Help for botnet

We are getting 1000+ GET requests like the ones given below. Could somebody help me with how I should block this flood?


23:56:48.668164 IP evop26.areserver.net.38393 > 43.101.123.37.salay.com.tr.http: Flags [P.], seq 55371944:55371960, ack 3114960990, win 115, options [nop,nop,TS val 3730753604 ecr 74433803], length 16
EH.DS.@.&.......%{e+...P.L.....^...sI......
.^.D.o..GET / HTTP/1.0

23:56:48.671637 IP bhl-1.bilintel.com.39165 > 43.101.123.37.salay.com.tr.http: Flags [P.], seq 0:16, ack 1, win 115, options [nop,nop,TS val 523522517 ecr 74433234], length 16
E..DR.@.8....T.Z%{e+...PP..ov.q7...s.V.....
.4Q..o..GET / HTTP/1.0

23:56:48.672706 IP bhl-1.bilintel.com.39164 > 43.101.123.37.salay.com.tr.http: Flags [P.], seq 0:16, ack 1, win 115, options [nop,nop,TS val 523522517 ecr 74433234], length 16
E..D*.@.8....T.Z%{e+...P..`"..a....s.......
.4Q..o..GET / HTTP/1.0

23:56:48.684112 IP 5.46.8.17.30782 > 43.101.123.37.salay.com.tr.http: Flags [P.], seq 4022608471:4022608941, ack 2434570519, win 1460, options [nop,nop,TS val 193209 ecr 74405043], length 470




2.900734707 62.81.159.98 -> 37.123.101.43 HTTP 176 GET / HTTP/1.1
2.904401218 216.144.254.162 -> 37.123.101.43 HTTP 176 GET / HTTP/1.1
2.904854808  81.17.231.6 -> 37.123.101.43 HTTP 176 GET / HTTP/1.1
2.904882170 88.198.33.206 -> 37.123.101.43 HTTP 176 [TCP Retransmission] GET / HTTP/1.1
2.907318038 89.143.11.210 -> 37.123.101.43 HTTP 104 GET / HTTP/1.0
2.908602175 82.137.166.90 -> 37.123.101.43 HTTP 176 [TCP Retransmission] GET / HTTP/1.1
2.910117354 90.181.244.5 -> 37.123.101.43 HTTP 176 [TCP Retransmission] GET / HTTP/1.1
2.910156455 85.97.147.87 -> 37.123.101.42 HTTP 577 [TCP Retransmission] GET /enistem-once-surtundu.html HTTP/1.1
2.913223407 66.7.202.121 -> 37.123.101.43 HTTP 176 GET / HTTP/1.1
2.916502935 154.58.201.81 -> 37.123.101.43 HTTP 104 GET / HTTP/1.0
2.918598688 176.74.17.190 -> 37.123.101.43 HTTP 157 GET / HTTP/1.1
2.918940122 81.23.116.102 -> 37.123.101.43 HTTP 108 GET / HTTP/1.0
2.919790419 200.68.105.192 -> 37.123.101.43 HTTP 104 GET / HTTP/1.0
2.920984231 154.58.201.81 -> 37.123.101.43 HTTP 104 GET / HTTP/1.0
2.923031165 185.12.108.139 -> 37.123.101.43 HTTP 157 GET / HTTP/1.1
2.925115341 185.12.108.139 -> 37.123.101.43 HTTP 157 [TCP Retransmission] GET / HTTP/1.1
2.927225545 212.48.68.101 -> 37.123.101.43 HTTP 176 GET / HTTP/1.1
2.927570467 146.247.24.105 -> 37.123.101.43 HTTP 176 GET / HTTP/1.1
2.928376978 62.81.159.98 -> 37.123.101.43 HTTP 176 [TCP Retransmission] GET / HTTP/1.1
2.929605266 88.230.67.189 -> 37.123.101.43 HTTP 736 GET /wp-content/uploads/2015/10/Kocam%C4%B1n-Yak%C4%B1%C5%9F%C4%B1kl%C4%B1-Ye%C4%9Fenine-Verdim-298x248.jpg HTTP/1.1
2.929704659 27.254.34.189 -> 37.123.101.43 HTTP 176 GET / HTTP/1.1
2.931652755 173.45.173.135 -> 37.123.101.43 HTTP 157 [TCP Retransmission] GET / HTTP/1.1
2.932914229 216.245.194.155 -> 37.123.101.43 HTTP 104 GET / HTTP/1.0
2.934142988 159.100.136.40 -> 37.123.101.43 HTTP 176 [TCP Retransmission] GET / HTTP/1.1
2.934548229 198.154.224.44 -> 37.123.101.43 HTTP 176 GET / HTTP/1.1
2.935010444 216.162.192.80 -> 37.123.101.43 HTTP 176 GET / HTTP/1.1
2.935359605 198.154.224.44 -> 37.123.101.43 HTTP 176 GET / HTTP/1.1
2.937025319  81.17.231.6 -> 37.123.101.43 HTTP 176 [TCP Retransmission] GET / HTTP/1.1
2.937040057 138.100.58.5 -> 37.123.101.43 HTTP 164 [TCP Retransmission] GET / HTTP/1.1
2.937145719 83.137.149.100 -> 37.123.101.43 HTTP 176 [TCP Retransmission] GET / HTTP/1.1
2.937473374 173.193.160.26 -> 37.123.101.43 HTTP 157 GET / HTTP/1.1
2.937962050 78.47.207.170 -> 37.123.101.43 HTTP 176 GET / HTTP/1.1
2.938689125 217.66.166.64 -> 37.123.101.43 HTTP 176 GET / HTTP/1.1
2.939027311 159.100.136.40 -> 37.123.101.43 HTTP 176 GET / HTTP/1.1
2.940255315 176.9.106.50 -> 37.123.101.43 HTTP 176 GET / HTTP/1.1
2.942829136 166.63.124.166 -> 37.123.101.43 HTTP 176 GET / HTTP/1.1


Asked by FireBallIT


Chris H (Infrastructure Manager) commented:
This is a standard SYN flood. You should have an appliance between the internet and this box, and it should be doing rate control and SYN flood detection. You can work with your ISP, but all they can probably do is block the port or block the IP range. Botnets are good at shifting subnets and creating ways around ACLs.

The true answer is you HAVE to get a firewall between the internet and your webserver and make sure it has standard DDoS mitigation and SYN flood detection.

You may check eBay if your budget is tight, for a used/expired-subscription appliance. A WatchGuard or SonicWall will suffice for such attacks and should be reasonably affordable on the used market.

FireBallIT (Author) commented:
Dear choward, we have a perfect mitigation system with SYN proxy;
we use Citrix NetScaler & SRX 3600 to clean up SYN-spoofed traffic.
But the main problem is that the traffic is coming from real IP addresses, not from a spoofed source,
so Citrix is accepting the
SYN - ACK - SYN handshake

and NetScaler is OK with the SYN limits. If we put a threshold for the SYN limit after Citrix on the SRX, then real connections are also dropped by the SRX.
FireBallIT (Author) commented:
It is about 5 Mbps and the DDoS mitigators do not clean up this traffic.

Chris H (Infrastructure Manager) commented:
If you can't find a commonality to throttle/filter without picking off good traffic, you're going to have to block the botnet clients manually and/or by using IP profiling methods that check known blacklists.
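The capture in the question does contain a commonality of the kind the comment above asks for, and it is at the HTTP layer rather than the SYN layer: every packet shown is a PSH/ACK data segment on an already completed connection, carrying a plain `GET /` in a small frame of one of three fixed sizes (104, 157 or 176 bytes in the tshark output), a good share of them HTTP/1.0 and several of them TCP retransmissions, while the two requests for real content (the .html page and the .jpg) are 577 and 736 bytes. In the tcpdump lines the 16-byte PSH segments are exactly the 16 bytes of `GET / HTTP/1.0` followed by CRLF, a request line with nothing after it in that segment. The script below is an added example for this thread, not code from the original post and not from NetScaler, SRX, ASL or Incapsula. It parses the tshark lines quoted above, profiles the flood-like requests, and builds a per-source block list that counts only those requests, so a client fetching real pages is never throttled. The sample lines are a subset copied from the question; the thresholds (frame length at most 200 bytes, more than one flood-like request per source within one second) and the function names are assumptions chosen for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of the tshark lines copied from the question above.
SAMPLE = """\
2.900734707 62.81.159.98 -> 37.123.101.43 HTTP 176 GET / HTTP/1.1
2.904401218 216.144.254.162 -> 37.123.101.43 HTTP 176 GET / HTTP/1.1
2.904854808  81.17.231.6 -> 37.123.101.43 HTTP 176 GET / HTTP/1.1
2.904882170 88.198.33.206 -> 37.123.101.43 HTTP 176 [TCP Retransmission] GET / HTTP/1.1
2.907318038 89.143.11.210 -> 37.123.101.43 HTTP 104 GET / HTTP/1.0
2.910156455 85.97.147.87 -> 37.123.101.42 HTTP 577 [TCP Retransmission] GET /enistem-once-surtundu.html HTTP/1.1
2.916502935 154.58.201.81 -> 37.123.101.43 HTTP 104 GET / HTTP/1.0
2.920984231 154.58.201.81 -> 37.123.101.43 HTTP 104 GET / HTTP/1.0
2.923031165 185.12.108.139 -> 37.123.101.43 HTTP 157 GET / HTTP/1.1
2.925115341 185.12.108.139 -> 37.123.101.43 HTTP 157 [TCP Retransmission] GET / HTTP/1.1
2.928376978 62.81.159.98 -> 37.123.101.43 HTTP 176 [TCP Retransmission] GET / HTTP/1.1
2.929605266 88.230.67.189 -> 37.123.101.43 HTTP 736 GET /wp-content/uploads/2015/10/Kocam%C4%B1n-Yak%C4%B1%C5%9F%C4%B1kl%C4%B1-Ye%C4%9Fenine-Verdim-298x248.jpg HTTP/1.1
2.934548229 198.154.224.44 -> 37.123.101.43 HTTP 176 GET / HTTP/1.1
2.935359605 198.154.224.44 -> 37.123.101.43 HTTP 176 GET / HTTP/1.1
"""

# The tcpdump lines in the question show 16-byte PSH segments; "GET / HTTP/1.0" plus
# CRLF is exactly 16 bytes. Constructed here, not taken from the wire.
BARE_REQUEST_LINE = b"GET / HTTP/1.0\r\n"

LINE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)\s+HTTP\s+"
    r"(?P<length>\d+)\s+(?P<retrans>\[TCP Retransmission\]\s+)?"
    r"(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+HTTP/(?P<version>[\d.]+)\s*$"
)

# Assumed thresholds for this example; they are not values from the thread.
FLOOD_PATH = "/"
MAX_FLOOD_FRAME = 200    # the real page/image requests in the capture are 577 and 736 bytes
WINDOW_SECONDS = 1.0
PER_SOURCE_LIMIT = 1     # more flood-like requests than this per window -> block the source

def parse(text):
    """Turn tshark summary lines into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = float(d["ts"])
        d["length"] = int(d["length"])
        d["retrans"] = d["retrans"] is not None
        rows.append(d)
    return rows

def is_flood_like(row):
    """The commonality in the capture: a plain GET / in a tiny frame. Real content requests do not match."""
    return row["method"] == "GET" and row["path"] == FLOOD_PATH and row["length"] <= MAX_FLOOD_FRAME

def profile(rows):
    """Summarise the flood-like requests: HTTP versions, frame sizes, retransmissions, rate."""
    flood = [r for r in rows if is_flood_like(r)]
    span = rows[-1]["ts"] - rows[0]["ts"] if len(rows) > 1 else 0.0
    return {
        "total": len(rows),
        "flood_like": len(flood),
        "versions": Counter(r["version"] for r in flood),
        "frame_lengths": Counter(r["length"] for r in flood),
        "retransmissions": sum(1 for r in flood if r["retrans"]),
        "rate_per_s": len(flood) / span if span else 0.0,
    }

def sources_to_block(rows, window=WINDOW_SECONDS, limit=PER_SOURCE_LIMIT):
    """Per-source sliding window that counts only flood-like requests, so a client
    fetching real pages is never counted, however fast it is."""
    stamps = defaultdict(list)
    for r in rows:
        if is_flood_like(r):
            stamps[r["src"]].append(r["ts"])
    blocked = set()
    for src, ts in stamps.items():
        ts.sort()
        start = 0
        for end, t in enumerate(ts):
            while t - ts[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 > limit:
                blocked.add(src)
                break
    return blocked

def is_bare_request_line(payload):
    """True when a segment carries only a request line: no Host or other header follows it."""
    line, sep, rest = payload.partition(b"\r\n")
    return (sep == b"\r\n" and rest == b"" and line.startswith(b"GET ")
            and line.endswith((b" HTTP/1.0", b" HTTP/1.1")))

if __name__ == "__main__":
    rows = parse(SAMPLE)
    print(profile(rows))
    print("block:", sorted(sources_to_block(rows)))
    print("bare request line:", is_bare_request_line(BARE_REQUEST_LINE), len(BARE_REQUEST_LINE))
```

Run against the quoted lines, the profile shows 12 of 14 requests matching the flood signature at a rate of several hundred per second in the captured window, and the block list contains only the sources that repeated the bare `GET /`; the clients fetching the .html page and the .jpg are untouched. The same signature (a request for `/` in a tiny frame, or a segment that carries nothing but the request line) is what a filter in front of the web servers would key on, rather than SYN rate, which the author says the existing SYN proxy already passes because the handshakes are genuine.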
Chris H (Infrastructure Manager) commented:
https://www.incapsula.com/

I know these guys have been making a lot of noise in this market.  You may check out one of their products.  I know they have a solution for reverse lookups on inbound IP traffic.

https://www.incapsula.com/ddos/attack-glossary/http-flood.html
FireBallIT (Author) commented:
We are using Atomicorp ASL; it is a module of OWASP updated rules for mod_security,

but I think it is not enough.

Incapsula does not fit us because it works like Cloudflare. We need to find a general solution because we have 270K+ hostings on 500+ servers.