[Help] Detect IP and block DDOS

Hi,

My site is under DDoS attack; as far as I know it's a small DDoS attack with around 50-100 IPs (botnet).

I try to block IPs with csf but it's hard to block IPs one by one manually.
Is there any script that automatically finds IPs with many connections and adds them to the csf.deny list?

Many thanks for your help!

Comments

  • What type of traffic are you getting?

    Thanked by 1thuvienvps
  • thuvienvps Member
    edited October 2014

    @linuxthefish said:
    What type of traffic are you getting?

    I'm new to Linux so I don't know how to find out the type of DDoS attack; please let me know how to find out.

    P/S: I'm running Nginx, PHP-FPM, MySQL.

  • aus Member
    edited October 2014

    To find out the IPs (number of connections followed by the IP):

    netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n | tail -n 100

    To block the IP using iptables (replace 0.0.0.0 with the actual IP):

    iptables -A INPUT -s 0.0.0.0 -j DROP

    Or add the IP to csf.deny:

    echo 0.0.0.0 >> /path/to/csf.deny or csf -d 0.0.0.0 (credits to @ATHK)

    You should be able to block the IPs automatically using a for/do loop + cron jobs.
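
The "for/do loop + cron" automation described above, as an added example that is not code from the thread. It reads `netstat -ntu` style lines, counts connections per remote address, skips an allowlist so your own monitoring or office addresses are never denied, and calls `csf -d` (the form used later in the thread) only when `DO_BLOCK=1`; otherwise it only reports. Assumed, not from the thread: csf is installed, the allowlist path `/etc/autoblock-allow` and the script path in the cron line are hypothetical, and the netstat sample is constructed from documentation IP ranges.

```shell
#!/bin/sh
# Added example, not code from the thread: automates the "netstat count,
# then csf -d" steps. Run once a minute from cron with a line such as
#   * * * * * DO_BLOCK=1 /usr/local/bin/autoblock.sh --run   (hypothetical path)

THRESHOLD="${THRESHOLD:-20}"                      # connections per IP that trigger a deny
ALLOWLIST="${ALLOWLIST:-/etc/autoblock-allow}"    # one address per line, never denied (hypothetical path)

# emit_conns IP COUNT: print COUNT fake ESTABLISHED lines from IP (sample data only)
emit_conns() {
    i=0
    while [ "$i" -lt "$2" ]; do
        printf 'tcp        0      0 10.0.0.5:80             %s:%d    ESTABLISHED\n' "$1" $((40000 + i))
        i=$((i + 1))
    done
}

# Constructed stand-in for `netstat -ntu` output (documentation IP ranges):
# 25 connections from 203.0.113.9, 3 from 198.51.100.7, 1 from 192.0.2.1.
sample_netstat() {
    printf 'Active Internet connections (w/o servers)\n'
    printf 'Proto Recv-Q Send-Q Local Address           Foreign Address         State\n'
    emit_conns 203.0.113.9 25
    emit_conns 198.51.100.7 3
    emit_conns 192.0.2.1 1
}

# offenders MIN ALLOWFILE: read netstat output on stdin, print "count ip" for
# every remote address with at least MIN connections, busiest first.
# Only the trailing ":port" is stripped, so "::ffff:1.2.3.4:443" style entries
# stay intact (the thread's `cut -d: -f1` would mangle those).
offenders() {
    awk -v min="$1" -v allow="${2:-/dev/null}" '
        BEGIN { while ((getline line < allow) > 0) skip[line] = 1 }
        $1 ~ /^(tcp|udp)/ {
            ip = $5
            sub(/:[0-9]+$/, "", ip)
            if (!(ip in skip)) n[ip]++
        }
        END { for (ip in n) if (n[ip] >= min) printf "%d %s\n", n[ip], ip }
    ' | sort -rn
}

# block_offenders: hand each offender to csf (csf -d IP comment, as in the
# thread) when DO_BLOCK=1, otherwise only report what would be denied.
block_offenders() {
    offenders "$THRESHOLD" "$ALLOWLIST" | while read -r count ip; do
        if [ "${DO_BLOCK:-0}" = "1" ]; then
            csf -d "$ip" "autoblock: $count connections" </dev/null
        else
            echo "would block $ip ($count connections)"
        fi
    done
}

main() {
    netstat -ntu | block_offenders
}

case "${1:-}" in --run) main ;; esac
```

Run it without `DO_BLOCK` first and compare the report against the netstat output by hand; the allowlist is the piece that keeps a misjudged threshold from locking out your own monitoring host.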

  • @thuvienvps said:
    P/S: I'm running Nginx, PHP-FPM, MySQL.

    It sounds like you can still access your server through SSH, do you get any packet loss? Is your site just down?

  • Here is an image from when I run the netstat command to see connections.

  • @aus said:
    Or add the IP to csf.deny:

    echo 0.0.0.0 >> /path/to/csf.deny

    csf -D IP comment

    Easier..

    Thanked by 1aus
  • @linuxthefish said:
    It sounds like you can still access your server through SSH, do you get any packet loss? Is your site just down?

    Yes, I'm able to access via SSH. My web server gives 502 Bad Gateway (nginx).

  • @aus said:
    To find out the IPs (number of connections followed by the IP):

    netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n | tail -n 100

    To block the IP using iptables (replace 0.0.0.0 with the actual IP):

    iptables -A INPUT -s 0.0.0.0 -j DROP

    Or add the IP to csf.deny:

    echo 0.0.0.0 >> /path/to/csf.deny or csf -d 0.0.0.0 (credits to ATHK)

    You should be able to block the IPs automatically using a for/do loop + cron jobs.

    The first command shows:

  • aus Member

    @thuvienvps said:

    First WHOIS them (so you don't block legitimate IPs), then block accordingly.

  • @aus said:
    First WHOIS them (so you don't block legitimate IPs), then block accordingly.

    There are so many IPs, it's impossible to whois each IP.

  • aus Member

    @thuvienvps said:
    There are so many IPs, it's impossible to whois each IP.

    Then just block them all if you don't want to check lol.

  • @aus said:
    Then just block them all if you don't want to check lol.

    Your reply is useless to this case. Thanks!

  • @thuvienvps said:
    Your reply is useless to this case. Thanks!

    Wow, how rude. Fuck off mate, he's given you quite a bit of help, and you reply with this?

    Wow.

    Thanked by 1HyperSpeed


  • @0xdragon said:
    Wow.

    I'm tired of this DDoS and he told me to block all IPs; how does this help, or is it just a spam comment?

  • aus Member

    @thuvienvps said:
    I'm tired of this DDoS and he told me to block all IPs; how does this help, or is it just a spam comment?

    If you don't want my help, sure, and let the DDoS keep going; otherwise, block all IPs here http://i.imgur.com/wsHxFFb.png

  • @thuvienvps said:
    I'm tired of this DDoS and he told me to block all IPs; how does this help, or is it just a spam comment?

    Have you paid him anything? Have you paid us anything? Go hire a sysadmin and appreciate other people's time and effort.


  • Check your logs and see how they're accessing your server, then install fail2ban with a custom jail and filter which looks at the log file the access logs are being output to.

    Then in (I think) the action set it to add the IP to csf.deny using either the echo command above or csf -D IP

    You can follow something like this Apache Post flood rule - http://klcollins.org/2013/09/fail2ban-love/

    With custom regex in the filter you can pretty much target anything in the log files.

    Thanked by 1thuvienvps
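
The fail2ban approach described in the post above, as an added example that is neither the post's nor fail2ban's own files. The access-log lines are constructed in nginx "combined" format with documentation IP ranges; the awk function applies the same rule the `failregex` expresses (count POST requests per client, report those at or above `maxretry`) so the logic can be checked offline. The jail, filter and action names (`nginx-post-flood`, `csf-deny`), the thresholds and the log path are assumptions, and the `csf -d` / `csf -dr` commands in the action are the add/remove forms of csf's deny command.

```shell
#!/bin/sh
# Added example, not from the thread: offline check of a POST-flood rule plus
# the fail2ban filter/action/jail text that applies the same rule on a live log.

# Constructed access-log sample: 203.0.113.9 sends 6 POSTs, 198.51.100.7 sends
# 2 GETs and 1 POST, 192.0.2.1 sends 1 GET.
sample_access_log() {
    ua='Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US)'
    i=1
    while [ "$i" -le 6 ]; do
        printf '203.0.113.9 - - [12/Oct/2014:10:00:%02d +0000] "POST /index.php HTTP/1.0" 502 568 "-" "%s"\n' "$i" "$ua"
        i=$((i + 1))
    done
    printf '198.51.100.7 - - [12/Oct/2014:10:00:07 +0000] "GET /forum.php HTTP/1.1" 200 1024 "-" "%s"\n' "$ua"
    printf '198.51.100.7 - - [12/Oct/2014:10:00:08 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "%s"\n' "$ua"
    printf '198.51.100.7 - - [12/Oct/2014:10:00:09 +0000] "GET /forum.php HTTP/1.1" 200 1024 "-" "%s"\n' "$ua"
    printf '192.0.2.1 - - [12/Oct/2014:10:00:10 +0000] "GET / HTTP/1.1" 200 512 "-" "%s"\n' "$ua"
}

# post_flood_offenders MAXRETRY < access.log
# Same rule as the failregex below: a line "fails" when the request method is
# POST (field 6 of the combined format is the opening quote plus the method);
# an IP with at least MAXRETRY failing lines is printed as "count ip".
post_flood_offenders() {
    awk -v max="$1" '
        $6 == "\"POST" { n[$1]++ }
        END { for (ip in n) if (n[ip] >= max) printf "%d %s\n", n[ip], ip }
    ' | sort -rn
}

# fail2ban pieces implementing the same rule on the live log and handing the
# address to csf. File paths and names are assumptions; tune maxretry/findtime
# to your site's real POST rate before enabling.
fail2ban_snippets() {
    cat <<'EOF'
# /etc/fail2ban/filter.d/nginx-post-flood.conf
[Definition]
failregex = ^<HOST> -.*"POST .*HTTP/1\.[01]"
ignoreregex =

# /etc/fail2ban/action.d/csf-deny.conf
[Definition]
actionban   = csf -d <ip> fail2ban-<name>
actionunban = csf -dr <ip>

# /etc/fail2ban/jail.local
[nginx-post-flood]
enabled  = true
filter   = nginx-post-flood
action   = csf-deny[name=nginx-post-flood]
logpath  = /var/log/nginx/access.log
maxretry = 30
findtime = 60
bantime  = 3600
EOF
}
```

Before enabling the jail, run the real filter against a slice of the live log with `fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-post-flood.conf` and confirm the match count lines up with what the awk rule reports for the same slice; a regex that matches every line is the usual way a jail ends up banning legitimate users.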
  • @ATHK said:
    Check your logs and see how they're accessing your server, then install fail2ban with a custom jail and filter which looks at the log file the access logs are being output to.

    Then in (I think) the action set it to add the IP to csf.deny using either the echo command above or csf -D IP

    You can follow something like this Apache Post flood rule - http://klcollins.org/2013/09/fail2ban-love/

    With custom regex in the filter you can pretty much target anything in the log files.

    It looks promising, great thanks for your help!!

  • @thuvienvps said:
    It looks promising, great thanks for your help!!

    Well it actually works and does a damn good job. We had that POST flood on one of our servers at work; that was when it was a small attack. It grew, and it grew huge, I'm talking 30-40+ IPs a second. We ended up moving the problem site onto something with DDoS protection.

  • jmginer Member, Provider

    install conntrack tools:

    cd ~; yum install unzip -y; wget http://ipv4.ginernet.com/downloads/conntrack-tools.zip; unzip conntrack-tools.zip; cd conntrack-tools; rpm -Uhv *; cd ~; 
    

    And run with

    conntrack -L > conn; cat conn | more;
  • linuxthefish Member
    edited October 2014

    Paste the output of "tail -n 1000 /var/log/nginx/access*" here so we can see if it's a wordpress pingback attack, they are very common around here...

    Thanked by 1thuvienvps
  • @linuxthefish said:
    Paste the output of "tail -n 1000 /var/log/nginx/access*" here so we can see if it's a wordpress pingback attack, they are very common around here...

    Post it to pastebin /pastie & post link here* please

  • It seems you installed CSF and haven't configured it yet. Change CONNLIMIT, PORTFLOOD and some other settings in csf.conf may help :)
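
The csf.conf settings named in the post above, as an added example that is not from the thread or the csf project. CONNLIMIT takes `port;max-connections` pairs (concurrent connections per source address) and PORTFLOOD takes `port;protocol;hits;seconds` entries (new connections per source within the window); the numbers used here are constructed for illustration, not recommendations, and the setter works on a sample file so it runs offline (pass `/etc/csf/csf.conf` and run `csf -r` afterwards for real).

```shell
#!/bin/sh
# Added example, not from the thread: set csf.conf per-port limits without
# hand-editing the file. Values below are constructed, tune them to your site.

# make_sample_conf: print the path of a constructed csf.conf fragment
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# Constructed fragment of csf.conf (sample data, not the real file)
TESTING = "0"
CONNLIMIT = ""
PORTFLOOD = ""
EOF
    echo "$f"
}

# set_csf_option FILE KEY VALUE: replace the KEY = "..." line in place, or
# append it if the key is absent, so repeated runs never duplicate the key
set_csf_option() {
    if grep -q "^$2 = " "$1"; then
        sed -i.bak "s|^$2 = .*|$2 = \"$3\"|" "$1" && rm -f "$1.bak"
    else
        printf '%s = "%s"\n' "$2" "$3" >> "$1"
    fi
}

# get_csf_option FILE KEY: print the value between the quotes for KEY
get_csf_option() {
    sed -n "s/^$2 = \"\(.*\)\"$/\1/p" "$1"
}

# apply_limits FILE: cap each source at 50 concurrent connections to 80/443,
# and block a source that opens more than 100 connections to 80 or 443
# within 5 seconds (constructed thresholds)
apply_limits() {
    set_csf_option "$1" CONNLIMIT "80;50,443;50"
    set_csf_option "$1" PORTFLOOD "80;tcp;100;5,443;tcp;100;5"
}
```

After changing the live file, reload with `csf -r` and watch `/var/log/lfd.log` for the first automatic blocks; if your own users sit behind a shared NAT, a CONNLIMIT that is too low will cut them off before it troubles a botnet.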

  • thuvienvps Member
    edited October 2014

    @linuxthefish said:
    Paste the output of "tail -n 1000 /var/log/nginx/access*" here so we can see if it's a wordpress pingback attack, they are very common around here...

    Here is access log: http://pastebin.com/yrmVQiSA

    P/S: I'm running a vBulletin site, not WordPress.

  • Mun Member without signature

    You pissed someone off in Vietnam.

  • @Mun ... you rock

    just to make sure I got it right... this does need to be added to the vhost, doesn't it?

  • Mun Member without signature

    @ez2uk said:
    Mun ... you rock

    just to make sure I got it right... this does need to be added to the vhost, doesn't it?

    Syntax: limit_conn zone number;
    Default:    —
    Context:    http, server, location
    

    So that can be under either http {} server{} or location {}

    Thanked by 1kkrajk
  • You could use something like https://github.com/Prajithp/nginx-anti-ddos ?

  • @Monster looks nice...

    @Mun ... Is there a chance that the dotdeb would add this to the extras

  • Mun Member without signature

    @ez2uk said:
    Monster looks nice...

    Mun ... Is there a chance that the dotdeb would add this to the extras

    I wouldn't know. PM dotdeb on twitter and ask.

  • messaged.. will update if they reply

  • Dotdeb nginx has ngx_http_limit_req_module.

    Add something like this to your http part:

    limit_req_zone $binary_remote_addr zone=limit:50m rate=5r/s;

    Then go to your site in sites-available and add this to one or all of the locations:

    limit_req zone=limit burst=5 nodelay;

    Thanked by 2thuvienvps kkrajk
  • Verelox Member, Provider

    Why not install DDoS Deflate to do this automatically for you? It blocks connections that exceed 150 by default, but you can adjust that in its config file. Here's how to install it:

    wget http://www.inetbase.com/scripts/ddos/install.sh
    chmod +x install.sh
    sh install.sh
    

    The configuration file is at: /usr/local/ddos/ddos.conf

    To see how many connections by which IP, run: ddos

    The root directory for the project is: http://www.inetbase.com/scripts/ddos/

    It contains the uninstall and install files as well as many others

  • @Verelox said:
    Why not install DDoS Deflate to do this automatically for you? It blocks connections that exceed 150 by default, but you can adjust that in its config file. Here's how to install it:

    > wget http://www.inetbase.com/scripts/ddos/install.sh
    > chmod +x install.sh
    > sh install.sh
    > 

    The configuration file is at: /usr/local/ddos/ddos.conf

    To see how many connections by which IP, run: ddos

    The root directory for the project is: http://www.inetbase.com/scripts/ddos/

    It contains the uninstall and install files as well as many others

    Many thanks for your help! It seems DDoS Deflate can't protect my site.
    Does anyone know what type of DDoS it is? Is it an HTTP flood?
    Access log here: http://pastebin.com/yrmVQiSA

  • linuxthefish Member
    edited October 2014

    Try something like this to block HTTP 1.0 from browsers that should be using http 1.1.

    set $block_old_http 0;
    if ($server_protocol ~* "HTTP/1.0") {
        set $block_old_http 1;
    }
    # nginx does not allow nested "if", so the two tests are combined in a variable
    if ($http_user_agent ~* "Mozilla/5\.0 \(Windows; U; Windows NT 6\.1; en-US\)") {
        set $block_old_http "${block_old_http}1";
    }
    if ($block_old_http = "11") {
        return 444;
    }

    If that does not work you could just block all HTTP 1.0 requests.

    if ($server_protocol ~* "HTTP/1.0") {
    return 444;
    }

    Please don't tell me off for using if in nginx, I'm a lighttpd fan!

    Thanked by 1thuvienvps
This discussion has been closed.