[Help] Detect IP and block DDOS

Hi,

My site is under DDoS attack; as far as I know it's a small DDoS attack with around 50-100 IPs (botnet).

I try to block IPs with csf, but it's hard to block them one by one manually.
Is there any script that automatically finds IPs with many connections and then adds them to the csf.deny list?

Many thanks for your help!

Comments

  • What type of traffic are you getting?

    Thanked by 1thuvienvps
  • thuvienvpsthuvienvps Member
    edited October 2014

    @linuxthefish said:
    What type of traffic are you getting?

    I'm new to Linux, so I don't know how to find out the type of DDoS attack; please let me know how to find out.

    P/S: I'm running Nginx, PHP-FPM, MySQL.

  • ausaus Member
    edited October 2014

    To find out the IPs (number of connections followed by the IP):

    netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n | tail -n 100

    To block the IP using iptables (replace 0.0.0.0 with the actual IP):

    iptables -A INPUT -s 0.0.0.0 -j DROP

    Or add the IP to csf.deny:

    echo 0.0.0.0 >> /path/to/csf.deny or csf -d 0.0.0.0 (credits to @ATHK)

    You should be able to block the IPs automatically using a for/do loop + cron jobs.
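Putting the pipeline above and the "for/do loop + cron jobs" idea together, here is an added shell script (not from the thread and not part of csf) that counts connections per remote address from netstat -ntu output and emits csf -d commands for addresses over a threshold. The sample netstat output, the default threshold of 50, the allowlisted admin address 192.0.2.9 and the DRY_RUN switch are all constructed for the example. It differs from the one-liner in two ways a practitioner will care about: the two netstat header lines are skipped so "Active" and "Proto" do not show up as addresses, and only the trailing :port is stripped, so IPv6 peers keep their whole address instead of being cut at the first colon.

```shell
#!/bin/sh
# Added example: auto-deny remote addresses with too many connections via csf.
# Not taken from the thread or from csf; threshold, allowlist and sample data
# are constructed for illustration.

THRESHOLD="${THRESHOLD:-50}"   # connections per remote address that trigger a deny
DRY_RUN="${DRY_RUN:-1}"        # 1 = only print the csf command, 0 = really run it

# Constructed sample of `netstat -ntu` output (not captured from a real host).
# States are not filtered, exactly like the thread's one-liner; add
# `$6 == "ESTABLISHED"` to the awk filter below to count only live connections.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:80         198.51.100.7:51234      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51235      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51236      ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.44:40001        ESTABLISHED
tcp        0      0 203.0.113.10:22         192.0.2.9:55555         ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8:1::5:60000     ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8:1::5:60001     TIME_WAIT'

# Addresses that must never be denied, e.g. your own SSH source (constructed).
ALLOWLIST='192.0.2.9'

# count_connections: netstat output on stdin -> "count address", highest first.
# NR > 2 skips the two header lines; sub() removes only the trailing :port.
count_connections() {
  awk 'NR > 2 { sub(/:[0-9]+$/, "", $5); print $5 }' |
    sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# offenders: addresses at or above THRESHOLD that are not allowlisted.
offenders() {
  count_connections | awk -v t="$THRESHOLD" -v allow="$ALLOWLIST" '
    BEGIN { n = split(allow, a, /[ ,]+/); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 >= t && !($2 in ok) { print $2 }'
}

# block_offenders: deny each offender with `csf -d <ip> <comment>` (dry-run by default).
block_offenders() {
  offenders | while read -r ip; do
    if [ "$DRY_RUN" = 1 ]; then
      echo "would run: csf -d $ip \"auto-block: >=$THRESHOLD connections\""
    else
      csf -d "$ip" "auto-block: >=$THRESHOLD connections"
    fi
  done
}

# Stand-alone demo: `--run` reads the live netstat, otherwise the sample above.
if [ "${1:-}" = "--run" ]; then
  netstat -ntu | block_offenders
else
  printf '%s\n' "$SAMPLE_NETSTAT" | block_offenders
fi
```

For the cron part, a line such as `* * * * * DRY_RUN=0 THRESHOLD=50 /usr/local/sbin/autoblock.sh --run` (the path is an assumption) runs the check every minute. Run it in dry-run mode first and compare the output against your own IPs and any reverse proxy or CDN in front of the server: everything behind a shared NAT or proxy arrives from one address, so a low threshold there denies legitimate users along with the flood.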

  • @thuvienvps said:
    P/S: I'm running Nginx, PHP-FPM, MySQL.

    It sounds like you can still access your server through SSH, do you get any packet loss? Is your site just down?

  • Here is an image from when I ran the netstat command to see the connections.

  • @aus said:
    Or add the IP to csf.deny:

    echo 0.0.0.0 >> /path/to/csf.deny

    csf -D IP comment

    Easier..

    Thanked by 1aus
  • @linuxthefish said:
    It sounds like you can still access your server through SSH, do you get any packet loss? Is your site just down?

    Yes, I'm able to access it via SSH. My webserver gives 502 Bad Gateway (nginx).

  • @aus said:
    To find out the IPs (number of connections followed by the IP):

    netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n | tail -n 100

    To block the IP using iptables (replace 0.0.0.0 with the actual IP):

    iptables -A INPUT -s 0.0.0.0 -j DROP

    Or add the IP to csf.deny:

    echo 0.0.0.0 >> /path/to/csf.deny or csf -d 0.0.0.0 (credits to ATHK)

    You should be able to block the IPs automatically using a for/do loop + cron jobs.

    The first command shows:

  • ausaus Member

    @thuvienvps said:

    First WHOIS them (so you don't block legitimate IPs), then block accordingly.

  • @aus said:
    First WHOIS them (so you don't block legitimate IPs), then block accordingly.

    There are so many IPs, it's impossible to whois each IP.

  • ausaus Member

    @thuvienvps said:
    There are so many IPs, it's impossible to whois each IP.

    Then just block them all if you don't want to check lol.

  • @aus said:
    Then just block them all if you don't want to check lol.

    Your reply is useless to this case. Thanks!

  • @thuvienvps said:
    Your reply is useless to this case. Thanks!

    Wow, how rude. Fuck off mate, he's given you quite a bit of help, and you reply with this?

    Wow.

    Thanked by 1HyperSpeed
  • @0xdragon said:
    Wow.

    I'm tired of this DDoS, and he told me to block all IPs. How does this help, or is it just a spam comment?

  • ausaus Member

    @thuvienvps said:
    I'm tired of this DDoS, and he told me to block all IPs. How does this help, or is it just a spam comment?

    If you don't want my help, sure, and let the DDoS keep going; otherwise, block all IPs here http://i.imgur.com/wsHxFFb.png

  • @thuvienvps said:
    I'm tired of this DDoS, and he told me to block all IPs. How does this help, or is it just a spam comment?

    Have you paid him anything? Have you paid us anything? Go hire a sysadmin and appreciate other people's time and effort.

  • Check your logs and see how they're accessing your server, then install fail2ban with a custom jail and filter which looks at the log where the access logs are being output to.

    Then in (I think) the action, set it to add the IP to csf.deny using either the echo command above or csf -D IP

    You can follow something like this Apache Post flood rule - http://klcollins.org/2013/09/fail2ban-love/

    With custom regex in the filter you can pretty much target anything in the log files.

    Thanked by 1thuvienvps
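As an added, concrete version of the suggestion above (not ATHK's own files and not shipped by the fail2ban project), the three fail2ban pieces below match POST requests in the nginx access log and hand each offender to csf instead of iptables. The log path, the 30-posts-in-60-seconds threshold, the one-hour ban and the admin address 192.0.2.9 in ignoreip are constructed; the tags <HOST>, <ip> and <name> are fail2ban's own placeholders.

```ini
# /etc/fail2ban/filter.d/nginx-postflood.conf  (added example, paths assumed)
# Matches any POST in combined-format nginx access log lines; narrow the path
# part (e.g. "POST /forum/showthread\.php") to the URL the flood actually hits.
[Definition]
failregex = ^<HOST> -.*"POST [^"]*HTTP/1\.[01]" \d{3}
ignoreregex =

# /etc/fail2ban/jail.local  (added example)
# maxretry matches within findtime seconds from one address trigger a ban.
[nginx-postflood]
enabled  = true
port     = http,https
filter   = nginx-postflood
logpath  = /var/log/nginx/access.log
findtime = 60
maxretry = 30
bantime  = 3600
ignoreip = 127.0.0.1/8 192.0.2.9
action   = csf-deny

# /etc/fail2ban/action.d/csf-deny.conf  (added example)
# csf keeps its own deny list, so start/stop/check are no-ops here.
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = csf -d <ip> fail2ban:<name>
actionunban = csf -dr <ip>
```

Before enabling the jail, run `fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-postflood.conf` to see how many lines the regex matches on your real log; if it matches ordinary forum posting, raise maxretry or scope the regex to the flooded URL so regular members are not denied.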
  • @ATHK said:
    Check your logs and see how they're accessing your server, then install fail2ban with a custom jail and filter which looks at the log where the access logs are being output to.

    Then in (I think) the action, set it to add the IP to csf.deny using either the echo command above or csf -D IP

    You can follow something like this Apache Post flood rule - http://klcollins.org/2013/09/fail2ban-love/

    With custom regex in the filter you can pretty much target anything in the log files.

    It looks promising, great thanks for your help!!

  • @thuvienvps said:
    It looks promising, great thanks for your help!!

    Well, it actually works and does a damn good job. We had that post flood on one of our servers at work; that was when it was a small attack. It grew, and it grew huge, I'm talking 30-40+ IPs a second. We ended up moving the problem site onto something with DDoS protection.

  • jmginerjmginer Member, Patron Provider

    install conntrack tools:

    cd ~; yum install unzip -y; wget http://ipv4.ginernet.com/downloads/conntrack-tools.zip; unzip conntrack-tools.zip; cd conntrack-tools; rpm -Uhv *; cd ~; 
    

    And run with

    conntrack -L > conn; cat conn | more;
  • linuxthefishlinuxthefish Member
    edited October 2014

    Paste the output of "tail -n 1000 /var/log/nginx/access*" here so we can see if it's a WordPress pingback attack, they are very common around here...

    Thanked by 1thuvienvps
  • @linuxthefish said:
    Paste the output of "tail -n 1000 /var/log/nginx/access*" here so we can see if it's a WordPress pingback attack, they are very common around here...

    Post it to pastebin / pastie & post the link here please

  • It seems you installed CSF and haven't configured it yet. Changing CONNLIMIT, PORTFLOOD and some other settings in csf.conf may help :)

  • thuvienvpsthuvienvps Member
    edited October 2014

    @linuxthefish said:
    Paste the output of "tail -n 1000 /var/log/nginx/access*" here so we can see if it's a WordPress pingback attack, they are very common around here...

    Here is access log: http://pastebin.com/yrmVQiSA

    P/S: I'm running a vBulletin site, not WordPress.

  • MunMun Member

    You pissed someone off in Vietnam.

  • @Mun ... you rock

    just to make sure I got it right... this does need to be added to the vhost, doesn't it?

  • MunMun Member

    @ez2uk said:
    Mun ... you rock

    just to make sure I got it right... this does need to be added to the vhost, doesn't it?

    Syntax: limit_conn zone number;
    Default:    —
    Context:    http, server, location
    

    So that can be under either http {} server{} or location {}

    Thanked by 1kkrajk
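Here is an added nginx configuration (not from the thread or from the nginx documentation) showing the limit_conn directive in each of the contexts listed above, together with the limit_conn_zone it depends on, which may only appear in http {}. The zone name "perip", the 10m zone size, the limits of 20 and 10 connections, the server name and the PHP-FPM socket path are all assumptions for the example.

```nginx
# Added example: per-client connection limiting for a PHP-FPM backed site.
http {
    # One state per client address; 10m of shared memory holds roughly
    # 160 thousand addresses on 64-bit platforms. When the zone fills up,
    # nginx returns the limit_conn_status code to the newest clients.
    limit_conn_zone $binary_remote_addr zone=perip:10m;

    # 429 instead of the default 503 makes limited requests easy to tell
    # apart from real backend failures (such as the 502s in this thread).
    limit_conn_status 429;
    limit_conn_log_level warn;

    server {
        listen 80;
        server_name example.com;

        # server {} context: applies to every location in this vhost.
        limit_conn perip 20;

        location ~ \.php$ {
            # location {} context: tighter limit on the expensive path so a
            # single client cannot exhaust the PHP-FPM worker pool.
            limit_conn perip 10;
            include fastcgi_params;
            fastcgi_pass unix:/var/run/php-fpm.sock;
        }
    }
}
```

Run `nginx -t` before reloading, and if the site sits behind a reverse proxy or CDN, key the zone on the real client address (for example via the realip module) rather than $binary_remote_addr, since otherwise every visitor shares the proxy's single address and the limit applies to all of them at once.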
  • You could use something like https://github.com/Prajithp/nginx-anti-ddos ?

  • @Monster looks nice...

    @Mun ... Is there a chance that the dotdeb would add this to the extras?

This discussion has been closed.