IP and see what happens....

iptables -I INPUT -p tcp -s 105.157.21.4 -j DROP

Good luck.
0
 
LVL 26

Expert Comment

by:pony10us
Comment Utility
This looks more like a port scan.
0
 

Author Comment

by:xserverx
Comment Utility
yes I have blocked that Ip and everything ok
how to stop this kind of dos attack ?
0
 
LVL 23

Expert Comment

by:savone
Comment Utility
You stop it by blocking the IP address.
0
6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

 
LVL 25

Assisted Solution

by:madunix
madunix earned 333 total points
Comment Utility
For blocking threats for your webserver, you can use IPTABLE rules within your web service environment. But there is no specific recommendation to use IPTABLES for reported problem. I'd also like to add that for network level attacks like SYN flood, UDP flood, ICMP flood and SMURF attacks, having googd firewall is extremely important.

You can also configure more restrictive access on the server itself by having deploying tools like PSAD and fwsnort with firewall policy generated by APF. I'd advice to not to enable auto-respond in psad and fwsnort while you are starting with them on production server. It would be nice to monitor and understand how each of these component works and what all can be blocked by them.

Advanced Policy Firewall : http://www.rfxn.com/projects/advanced-policy-firewall/
PSAD : http://cipherdyne.org/psad/
fwsnort : http://cipherdyne.org/fwsnort/

There is no guaranteed solution of DDOS/DOS as different kind of attacks are evolving all the time. So it is essential to collect logs of various services on server and analyse them carefully at periodic time.

Check http://hakin9.org/is-ddos-still-a-threat/
I think it's wise to look at dedicated appliances such as cisco, fortinet or juniper which are made to detect and defend. Try with http://www.fortinet.com/products/fortiddos/index.html
0
 

Author Comment

by:xserverx
Comment Utility
Thank you for your reply

I hope you just understand my problem

this attacker trying to open the index page 2 time per second this make the server high load and reach MaxClient
I don't know if there is a solution that can limit accessing to the same page per second per ip ?
I just need solution look like that

thank you
0
 
LVL 23

Assisted Solution

by:savone
savone earned 167 total points
Comment Utility
You might want to take a look at this software:

http://www.fail2ban.org/wiki/index.php/Main_Page

You can set a limit and if someone goes over that limit you can ban them with iptables automatically.
0
 
LVL 25

Accepted Solution

by:
madunix earned 333 total points
Comment Utility
As said Fail2Ban is typically used for blocking users that are doing bad things (eg: brute-forcing, trying to relay through mail server, etc).  It does this by watching log files that admin specify, and keeping track of how many times an IP shows up with a specific error message.  Once that becomes too many, it creates an IP-tables rule (or performs some other blocking action).  Then (optionally) removes the block after a period of time.  

For iptables,  you could implement the following IPTAPLES to limit the IP connection
IPT=/sbin/iptables
# Max connection in seconds
SECONDS=100
 # Max connections per IP
BLOCKCOUNT=10
# default action can be DROP or REJECT
DACTION="DROP"
$IPT -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
$IPT -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds ${SECONDS} --hitcount ${BLOCKCOUNT} -j ${DACTION}
# .... # ..

The above would block all connections once it receives 10 connections within 100 seconds.
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Cybersecurity has become the buzzword of recent years and years to come. The inventions of cloud infrastructure and the Internet of Things has made us question our online safety. Let us explore how cloud- enabled cybersecurity can help us with our b…
Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now