[Help] Detect IP and block DDOS

Hi,
My site is under a DDoS attack; as far as I know it's a small DDoS attack with around 50-100 IPs (botnet).
I tried to block the IPs with csf, but it's hard to block them one by one manually.
Is there any script that automatically finds the IPs with many connections and adds them to the csf.deny list?
Many thanks for your help!
Comments
What type of traffic are you getting?
I'm new to Linux, so I don't know how to find out the type of DDoS attack. Please let me know how to find out.
P.S.: I'm running Nginx, PHP-FPM, MySQL.
To find out the IPs (number of connections followed by the IP):
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n | tail -n 100
To block the IP using iptables (replace 0.0.0.0 with the actual IP):
iptables -A INPUT -s 0.0.0.0 -j DROP
Or add the IP to csf.deny:
echo 0.0.0.0 >> /path/to/csf.deny
or csf -d 0.0.0.0
(credits to @ATHK)
You should be able to block the IPs automatically using a for/do loop + cron jobs.
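One way to automate the netstat-and-csf steps above, as an added example that is not code from the thread: connection counts per remote address, a threshold, a whitelist, and a hand-off to csf. It assumes csf is installed, the script runs as root from cron, and that THRESHOLD and WHITELIST are tuned for the server.

```shell
#!/bin/sh
# Added example, not from the thread: the netstat pipeline turned into a
# cron-able script that hands IPs over a connection threshold to csf.
# Assumptions: csf is installed (csf -d writes a permanent csf.deny entry),
# this runs as root from cron, and WHITELIST holds addresses never to block.
THRESHOLD=${THRESHOLD:-60}               # connections from one IP before we act
WHITELIST=${WHITELIST:-"127.0.0.1 ::1"}

# count_connections: reads netstat -ntu output on stdin, prints "count ip",
# busiest first. Unlike "cut -d: -f1" it keeps IPv6 addresses intact by
# stripping only the trailing :port and the ::ffff: IPv4-mapped prefix.
count_connections() {
    awk '$1 ~ /^(tcp|udp)/ { sub(/:[0-9]+$/, "", $5); sub(/^::ffff:/, "", $5); print $5 }' \
        | sort | uniq -c | sort -rn
}

# offenders: reads "count ip" lines, prints IPs above THRESHOLD that are not
# whitelisted. One IP per line, so the caller can pipe it straight to csf.
offenders() {
    while read -r count ip; do
        [ "$count" -gt "$THRESHOLD" ] || continue
        case " $WHITELIST " in *" $ip "*) continue ;; esac
        printf '%s\n' "$ip"
    done
}

# deny_offenders: live run. csf -d adds to csf.deny with a comment so you can
# see later why an address was blocked; csf -dr <ip> undoes it.
deny_offenders() {
    netstat -ntu | count_connections | offenders | while read -r ip; do
        csf -d "$ip" "auto-deny: more than $THRESHOLD connections at $(date '+%F %T')"
    done
}

# Constructed netstat -ntu output for a dry run (documentation addresses): one
# host holds three connections (one via an IPv4-mapped IPv6 socket), another one.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.2:40001      ESTABLISHED
tcp6       0      0 ::ffff:10.0.0.5:80      ::ffff:203.0.113.7:51236 ESTABLISHED'

# demo: the sample run with a low threshold; prints 203.0.113.7 only.
demo() (
    THRESHOLD=2; WHITELIST="198.51.100.2"
    printf '%s\n' "$SAMPLE_NETSTAT" | count_connections | offenders
)
if [ "${1:-}" = "deny" ]; then deny_offenders; fi
```

Run it as `./autodeny.sh deny` from cron; without the argument nothing is blocked, so you can source it and call `demo` first.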
It sounds like you can still access your server through SSH, do you get any packet loss? Is your site just down?
Here is the image from when I ran the netstat command to see the connections.
csf -D IP comment
Easier..
Yes, I'm able to access it via SSH. My webserver gives "502 Bad Gateway" (nginx).
The first command shows:
First WHOIS them (so you don't block legitimate IPs), then block accordingly.
There are so many IPs, it's impossible to whois each IP.
Then just block them all if you don't want to check lol.
Your reply is useless to this case. Thanks!
Wow, how rude. Fuck off mate, he's given you quite a bit of help, and you reply with this?
Wow.
I'm tired of this DDoS and he told me to block all IPs. How does this help, or is it just a spam comment?
If you don't want my help, sure, and let the DDoS keep going; otherwise, block all IPs here http://i.imgur.com/wsHxFFb.png
Have you paid him anything? Have you paid us anything? Go hire a sysadmin and appreciate other people's time and effort.
Check your logs and see how they're accessing your server, then install fail2ban with a custom jail and filter which looks at the log where the access logs are being output to.
Then in (I think) the action, set it to add the IP to csf.deny using either the echo command above or csf -D IP.
You can follow something like this Apache Post flood rule - http://klcollins.org/2013/09/fail2ban-love/
With custom regex in the filter you can pretty much target anything in the log files.
It looks promising, great, thanks for your help!!
Well, it actually works and does a damn good job. We had that post flood on one of our servers at work; that was when it was a small attack.. it grew and it grew huge, I'm talking 30-40+ IPs a second.. we ended up moving the problem site onto something with DDoS protection.
install conntrack tools:
And run with
Paste the output of "tail -n 1000 /var/log/nginx/access*" here so we can see if it's a WordPress pingback attack; they are very common around here...
Post it to pastebin / pastie & post the link here please.
It seems you installed CSF and haven't configured it yet. Changing CONNLIMIT, PORTFLOOD and some other settings in csf.conf may help.
Here is access log: http://pastebin.com/yrmVQiSA
P.S.: I'm running a vBulletin site, not WordPress.
http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html
You pissed someone off in Vietnam.
@Mun ... you rock
just to make sure I got it right... this does need to be added to the vhost, doesn't it?
So that can be under either http {} server{} or location {}
You could use something like https://github.com/Prajithp/nginx-anti-ddos ?
@Monster looks nice...
@Mun ... Is there a chance that dotdeb would add this to the extras?
I wouldn't know. PM dotdeb on twitter and ask.
messaged.. will update if they reply
Dotdeb nginx has ngx_http_limit_req_module.
Add something like this to your http part:
limit_req_zone $binary_remote_addr zone=limit:50m rate=5r/s;
Then go to your site in sites-available and add this to one or all of the locations:
limit_req zone=limit burst=5 nodelay;
Why not install DDoS Deflate to do this automatically for you? It blocks connections that exceed 150 by default, but you can adjust that in its config file. Here's how to install it:
The configuration file is at: /usr/local/ddos/ddos.conf
To see how many connections by which IP, run: ddos
The root directory for the project is: http://www.inetbase.com/scripts/ddos/
It contains the uninstall and install files as well as many others
Many thanks for your help! It seems DDoS Deflate can't protect my site.
Does anyone know what type of DDoS this is? Is it an HTTP flood?
Access log here: http://pastebin.com/yrmVQiSA
Try something like this to block HTTP 1.0 from browsers that should be using http 1.1.
# nginx does not allow nested "if", so the two tests set a flag via a variable
set $legacy "";
if ($server_protocol ~* "HTTP/1.0") { set $legacy "P"; }
if ($http_user_agent ~* "Mozilla/5\.0 \(Windows; U; Windows NT 6\.1; en-US\)") { set $legacy "${legacy}U"; }
if ($legacy = "PU") { return 444; }
If that does not work you could just block all HTTP 1.0 requests.
if ($server_protocol ~* "HTTP/1.0") {
return 444;
}
Please don't tell me off for using if in nginx, I'm a lighttpd fan!
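For the "what type of DDoS is it" question and the HTTP/1.0 rule above, here is an added example (not code from the thread) that profiles an nginx access log in the combined format: requests per IP, protocol mix, the sources matching the HTTP/1.0 + Mozilla/5.0 combination, and the most hammered path. The log lines are constructed with documentation addresses; `profile_log` takes a real file.

```shell
#!/bin/sh
# Added example, not from the thread: profile an nginx access log (the
# "tail -n 1000 /var/log/nginx/access*" the thread asks for) to see whether
# this is an HTTP flood and which hosts send the HTTP/1.0 + Mozilla/5.0
# combination the nginx rule above returns 444 for. Sample lines are
# constructed in nginx "combined" format with documentation addresses.
SAMPLE_LOG='203.0.113.7 - - [10/Feb/2016:10:01:01 +0700] "GET /forum.php HTTP/1.0" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US)"
203.0.113.7 - - [10/Feb/2016:10:01:01 +0700] "GET /forum.php HTTP/1.0" 502 166 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US)"
203.0.113.9 - - [10/Feb/2016:10:01:02 +0700] "GET /forum.php HTTP/1.0" 502 166 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US)"
198.51.100.2 - - [10/Feb/2016:10:01:02 +0700] "GET /showthread.php?t=42 HTTP/1.1" 200 9031 "https://example.com/forum.php" "Mozilla/5.0 (X11; Linux x86_64) Firefox/44.0"'

# Fields when splitting on the double quote: $1 = "ip - user [time] ",
# $2 = request line, $3 = " status bytes ", $4 = referer, $6 = user agent.

# requests_per_ip: "count ip", busiest first; a few IPs with hundreds of hits
# in a 1000-line tail is the flood signature.
requests_per_ip() { awk '{ print $1 }' | sort | uniq -c | sort -rn; }

# protocol_mix: "count protocol"; real browsers speak HTTP/1.1, so a majority
# of HTTP/1.0 is a strong hint of a scripted flood.
protocol_mix() { awk -F'"' '{ split($2, r, " "); print r[3] }' | sort | uniq -c | sort -rn; }

# http10_ips: unique sources matching the thread's rule (HTTP/1.0 request
# with a Mozilla/5.0 user agent), i.e. what "return 444" would cut off.
http10_ips() {
    awk -F'"' '$2 ~ /HTTP\/1\.0$/ && $6 ~ /^Mozilla\/5\.0/ { split($1, a, " "); print a[1] }' | sort -u
}

# top_path: the single most requested path, which is what the bots hammer.
top_path() {
    awk -F'"' '{ split($2, r, " "); print r[2] }' | sort | uniq -c | sort -rn | head -n 1 | awk '{ print $2 }'
}

# profile_log FILE: run all four views over a real log.
profile_log() {
    echo "== requests per IP";                requests_per_ip < "$1"
    echo "== protocol mix";                   protocol_mix    < "$1"
    echo "== HTTP/1.0 + Mozilla/5.0 sources"; http10_ips      < "$1"
    echo "== most requested path";            top_path        < "$1"
}
```

The IPs printed by `http10_ips` are the ones to compare against the netstat counts before feeding anything to csf.deny.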