Solved

DoS attack, please help

Posted on 2013-10-29
8
277 Views
Last Modified: 2013-12-05
hello

I have a DoS attack on one of my sites. I think it is not difficult to stop this kind of DDoS attack,
but really I don't know how to do that.
I have attached the domlogs for that DoS attack trace.
I hope you can help me to resolve this problem.
Please don't tell me to just block that IP, because he can attack me from another IP.
thank you
105.157.21.4 - - [29/Oct/2013:17:42:49 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:49 +0000] "GET / HTTP/1.0" 200 102448 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:49 +0000] "GET / HTTP/1.0" 200 102460 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:50 +0000] "GET / HTTP/1.0" 200 102448 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:49 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:49 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:50 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102452 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:49 +0000] "GET / HTTP/1.0" 200 102452 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:50 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102452 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:50 +0000] "GET / HTTP/1.0" 200 102448 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102448 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:50 +0000] "GET / HTTP/1.0" 200 102452 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102448 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102452 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:52 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102452 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:52 +0000] "GET / HTTP/1.0" 200 102460 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:52 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:52 +0000] "GET / HTTP/1.0" 200 102452 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102460 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:52 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102460 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102452 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102460 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102460 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:52 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:52 +0000] "GET / HTTP/1.0" 200 102460 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:52 +0000] "GET / HTTP/1.0" 200 102460 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:52 +0000] "GET / HTTP/1.0" 200 102452 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:53 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:52 +0000] "GET / HTTP/1.0" 200 102452 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:52 +0000] "GET / HTTP/1.0" 200 102452 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:53 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:55 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:53 +0000] "GET / HTTP/1.0" 200 102452 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:52 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:52 +0000] "GET / HTTP/1.0" 200 102448 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:55 +0000] "GET / HTTP/1.0" 200 102460 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:53 +0000] "GET / HTTP/1.0" 200 102452 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:53 +0000] "GET / HTTP/1.0" 200 102448 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:53 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:52 +0000] "GET / HTTP/1.0" 200 102460 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:56 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"


0
Question by:xserverx
8 Comments
 
LVL 23

Expert Comment

by:savone
ID: 39609816
You HAVE to block the IP and YES, he/she can attack you from another IP, then block that one.

Also, the logs do not show a ddos attack since the first d stands for distributed.  

Block the IP and see what happens....

iptables -I INPUT -p tcp -s 105.157.21.4 -j DROP

Good luck.
0
 
LVL 26

Expert Comment

by:pony10us
ID: 39609824
This looks more like a port scan.
0
 

Author Comment

by:xserverx
ID: 39609866
yes, I have blocked that IP and everything is ok
how to stop this kind of DoS attack?
0
 
LVL 23

Expert Comment

by:savone
ID: 39610021
You stop it by blocking the IP address.
0
 
LVL 25

Assisted Solution

by:madunix
madunix earned 333 total points
ID: 39610803
For blocking threats to your webserver, you can use IPTABLES rules within your web service environment. But there is no specific recommendation to use IPTABLES for the reported problem. I'd also like to add that for network-level attacks like SYN flood, UDP flood, ICMP flood and SMURF attacks, having a good firewall is extremely important.

You can also configure more restrictive access on the server itself by deploying tools like PSAD and fwsnort with a firewall policy generated by APF. I'd advise not to enable auto-respond in psad and fwsnort while you are starting with them on a production server. It would be nice to monitor and understand how each of these components works and what can be blocked by them.

Advanced Policy Firewall : http://www.rfxn.com/projects/advanced-policy-firewall/
PSAD : http://cipherdyne.org/psad/
fwsnort : http://cipherdyne.org/fwsnort/

There is no guaranteed solution for DDoS/DoS, as different kinds of attacks are evolving all the time. So it is essential to collect logs of the various services on the server and analyse them carefully periodically.

Check http://hakin9.org/is-ddos-still-a-threat/
I think it's wise to look at dedicated appliances such as Cisco, Fortinet or Juniper, which are made to detect and defend. Try with http://www.fortinet.com/products/fortiddos/index.html
0
 

Author Comment

by:xserverx
ID: 39613377
Thank you for your reply

I hope you understand my problem

this attacker is trying to open the index page 2 times per second; this makes the server load high and reach MaxClient
I don't know if there is a solution that can limit access to the same page per second per IP?
I just need a solution like that

thank you
0
 
LVL 23

Assisted Solution

by:savone
savone earned 167 total points
ID: 39613696
You might want to take a look at this software:

http://www.fail2ban.org/wiki/index.php/Main_Page

You can set a limit and if someone goes over that limit you can ban them with iptables automatically.
0
 
LVL 25

Accepted Solution

by:madunix
madunix earned 333 total points
ID: 39615189
As said, Fail2Ban is typically used for blocking users that are doing bad things (e.g. brute-forcing, trying to relay through a mail server, etc.). It does this by watching log files that the admin specifies, and keeping track of how many times an IP shows up with a specific error message. Once that becomes too many, it creates an iptables rule (or performs some other blocking action). Then (optionally) it removes the block after a period of time.

For iptables, you could implement the following IPTABLES rules to limit connections per IP:
IPT=/sbin/iptables
# Time window in seconds (not named SECONDS: bash reserves that name as a running counter)
WINDOW=100
# Max new connections per IP within the window
BLOCKCOUNT=10
# default action can be DROP or REJECT
DACTION="DROP"
# -I inserts at the top of the chain, so the second rule ends up evaluated first: --update
# matches addresses already on the list that reached the hit count, then --set records the hit
$IPT -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
$IPT -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds ${WINDOW} --hitcount ${BLOCKCOUNT} -j ${DACTION}
# .... # ..

The above would block all connections once it receives 10 connections within 100 seconds.
0
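As an added example (not posted by anyone in this thread), here is the fail2ban-style counting that savone suggested and madunix described, applied to the request rate in the domlog format the question pasted: a sliding window of findtime seconds, a ban once maxretry hits are seen, and a bantime during which that address's further lines are ignored. The sample input mixes six lines taken from the posted log with two constructed lines from a documentation-range address standing in for a normal visitor; the thresholds are assumptions chosen for the sample, not values from the thread.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache access-log line in the format of the domlog posted in the question.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

# Constructed sample: six lines taken from the posted domlog plus two lines
# from a documentation-range address (192.0.2.10) standing in for a normal
# visitor. Like the posted log, it is not strictly time-ordered.
SAMPLE = """\
105.157.21.4 - - [29/Oct/2013:17:42:49 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:49 +0000] "GET / HTTP/1.0" 200 102448 "-" "Mozilla Firefox 2"
192.0.2.10 - - [29/Oct/2013:17:42:49 +0000] "GET /about.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
105.157.21.4 - - [29/Oct/2013:17:42:49 +0000] "GET / HTTP/1.0" 200 102460 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:50 +0000] "GET / HTTP/1.0" 200 102448 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:49 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
192.0.2.10 - - [29/Oct/2013:17:42:51 +0000] "GET /style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
105.157.21.4 - - [29/Oct/2013:17:42:50 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
""".splitlines()

def parse_line(line):
    """Return (ip, timestamp, request) or None for a line that is not a log entry."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"), m.group("req")

def find_offenders(lines, maxretry=5, findtime=2, bantime=600):
    """fail2ban-style count: an IP seen `maxretry` times within `findtime` seconds is
    banned and its lines are skipped for `bantime` seconds. Returns {ip: ban start}."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    banned = {}                   # ip -> datetime the ban was applied
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _req = parsed
        if ip in banned and ts - banned[ip] < timedelta(seconds=bantime):
            continue              # the firewall would be dropping these already
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # slide the window (out-of-order lines just stay)
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = ts
            q.clear()
    return banned
```

Feeding the full domlog through find_offenders flags 105.157.21.4 within the first second, while the constructed visitor never reaches the threshold.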
