Help for botnet

We are getting 1000+ GET requests like the ones given below. Could somebody help me with how I should block this flood?

23:56:48.668164 IP > Flags [P.], seq 55371944:55371960, ack 3114960990, win 115, options [nop,nop,TS val 3730753604 ecr 74433803], length 16
.^.D.o..GET / HTTP/1.0

23:56:48.671637 IP > Flags [P.], seq 0:16, ack 1, win 115, options [nop,nop,TS val 523522517 ecr 74433234], length 16
.4Q..o..GET / HTTP/1.0

23:56:48.672706 IP > Flags [P.], seq 0:16, ack 1, win 115, options [nop,nop,TS val 523522517 ecr 74433234], length 16
.4Q..o..GET / HTTP/1.0

23:56:48.684112 IP > Flags [P.], seq 4022608471:4022608941, ack 2434570519, win 1460, options [nop,nop,TS val 193209 ecr 74405043], length 470

2.900734707 -> HTTP 176 GET / HTTP/1.1
2.904401218 -> HTTP 176 GET / HTTP/1.1
2.904854808 -> HTTP 176 GET / HTTP/1.1
2.904882170 -> HTTP 176 [TCP Retransmission] GET / HTTP/1.1
2.907318038 -> HTTP 104 GET / HTTP/1.0
2.908602175 -> HTTP 176 [TCP Retransmission] GET / HTTP/1.1
2.910117354 -> HTTP 176 [TCP Retransmission] GET / HTTP/1.1
2.910156455 -> HTTP 577 [TCP Retransmission] GET /enistem-once-surtundu.html HTTP/1.1
2.913223407 -> HTTP 176 GET / HTTP/1.1
2.916502935 -> HTTP 104 GET / HTTP/1.0
2.918598688 -> HTTP 157 GET / HTTP/1.1
2.918940122 -> HTTP 108 GET / HTTP/1.0
2.919790419 -> HTTP 104 GET / HTTP/1.0
2.920984231 -> HTTP 104 GET / HTTP/1.0
2.923031165 -> HTTP 157 GET / HTTP/1.1
2.925115341 -> HTTP 157 [TCP Retransmission] GET / HTTP/1.1
2.927225545 -> HTTP 176 GET / HTTP/1.1
2.927570467 -> HTTP 176 GET / HTTP/1.1
2.928376978 -> HTTP 176 [TCP Retransmission] GET / HTTP/1.1
2.929605266 -> HTTP 736 GET /wp-content/uploads/2015/10/Kocam%C4%B1n-Yak%C4%B1%C5%9F%C4%B1kl%C4%B1-Ye%C4%9Fenine-Verdim-298x248.jpg HTTP/1.1
2.929704659 -> HTTP 176 GET / HTTP/1.1
2.931652755 -> HTTP 157 [TCP Retransmission] GET / HTTP/1.1
2.932914229 -> HTTP 104 GET / HTTP/1.0
2.934142988 -> HTTP 176 [TCP Retransmission] GET / HTTP/1.1
2.934548229 -> HTTP 176 GET / HTTP/1.1
2.935010444 -> HTTP 176 GET / HTTP/1.1
2.935359605 -> HTTP 176 GET / HTTP/1.1
2.937025319 -> HTTP 176 [TCP Retransmission] GET / HTTP/1.1
2.937040057 -> HTTP 164 [TCP Retransmission] GET / HTTP/1.1
2.937145719 -> HTTP 176 [TCP Retransmission] GET / HTTP/1.1
2.937473374 -> HTTP 157 GET / HTTP/1.1
2.937962050 -> HTTP 176 GET / HTTP/1.1
2.938689125 -> HTTP 176 GET / HTTP/1.1
2.939027311 -> HTTP 176 GET / HTTP/1.1
2.940255315 -> HTTP 176 GET / HTTP/1.1
2.942829136 -> HTTP 176 GET / HTTP/1.1



Chris H (Infrastructure Manager) commented:
This is a standard SYN flood. You should have an appliance in between the internet and this box, and it should be doing rate control and SYN flood detection. You can work with your ISP, but all they can probably do is block the port or block the IP range. Botnets are good at shifting subnets and creating ways around ACLs.

The true answer is you HAVE to get a firewall between the internet and your web server and make sure it has standard DDoS mitigation and SYN flood detection.

You may check eBay if your budget is tight, for a used/expired-subscription appliance. A WatchGuard or SonicWall will suffice for such attacks and should be reasonably affordable on the used market.

FireBallIT (Author) commented:
Dear choward, we have a perfect mitigation system for SYN proxy;
we use Citrix NetScaler & SRX 3600 to clean up SYN-spoofed traffic.
But the main problem is that the traffic is coming from real IP addresses, not from a spoofed source,
so Citrix is accepting the
SYN - ACK - SYN handshake

and NetScaler is OK with the SYN limits. If we put a threshold for the SYN limit after Citrix on the SRX, then real connections are also dropped by the SRX.
FireBallIT (Author) commented:
It is about 5 Mbps and the DDoS mitigators do not clean up this traffic.

Chris H (Infrastructure Manager) commented:
If you can't find a commonality to throttle/filter on without picking off good traffic, you're going to have to block the botnet clients manually and/or by using IP profiling methods that check known blacklists.
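Chris H's point about finding a commonality to throttle on can be tested against the web server's own access log. The capture above already shows one such commonality: a 16-byte payload is exactly `GET / HTTP/1.0\r\n`, a request with no Host, User-Agent or Referer header at all, which no normal browser sends. The script below is an added example, not code from this thread or from any of the products mentioned in it. It parses Apache combined-format log lines (a constructed sample, with RFC 5737 documentation addresses standing in for real clients), keeps a per-client sliding window of request times, and flags only clients that both exceed a request-rate threshold and send almost exclusively those bare requests, so a busy but well-formed browser session is left alone. The window size, thresholds, log format and the iptables rule format it emits are all assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache "combined" log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_bare_request(rec):
    """The commonality seen in the capture: 'GET / HTTP/1.0' with no User-Agent or Referer."""
    return (rec["proto"] == "HTTP/1.0" and rec["method"] == "GET"
            and rec["path"] == "/" and rec["ua"] == "-" and rec["referer"] == "-")


def find_flood_clients(lines, window_seconds=10, max_requests=20, min_bare_fraction=0.9):
    """Return {ip: (peak_requests_in_window, bare_fraction)} for clients that exceed
    the rate threshold within the sliding window AND whose requests are overwhelmingly
    bare.  Requiring both conditions keeps a bursty real browser from being blocked."""
    windows = defaultdict(deque)              # ip -> timestamps inside the current window
    peak = defaultdict(int)                   # ip -> highest count seen in any window
    totals = defaultdict(lambda: [0, 0])      # ip -> [all requests, bare requests]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                          # skip unparseable lines rather than crash
        ip, t = rec["ip"], rec["time"]
        q = windows[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > window_seconds:
            q.popleft()                       # drop timestamps that fell out of the window
        peak[ip] = max(peak[ip], len(q))
        totals[ip][0] += 1
        totals[ip][1] += is_bare_request(rec)
    flagged = {}
    for ip, (n, bare) in totals.items():
        frac = bare / n
        if peak[ip] > max_requests and frac >= min_bare_fraction:
            flagged[ip] = (peak[ip], frac)
    return flagged


def iptables_drop_rules(flagged):
    """Render the flagged clients as iptables rules for a Linux host (assumed format)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 80 -j DROP" for ip in sorted(flagged)]


def build_sample_log():
    """Constructed sample traffic, not taken from the question's capture."""
    base = datetime(2015, 10, 12, 23, 56, 48, tzinfo=timezone(timedelta(hours=3)))

    def line(ip, offset_s, req, proto, ua, ref="-"):
        ts = (base + timedelta(seconds=offset_s)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "{req} {proto}" 200 5123 "{ref}" "{ua}"'

    lines = []
    # Two bot clients: 30 bare "GET / HTTP/1.0" requests each within three seconds.
    for ip in ("203.0.113.10", "203.0.113.11"):
        for i in range(30):
            lines.append(line(ip, i / 10, "GET /", "HTTP/1.0", "-"))
    # A real browser loading a page and its assets: just as bursty, but well-formed.
    ua = "Mozilla/5.0 (X11; Linux x86_64) Firefox/41.0"
    for i in range(25):
        path = "/" if i == 0 else f"/wp-content/uploads/asset{i}.jpg"
        lines.append(line("198.51.100.5", i / 10, f"GET {path}", "HTTP/1.1", ua, "http://example.com/"))
    # A legacy monitor that also sends bare HTTP/1.0 GETs, but only a few.
    for i in range(3):
        lines.append(line("192.0.2.7", i * 4, "GET /", "HTTP/1.0", "-"))
    return lines


if __name__ == "__main__":
    flagged = find_flood_clients(build_sample_log())
    for ip, (peak_count, frac) in sorted(flagged.items()):
        print(f"{ip}: {peak_count} requests in window, {frac:.0%} bare")
    print("\n".join(iptables_drop_rules(flagged)))
```

Run against a real access log, the thresholds need tuning to the site's normal burst rate, and the bare-request test should be tightened or loosened to whatever commonality the live flood actually shows; the point of combining a rate test with a request-shape test is that neither alone separates the two bursty clients in the sample.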
Chris H (Infrastructure Manager) commented:

I know these guys have been making a lot of noise in this market. You may check out one of their products. I know they have a solution for reverse lookups on inbound IP traffic.
FireBallIT (Author) commented:
We are using Atomicorp ASL; it is a module of OWASP-updated rules for mod_security,

but I think it is not enough.

Incapsula does not fit us because it works like Cloudflare. We need to find a general solution because we have 270K+ hostings on 500+ servers.
Question has a verified solution.