?
Solved

dos attack  please help

Posted on 2013-10-29
8
Medium Priority
?
282 Views
Last Modified: 2013-12-05
hello

I have have a dos attack on one of my site I think it is not difficult to stop this ddos attack kind
but really I don't know how to do that
I have attached the domlogs for that dos attack trace
I hope you help me to resolve this problem ?
please don't tell me to just block that Ip because he can attack me from an other IP
thank you
105.157.21.4 - - [29/Oct/2013:17:42:49 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:49 +0000] "GET / HTTP/1.0" 200 102448 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:49 +0000] "GET / HTTP/1.0" 200 102460 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:50 +0000] "GET / HTTP/1.0" 200 102448 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:49 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:49 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:50 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102452 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:49 +0000] "GET / HTTP/1.0" 200 102452 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:50 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102452 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:50 +0000] "GET / HTTP/1.0" 200 102448 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102448 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:50 +0000] "GET / HTTP/1.0" 200 102452 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102448 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102452 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:52 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102452 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:52 +0000] "GET / HTTP/1.0" 200 102460 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:52 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:52 +0000] "GET / HTTP/1.0" 200 102452 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102460 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:52 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102460 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102452 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102460 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102460 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:52 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:52 +0000] "GET / HTTP/1.0" 200 102460 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:52 +0000] "GET / HTTP/1.0" 200 102460 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:52 +0000] "GET / HTTP/1.0" 200 102452 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:53 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:52 +0000] "GET / HTTP/1.0" 200 102452 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:52 +0000] "GET / HTTP/1.0" 200 102452 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:53 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:55 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:53 +0000] "GET / HTTP/1.0" 200 102452 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:52 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:52 +0000] "GET / HTTP/1.0" 200 102448 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:55 +0000] "GET / HTTP/1.0" 200 102460 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:53 +0000] "GET / HTTP/1.0" 200 102452 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:53 +0000] "GET / HTTP/1.0" 200 102448 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:53 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:52 +0000] "GET / HTTP/1.0" 200 102460 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:56 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"

Open in new window

0
Comment
Question by:xserverx
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 23

Expert Comment

by:savone
ID: 39609816
You HAVE to block the IP and YES, he/she can attack you from another IP, then block that one.

Also, the logs do not show a ddos attack since the first d stands for distributed.  

Block the IP and see what happens....

iptables -I INPUT -p tcp -s 105.157.21.4 -j DROP

Good luck.
0
 
LVL 26

Expert Comment

by:pony10us
ID: 39609824
This looks more like a port scan.
0
 

Author Comment

by:xserverx
ID: 39609866
yes I have blocked that Ip and everything ok
how to stop this kind of dos attack ?
0
Cyber Threats to Small Businesses (Part 2)

The evolving cybersecurity landscape presents SMBs with a host of new threats to their clients, their data, and their bottom line. In part 2 of this blog series, learn three quick processes Webroot’s CISO, Gary Hayslip, recommends to help small businesses beat modern threats.

 
LVL 23

Expert Comment

by:savone
ID: 39610021
You stop it by blocking the IP address.
0
 
LVL 25

Assisted Solution

by:madunix
madunix earned 1332 total points
ID: 39610803
For blocking threats for your webserver, you can use IPTABLE rules within your web service environment. But there is no specific recommendation to use IPTABLES for reported problem. I'd also like to add that for network level attacks like SYN flood, UDP flood, ICMP flood and SMURF attacks, having googd firewall is extremely important.

You can also configure more restrictive access on the server itself by having deploying tools like PSAD and fwsnort with firewall policy generated by APF. I'd advice to not to enable auto-respond in psad and fwsnort while you are starting with them on production server. It would be nice to monitor and understand how each of these component works and what all can be blocked by them.

Advanced Policy Firewall : http://www.rfxn.com/projects/advanced-policy-firewall/
PSAD : http://cipherdyne.org/psad/
fwsnort : http://cipherdyne.org/fwsnort/

There is no guaranteed solution of DDOS/DOS as different kind of attacks are evolving all the time. So it is essential to collect logs of various services on server and analyse them carefully at periodic time.

Check http://hakin9.org/is-ddos-still-a-threat/
I think it's wise to look at dedicated appliances such as cisco, fortinet or juniper which are made to detect and defend. Try with http://www.fortinet.com/products/fortiddos/index.html
0
 

Author Comment

by:xserverx
ID: 39613377
Thank you for your reply

I hope you just understand my problem

this attacker trying to open the index page 2 time per second this make the server high load and reach MaxClient
I don't know if there is a solution that can limit accessing to the same page per second per ip ?
I just need solution look like that

thank you
0
 
LVL 23

Assisted Solution

by:savone
savone earned 668 total points
ID: 39613696
You might want to take a look at this software:

http://www.fail2ban.org/wiki/index.php/Main_Page

You can set a limit and if someone goes over that limit you can ban them with iptables automatically.
0
 
LVL 25

Accepted Solution

by:
madunix earned 1332 total points
ID: 39615189
As said Fail2Ban is typically used for blocking users that are doing bad things (eg: brute-forcing, trying to relay through mail server, etc).  It does this by watching log files that admin specify, and keeping track of how many times an IP shows up with a specific error message.  Once that becomes too many, it creates an IP-tables rule (or performs some other blocking action).  Then (optionally) removes the block after a period of time.  

For iptables,  you could implement the following IPTAPLES to limit the IP connection
IPT=/sbin/iptables
# Max connection in seconds
SECONDS=100
 # Max connections per IP
BLOCKCOUNT=10
# default action can be DROP or REJECT
DACTION="DROP"
$IPT -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
$IPT -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds ${SECONDS} --hitcount ${BLOCKCOUNT} -j ${DACTION}
# .... # ..

The above would block all connections once it receives 10 connections within 100 seconds.
0

Featured Post

A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A new hacking trick has emerged leveraging your own helpdesk or support ticketing tools as an easy way to distribute malware.
Often times it's very very easy to extend a volume on a Linux instance in AWS, but impossible to shrink it. I wanted to contribute to the experts-exchange community a way of providing a procedure that works on an AWS instance. It can also be used on…
Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.
Suggested Courses

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question