Need help blocking DOS

BlazeMuis Member
edited May 2012 in General

Hey

So someone is attacking my VPS with DoS... only 700 kb/s though

But how can I see his IP and block it?

Comments

  • MrAndroid Member
    edited May 2012

    Look at netstat, look which IP has the most connections.

    Then use iptables to drop it,

    http://www.cyberciti.biz/faq/linux-iptables-drop/

    and no it isn't me.

  • With netstat I only see my VPS's IP?

  • @joodle said: With netstat I only see my VPS's IP?

    Post the output of netstat

  • Jacob Member

    Install iftop. You will probably need to add another repository if you are on 5.x.

    It will list IP addresses individually and put the data transfer rate at the right side.
    Then you can just easily block it on your firewall.

    Thanked by 1BlazeMuis
  • @Jacob

    Thanks that worked :)

  • PhilND Member

    If it's a SYN flood and you can't afford a hardware firewall, to block it use varnish.

    Stick varnish in front of your apache/nginx setup and it'll filter all the SYN crap away from the backend webserver.

    We do this for a number of clients who experience SYN flooding issues. Since most of the IPs are spoofed you cannot block them all with IPTables.

    Hope this helps,
    Phil

  • @joodle: sure you didn't copy and paste the wrong IP in the DDoS script on your other VPS?

    :p :p :p. I kid, I kid. I know you've turned over a new leaf.

  • @PhilND nginx is handling the SYN flood without trouble, but the kernel isn't

  • @quirkyquark said: @joodle: sure you didn't copy and paste the wrong IP in the DDoS script on your other VPS?

    I don't got a DDoS script on my other VPS :P (I just got a booter)

  • Aldryic Member
    edited May 2012

    Here's a novel idea. Stop ripping sites and stay off of HackForums. Don't get your feet dirty, and you won't track filth all over your house.

  • @Aldryic said: Here's a novel idea. Stop ripping sites and stay off of HackForums. Stop getting your feet dirty, and you won't track filth all over your house.

    I don't rip sites anymore, but I love hackforums, will never leave them

  • PhilND Member

    @dmmcintyre3

    Even with SYN Cookies and rate limiting on Nginx we ALWAYS had the issue of the nginx webserver falling over and dying with a huge inbound SYN flood.. since we put varnish (yes it's a cache, but it's designed from the ground up to be a HTTP Accelerator) in front of nginx we never even have to look at a SYN Flood anymore, ever. The only problem we do have is huge incoming UDP floods.

    Phil

  • @PhilND I had nginx reporting 8k connections yesterday, with 800 requests/second but the kernel on the 128mb Xen was really having issues. (had to disable nf_conntrack to even get it to ping without 98% packet loss)

  • KuJoe Member, Host Rep

    Show how many connections each IP is making:
    netstat -plan | awk '{print $5}' | awk -F : '{print $(NF-1)}' | egrep -v "Address|and|servers|State|DGRAM|]|STREAM" | sort | uniq -c | sort -n

    Thanked by 2beard marrco
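
The per-IP counting suggested in the posts above, combined with a check for the spoofed-SYN case PhilND describes, as an added example that is not part of any post in this thread. It reads `netstat -ntu` style output on stdin; the function names and the sample addresses are constructed for illustration, and the DROP rules are only printed for review, not applied.

```bash
#!/usr/bin/env bash
# Added example: triage of `netstat -ntu` style output read from stdin.

# Print "<count> <ip>" per remote address, busiest first.
count_remote_ips() {
  awk '$1 ~ /^(tcp|udp)/ && $6 != "LISTEN" {
         addr = $5                    # foreign address column
         sub(/:[0-9*]+$/, "", addr)   # drop the trailing :port
         sub(/^::ffff:/, "", addr)    # unwrap IPv4-mapped IPv6
         n[addr]++
       }
       END { for (ip in n) print n[ip], ip }' | sort -k1,1nr -k2,2
}

# Print "<half_open> <distinct_sources>" for sockets in SYN_RECV.
# Many sources with about one socket each points at spoofed SYNs,
# where per-IP DROP rules do not help.
syn_recv_summary() {
  awk '$6 == "SYN_RECV" {
         a = $5; sub(/:[0-9]+$/, "", a); sub(/^::ffff:/, "", a)
         total++
         if (!(a in seen)) { seen[a] = 1; distinct++ }
       }
       END { print total + 0, distinct + 0 }'
}

# Print (not run) a DROP rule for each IP with at least $1 connections.
suggest_drops() {
  count_remote_ips | awk -v min="$1" '$1 >= min {
    cmd = ($2 ~ /:/) ? "ip6tables" : "iptables"
    print cmd " -I INPUT -s " $2 " -j DROP"
  }'
}

# Constructed sample: 203.0.113.10 is the VPS, 198.51.100.7 a noisy client.
SAMPLE='Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 203.0.113.10:80 198.51.100.7:51000 ESTABLISHED
tcp 0 0 203.0.113.10:80 198.51.100.7:51001 ESTABLISHED
tcp 0 0 203.0.113.10:80 198.51.100.7:51002 SYN_RECV
tcp 0 0 203.0.113.10:80 192.0.2.44:40000 SYN_RECV
tcp 0 0 203.0.113.10:80 192.0.2.45:40001 SYN_RECV
tcp6 0 0 ::ffff:203.0.113.10:80 ::ffff:198.51.100.7:51003 ESTABLISHED
tcp 0 0 203.0.113.10:22 192.0.2.9:50022 ESTABLISHED'

printf '%s\n' "$SAMPLE" | count_remote_ips
printf '%s\n' "$SAMPLE" | syn_recv_summary
printf '%s\n' "$SAMPLE" | suggest_drops 3
```

On a live host, feed it with `netstat -ntu | count_remote_ips`; if `syn_recv_summary` shows nearly as many distinct sources as half-open sockets, the sources are likely spoofed and blocking single addresses will not reduce the load.
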
  • MrDOS Member

    Why would you want to block me? o_O

  • Francisco Top Host, Host Rep, Veteran

    @MrDOS said: Why would you want to block me? o_O

    slow clap

    Thanked by 1maxexcloo