
Does this mean I am under a DDOS Attack?
yokowasis Member
edited July 2017 in General

I have never experienced a DDOS Attack before. Recently apache keeps crashing and I need to restart it. I activated Under Attack Mode, and the traffic dropped significantly. I am sure my website doesn't have 100K+ visitors every day.

If it is indeed a DDOS Attack, isn't cloudflare supposed to STOP it? Why does the attack still go through cloudflare?

Can anybody shed some light on this for me?

Stupid Quick Question: Can I just slam some CPM ads on my page and get some $$$ for 100K++ visits?

p.s.: The box is a dedicated server in my office, put on a desk without air conditioning. Does that have anything to do with apache crashing every once in a while?

p.p.s.: I think this should go to the Help forum. Perhaps @raindog308 can move this to the appropriate forum?

Comments

  • SplitIce Member, Host Rep

    Certainly looks like it, or you are perhaps featured on reddit/slashdot or whatever.

  • Pff. 100K requests? That's nothing.

    If it was a DDoS attack, it certainly wasn't large by any means. By the way, is there any particular reason why you're using an unoptimized Apache configuration (taking a wild guess here)? Try using NGINX and tuning the configuration -- it handles static content better IMO.

  • SplitIce Member, Host Rep

    @FlamesRunner attacks can be small too. It's often the small ones that are the most annoying: they waste resources and slow things down but don't necessarily trip alarms.

  • It's not a typical DDoS attack. It might be an application specific attack, which Cloudflare may or may not be able to filter.

    Apache uses a lot of memory when facing traffic. If it keeps crashing, there's a chance you are running out of memory.

    By the way, 100k requests per day should be easily handled by a dedicated server. One of my i3 servers gets 2000k requests per day and the CPU usage stays low.

  • FlamesRunner Member
    edited July 2017

    @SplitIce

    True enough. I guess I've been shielded by OVH for too long :/

    @yokowasis

    Can you show us your Apache logs? We can't tell why it crashes without more information.

    Edit: Addressing your concerns about CF -- if you're using CF free, protection can sometimes be nonexistent.

  • SplitIce Member, Host Rep

    FlamesRunner said: True enough. I guess I've been shielded by OVH for too long :/

    I think their definition of a DDoS attack is just whether it was mitigated. Should it not be mitigated, regardless of size, then it's not an attack. Or at least that's my experience.

  • yokowasis Member
    edited July 2017

    This is the error_log. According to Uptime Robot the server went down at 9:36, but I don't find any log entry at that time. This is the log from when I restarted apache. I have 8 GB of RAM plus swap, and according to free -m only 3 GB of RAM is used.

    [Sun Jul 09 12:46:12 2017] [notice] Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/1.0.1e-fips configured -- resuming normal operations
    *** glibc detected *** /usr/local/apache/bin/httpd: free(): invalid pointer: 0x00000039d9b8e178 ***
    ======= Backtrace: =========
    /lib64/libc.so.6[0x39d9875f3e]
    /lib64/libc.so.6[0x39d9878d8d]
    /usr/local/apr/lib/libapr-1.so.0(apr_allocator_destroy+0x1d)[0x7f45e206527d]
    /usr/local/apache/bin/httpd[0x4a93ae]
    /usr/local/apache/bin/httpd[0x4a9a6b]
    /lib64/libpthread.so.0[0x39d9c0f7e0]
    /lib64/ld-linux-x86-64.so.2[0x39d900e1f6]
    /lib64/ld-linux-x86-64.so.2[0x39d90149d5]
    /lib64/libpcre.so.0[0x317d201586]
    ======= Memory map: ========
    [Sun Jul 09 12:46:19 2017] [notice] caught SIGTERM, shutting down
    [Sun Jul 09 12:46:20 2017] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
    [Sun Jul 09 12:46:20 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/local/apache/bin/suexec)
    [Sun Jul 09 12:46:21 2017] [notice] Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/1.0.1e-fips configured -- resuming normal operations

    This is the error_log from before and after 9:36

    [Sun Jul 09 08:58:01 2017] [error] [client 35.184.189.105] File does not exist: /usr/local/apache/htdocs/robots.txt
    [Sun Jul 09 12:46:11 2017] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]

  • yokowasis Member
    edited July 2017

    When I look into access_log there are some strange requests

    108.162.216.166 - - [09/Jul/2017:13:34:10 +0800] "GET /cteabt-GFyxfn/dovsximijr/38/39651035_szxdmvb_wtjj_kfrv_18740_36009/ HTTP/1.1" 200 22619
    35.184.189.105 - - [09/Jul/2017:13:34:15 +0800] "GET /robots.txt HTTP/1.1" 200 67
    162.158.75.100 - - [09/Jul/2017:13:34:23 +0800] "GET /yyaw-156549/26-cybtsm-s1155_wmtx HTTP/1.1" 301 3
    162.158.74.51 - - [09/Jul/2017:13:34:23 +0800] "GET /wybsm/17vgskrt-2566_1mv2sv2y.html HTTP/1.1" 301 3

    Tried to find that file, but it is nowhere to be found.

  • yokowasis Member
    edited July 2017

    Can I just slam in a cronjob and restart apache every hour? I hate going to the office on Sunday just to type one line of command. I can't even SSH to my box.

    And it's a government site, if that makes any difference.

  • SplitIce Member, Host Rep

    @yokowasis said:
    When I look into access_log there are some strange requests

    108.162.216.166 - - [09/Jul/2017:13:34:10 +0800] "GET /cteabt-GFyxfn/dovsximijr/38/39651035_szxdmvb_wtjj_kfrv_18740_36009/ HTTP/1.1" 200 22619
    35.184.189.105 - - [09/Jul/2017:13:34:15 +0800] "GET /robots.txt HTTP/1.1" 200 67
    162.158.75.100 - - [09/Jul/2017:13:34:23 +0800] "GET /yyaw-156549/26-cybtsm-s1155_wmtx HTTP/1.1" 301 3
    162.158.74.51 - - [09/Jul/2017:13:34:23 +0800] "GET /wybsm/17vgskrt-2566_1mv2sv2y.html HTTP/1.1" 301 3

    Tried to find that file, but it is nowhere to be found.

    That looks like an attack I saw years ago which was from a malicious SWF file on a popular site. It's random letters and numbers.

  • hanoi Member

    Seems like just some brute-force attack.

  • rsk Member, Patron Provider

    yokowasis said: Stupid Quick Question: Can I just slam some CPM ads on my page and get some $$$ for 100K++ visits?

    yokowasis said: And it's a government site, if that makes any difference.

    :)

  • yokowasis said: Stupid Quick Question: Can I just slam some CPM ads on my page and get some $$$ for 100K++ visits?

    Advertiser gets upset due to shit traffic

  • vovler Member
    edited July 2017

    With ads you'll be banned from the network pretty fast, as CPM networks are used to dealing with spam.

    Check what file is being loaded.
    Index?
    WordPress login page?
    WordPress xmlrpc.php?
    It's not a big attack, most likely just a mass bruteforce login attempt.

    If the attack stops, either they ran out of passwords or stopped at a certain difficulty level. Or they got in ...

    ------------EDIT

    Also, CPM ads are loaded via JavaScript, bots won't execute JavaScript.
    For DDOS it's useless since JavaScript is client-side.
    Bruteforce attacks just run a bunch of POSTs and also don't execute JavaScript.

  • It loaded random files. Sometimes PDF, doc, jpg, or others. My website hosts a lot of documents.

    According to my log above, they are using GET instead of POST. And apparently some requests are just random gibberish that doesn't exist on my website.

    @vovler said:
    With ads you'll be banned from the network pretty fast, as CPM networks are used to dealing with spam.

    Check what file is being loaded.
    Index?
    WordPress login page?
    WordPress xmlrpc.php?
    It's not a big attack, most likely just a mass bruteforce login attempt.

    If the attack stops, either they ran out of passwords or stopped at a certain difficulty level. Or they got in ...

    ------------EDIT

    Also, CPM ads are loaded via JavaScript, bots won't execute JavaScript.
    For DDOS it's useless since JavaScript is client-side.
    Bruteforce attacks just run a bunch of POSTs and also don't execute JavaScript.

  • vovler Member

    Either it's a DDOS, or it's some bot trying to find a login page. Or spiders going crazy.
    Is it the same IP or multiple ones? One country or multiple?

  • Multiple IPs and multiple countries.

  • Upgrade your Apache and related libraries. The crash is happening in PCRE, and free() is getting called on an invalid pointer. Maybe it is a code injection attack.

  • SplitIce Member, Host Rep

    msg7086 said: It's not a typical DDoS attack.

    FYI, while it's not your lazy booter, L7-AMP attacks like this are fairly common to defeat caching systems like those in CloudFlare and Wordpress.
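Detection logic for the random-URL, cache-defeating pattern visible in the access_log posted earlier in the thread, as an added example that is not part of the thread or of any poster's tooling: it flags request paths built from vowel-free letter runs and counts how many flagged requests arrive from Cloudflare edge addresses (behind Cloudflare the logged source is the edge, not the visitor). The vowel/consonant-run thresholds and the fifth sample log line are my own assumptions.

```python
import re
import ipaddress
from collections import Counter

# Apache common/combined log: client, timestamp, request line, status, bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Published Cloudflare edge ranges covering the sources in the posted excerpt.
# Behind Cloudflare the logged address is the edge, not the visitor; the real
# client is only in the CF-Connecting-IP header (mod_remoteip / mod_cloudflare).
CLOUDFLARE_NETS = [ipaddress.ip_network("162.158.0.0/15"),
                   ipaddress.ip_network("108.162.192.0/18")]
VOWELS = set("aeiou")

def looks_random(token: str) -> bool:
    """Letter token with (almost) no vowels or a long consonant run (assumed thresholds)."""
    t = token.lower()
    vowel_frac = sum(c in VOWELS for c in t) / len(t)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", t)), default=0)
    return vowel_frac < 0.15 or longest_run >= 5

def random_path_score(path: str) -> float:
    """Fraction of word-like tokens (4+ letters) in the path that look random."""
    path = re.sub(r"\.[A-Za-z0-9]{1,5}$", "", path.split("?", 1)[0])  # drop .html/.pdf
    tokens = [t for t in re.findall(r"[A-Za-z]+", path) if len(t) >= 4]
    return sum(looks_random(t) for t in tokens) / len(tokens) if tokens else 0.0

def analyse(log_text: str, threshold: float = 0.5):
    """Count random-looking paths per logged source and how many came via Cloudflare."""
    hits, via_cloudflare = Counter(), 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src, _ts, _method, path, _status, _bytes = m.groups()
        if random_path_score(path) >= threshold:
            hits[src] += 1
            if any(ipaddress.ip_address(src) in net for net in CLOUDFLARE_NETS):
                via_cloudflare += 1
    return hits, via_cloudflare

# First four lines are the ones posted in the thread; the fifth is constructed.
SAMPLE_LOG = """\
108.162.216.166 - - [09/Jul/2017:13:34:10 +0800] "GET /cteabt-GFyxfn/dovsximijr/38/39651035_szxdmvb_wtjj_kfrv_18740_36009/ HTTP/1.1" 200 22619
35.184.189.105 - - [09/Jul/2017:13:34:15 +0800] "GET /robots.txt HTTP/1.1" 200 67
162.158.75.100 - - [09/Jul/2017:13:34:23 +0800] "GET /yyaw-156549/26-cybtsm-s1155_wmtx HTTP/1.1" 301 3
162.158.74.51 - - [09/Jul/2017:13:34:23 +0800] "GET /wybsm/17vgskrt-2566_1mv2sv2y.html HTTP/1.1" 301 3
162.158.74.51 - - [09/Jul/2017:13:34:24 +0800] "GET /documents/annual-report-2016.pdf HTTP/1.1" 200 51200
"""

if __name__ == "__main__":
    hits, via_cf = analyse(SAMPLE_LOG)
    print(f"{sum(hits.values())} random-path requests, {via_cf} via Cloudflare edges")
    for src, n in hits.most_common():
        print(f"  {src}: {n}")
```

A high count of flagged paths from edge addresses is the signal to enable Cloudflare's rate limiting or a challenge on those path patterns, and to restore the real visitor address in the log before blocking anything by source.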
