Solved

DoS attack, please help

Posted on 2013-10-29
Medium Priority
279 Views
Last Modified: 2013-12-05
Hello,

I have a DoS attack on one of my sites. I think it is not difficult to stop this kind of DDoS attack,
but I really don't know how to do it.
I have attached the domlogs for that DoS attack trace.
I hope you can help me resolve this problem.
Please don't tell me to just block that IP, because he can attack me from another IP.
Thank you
105.157.21.4 - - [29/Oct/2013:17:42:49 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:49 +0000] "GET / HTTP/1.0" 200 102448 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:49 +0000] "GET / HTTP/1.0" 200 102460 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:50 +0000] "GET / HTTP/1.0" 200 102448 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:49 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:49 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:50 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102452 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:49 +0000] "GET / HTTP/1.0" 200 102452 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:50 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102452 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:50 +0000] "GET / HTTP/1.0" 200 102448 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102448 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:50 +0000] "GET / HTTP/1.0" 200 102452 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102448 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102452 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:52 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102452 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:52 +0000] "GET / HTTP/1.0" 200 102460 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:52 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:52 +0000] "GET / HTTP/1.0" 200 102452 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102460 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:52 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102460 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102452 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102460 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102460 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:51 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:52 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:52 +0000] "GET / HTTP/1.0" 200 102460 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:52 +0000] "GET / HTTP/1.0" 200 102460 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:52 +0000] "GET / HTTP/1.0" 200 102452 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:53 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:52 +0000] "GET / HTTP/1.0" 200 102452 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:52 +0000] "GET / HTTP/1.0" 200 102452 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:53 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:55 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:53 +0000] "GET / HTTP/1.0" 200 102452 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:52 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:52 +0000] "GET / HTTP/1.0" 200 102448 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:55 +0000] "GET / HTTP/1.0" 200 102460 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:53 +0000] "GET / HTTP/1.0" 200 102452 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:53 +0000] "GET / HTTP/1.0" 200 102448 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:53 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:52 +0000] "GET / HTTP/1.0" 200 102460 "-" "Mozilla Firefox 2"
105.157.21.4 - - [29/Oct/2013:17:42:56 +0000] "GET / HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"
Question by:xserverx
8 Comments
 
LVL 23

Expert Comment

by:savone
ID: 39609816
You HAVE to block the IP and YES, he/she can attack you from another IP; then block that one.

Also, the logs do not show a DDoS attack, since the first D stands for distributed.

Block the IP and see what happens....

iptables -I INPUT -p tcp -s 105.157.21.4 -j DROP

Good luck.
0
 
LVL 26

Expert Comment

by:pony10us
ID: 39609824
This looks more like a port scan.
0
 

Author Comment

by:xserverx
ID: 39609866
Yes, I have blocked that IP and everything is OK.
How do I stop this kind of DoS attack?
0
 
LVL 23

Expert Comment

by:savone
ID: 39610021
You stop it by blocking the IP address.
0
 
LVL 25

Assisted Solution

by:madunix
madunix earned 1332 total points
ID: 39610803
For blocking threats to your webserver, you can use iptables rules within your web service environment. But there is no specific recommendation to use iptables for the reported problem. I'd also like to add that for network-level attacks like SYN flood, UDP flood, ICMP flood and SMURF attacks, having a good firewall is extremely important.

You can also configure more restrictive access on the server itself by deploying tools like PSAD and fwsnort with a firewall policy generated by APF. I'd advise not enabling auto-respond in psad and fwsnort while you are starting with them on a production server. It would be nice to monitor and understand how each of these components works and what can be blocked by them.

Advanced Policy Firewall : http://www.rfxn.com/projects/advanced-policy-firewall/
PSAD : http://cipherdyne.org/psad/
fwsnort : http://cipherdyne.org/fwsnort/

There is no guaranteed solution for DDoS/DoS, as different kinds of attacks are evolving all the time. So it is essential to collect logs of the various services on the server and analyse them carefully at periodic intervals.

Check http://hakin9.org/is-ddos-still-a-threat/
I think it's wise to look at dedicated appliances such as Cisco, Fortinet or Juniper, which are made to detect and defend. Try with http://www.fortinet.com/products/fortiddos/index.html
0
 

Author Comment

by:xserverx
ID: 39613377
Thank you for your reply.

I hope you understand my problem.

This attacker is trying to open the index page 2 times per second; this makes the server load high and reach MaxClients.
I don't know if there is a solution that can limit access to the same page per second per IP?
I just need a solution like that.

thank you
0
 
LVL 23

Assisted Solution

by:savone
savone earned 668 total points
ID: 39613696
You might want to take a look at this software:

http://www.fail2ban.org/wiki/index.php/Main_Page

You can set a limit and if someone goes over that limit you can ban them with iptables automatically.
0
 
LVL 25

Accepted Solution

by:madunix
madunix earned 1332 total points
ID: 39615189
As said, Fail2Ban is typically used for blocking users that are doing bad things (e.g. brute-forcing, trying to relay through a mail server, etc.). It does this by watching log files that the admin specifies, and keeping track of how many times an IP shows up with a specific error message. Once that becomes too many, it creates an iptables rule (or performs some other blocking action). Then (optionally) it removes the block after a period of time.

For iptables, you could implement the following iptables rules to limit connections per IP:
IPT=/sbin/iptables
# Length of the time window in seconds (named WINDOW because bash reserves SECONDS as a running counter)
WINDOW=100
# Max new connections per IP within that window
BLOCKCOUNT=10
# default action can be DROP or REJECT
DACTION="DROP"
# Both rules are inserted at the top of INPUT, so the second one (the hit-count check)
# ends up above the first (which records the source address in the 'recent' list)
$IPT -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
$IPT -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds ${WINDOW} --hitcount ${BLOCKCOUNT} -j ${DACTION}

The above would block all connections once it receives 10 connections within 100 seconds.
0
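Added example, not code from this thread or from fail2ban or iptables: the per-IP, per-page rate check the author asks for, run offline over domlog lines in the posted format, so a threshold can be chosen before a fail2ban jail or the iptables 'recent' rule from the answers enforces it. The sample lines, the TEST-NET addresses in them and the helper names (parse_line, find_flooders, block_rule) are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined-format request line, the same layout as the posted domlog.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, path, timestamp) for a request line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("path"), datetime.strptime(m.group("ts"), TS_FMT)

def find_flooders(lines, path="/", window=10, limit=10):
    """Flag IPs whose hits on `path` reach `limit` inside any `window`-second span.

    Same decision fail2ban or the iptables 'recent' rule makes, but computed from
    the log so the threshold can be tuned first. Returns {ip: peak_hits_in_window}.
    """
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[1] == path:
            hits[parsed[0]].append(parsed[2].timestamp())
    flagged = {}
    for ip, times in hits.items():
        times.sort()  # domlog lines are not strictly time-ordered (see the posted trace)
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] >= window:  # slide the window past stale hits
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= limit:
            flagged[ip] = peak
    return flagged

def block_rule(ip):
    """Render (not run) the per-IP DROP rule suggested in the answers, for review."""
    return f"iptables -I INPUT -p tcp --dport 80 -s {ip} -j DROP"

# Constructed sample in the posted format; TEST-NET addresses, not real hosts.
def _line(ip, sec, path="/"):
    return f'{ip} - - [29/Oct/2013:17:42:{sec:02d} +0000] "GET {path} HTTP/1.0" 200 102456 "-" "Mozilla Firefox 2"'
SAMPLE = [_line("203.0.113.7", 49 + i // 2) for i in range(12)]  # 2 hits/s for 6 s, as in the trace
SAMPLE += [_line("198.51.100.3", s) for s in (40, 50, 58)] + [_line("203.0.113.7", 55, "/about")]
```

With the defaults (10 hits on "/" within 10 seconds) only the 2-per-second client is flagged; the occasional visitor and the hit on a different page are not.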
