Need Help - DDoS attack
I manage the web server for a popular website, and for the past few hours, it's been under a DDoS attack. No one can access the site.
I checked Apache's log and saw this:
49.132.228.84 - - [28/Jul/2012:05:35:10 +0200] "POST / HTTP/1.0" 301 605 "6iiby75pl52.net" "Mozilla/4.0 (compatible; ibisBrowser)"
189.154.50.212 - - [28/Jul/2012:05:35:06 +0200] "POST / HTTP/1.0" 301 568 "51mso8n5956.ru" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.3) Gecko/20010801"
112.197.191.15 - - [28/Jul/2012:05:35:15 +0200] "POST / HTTP/1.0" 301 605 "9ak99or.biz" "Mozilla/4.5 [en]C-CCK-MCD {RuralNet} (Win98; I)"
121.115.89.29 - - [28/Jul/2012:05:36:07 +0200] "POST / HTTP/1.0" 301 605 "0h37660oa6d8j.info" "Mozilla/3.0 (compatible; NetPositive/2.2)"
112.197.191.15 - - [28/Jul/2012:05:35:23 +0200] "POST / HTTP/1.0" 301 605 "8gf42cq.biz" "Mozilla/5.0 (compatible; ShunixBot/1.x; http://www.ym404mwxc8.com/bot.htm)"
14.48.37.99 - - [28/Jul/2012:05:36:08 +0200] "POST / HTTP/1.0" 301 605 "2yeuk54c2.com" "Mozilla/5.0 (compatible; Bot; +http://yc5pn9i83c29c.ws/spamfilter"
222.15.162.47 - - [28/Jul/2012:05:35:05 +0200] "POST / HTTP/1.0" 301 605 "zy77145851l.biz" "Mozilla/5.0 (compatible; BecomeJPBot/2.3; MSIE 6.0 compatible; +http://www.iux9ze6.jp/wh2q80.html)"
I've tried blocking the IP addresses, but that's no use. I've blocked over 300 addresses manually and the attacks just keep coming. Any ideas on how to prevent this type of attack?
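The log lines in the post come from different addresses but share one request shape: a POST to / over HTTP/1.0 with a Referer that is a bare hostname rather than a URL. The Python below is an added example, not part of the original thread; it classifies Apache combined-format lines by that shape instead of by source IP. The function names are this example's own, two sample lines are copied from the post, and the two 192.0.2.x lines are constructed.

```python
import re
from collections import Counter

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>.*)"$'
)

def parse(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def matches_flood_shape(e):
    """True for POST / over HTTP/1.0 whose Referer is set but is not a URL."""
    ref = e["referer"].lower()
    bare_referer = ref not in ("", "-") and not ref.startswith(("http://", "https://"))
    return (e["method"] == "POST" and e["path"] == "/"
            and e["proto"] == "HTTP/1.0" and bare_referer)

def summarize(lines):
    """Count flagged, clean and unparsed lines, and flagged hits per source IP."""
    out = {"flagged": 0, "clean": 0, "unparsed": 0, "ips": Counter()}
    for line in lines:
        e = parse(line)
        if e is None:
            out["unparsed"] += 1
        elif matches_flood_shape(e):
            out["flagged"] += 1
            out["ips"][e["ip"]] += 1
        else:
            out["clean"] += 1
    return out

# First two lines are copied from the post above.
SAMPLE = [
    '49.132.228.84 - - [28/Jul/2012:05:35:10 +0200] "POST / HTTP/1.0" 301 605 "6iiby75pl52.net" "Mozilla/4.0 (compatible; ibisBrowser)"',
    '112.197.191.15 - - [28/Jul/2012:05:35:15 +0200] "POST / HTTP/1.0" 301 605 "9ak99or.biz" "Mozilla/4.5 [en]C-CCK-MCD {RuralNet} (Win98; I)"',
    # Constructed ordinary traffic (documentation IP range), for contrast.
    '192.0.2.10 - - [28/Jul/2012:05:35:11 +0200] "GET /download HTTP/1.1" 200 5120 "http://example.org/" "Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0"',
    '192.0.2.11 - - [28/Jul/2012:05:35:12 +0200] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Running it over a full access log shows what fraction of traffic matches the shape and whether ordinary visitors would be caught by a filter keyed on it.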
Comments
I'm guessing it's more than just a web server attack.
CSF
DDoS-Deflate is supposed to work
Thanks guys, but none of those seem to work for this type of attack.
Any other ideas?
If it is Apache-based, block port 80, contact LiteSpeed, and something that has worked for me most of the time was an nginx reverse proxy from a different server. If it is a SYN flood, you will need professional ddi
Nope. It's a website for an open-source program.
What exactly do I need to change in my Apache configuration?
@Zen my bad, didn't look at those logs.
@Steve, if you can, drop Apache altogether and use either LiteSpeed or nginx. If you cannot, assuming your server has enough RAM, get Varnish cache, increase timeout time and keep-alive time, and try to route Apache through a different port. And get an nginx proxy up and filter that bad traffic.
Nginx reverse proxy? I have no idea what I just wrote
Or lighttpd.
Mod_evasive works wonders for some types of Apache attacks, and Varnish usually helps with most other types.