
ddos? HELP PLEASE> [moved]

Discussion in 'Database Discussions' started by xghozt, Oct 15, 2005.

  1. xghozt

    xghozt Member

    Joined:
    Oct 15, 2005
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    1
    ddos? HELP PLEASE>

    I did some research and it looks like I'm being flooded..

    by ddos..or something..

    my website completely goes down for like 2 hours.. I think someone is doing this..

    How can I stop them?
     
  2. aby

    aby Well-Known Member

    Joined:
    May 31, 2005
    Messages:
    638
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    India
    Do you own the server? Please check the Apache logs..
     
  3. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    Check the log files and monitor the load of your server. You also need to find out who is doing that to your server. Overall, you need to secure your server and upgrade addons to the latest release(s).
     
  4. pshepperd

    pshepperd Well-Known Member

    Joined:
    Feb 12, 2005
    Messages:
    147
    Likes Received:
    0
    Trophy Points:
    16
    Set up APF and set it to ban traffic in excess of ??? whatever you need, or if it always comes from the same IP just block it.
     
  5. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    And if it is a real DDOS then the only realistic way of combatting it is by your NOC at the routers. First thing is to establish what is happening and a logging iptables firewall or a port sniffer would help you with that.
     
  6. xghozt

    xghozt Member

    Joined:
    Oct 15, 2005
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    1
    yea I have access to the admin thingy and all that..

    I'm new to this.. How do you check the logs?

    Or set that limit thingy...

    Can I have some links or something? to help me out?
     
  7. aby

    aby Well-Known Member

    Joined:
    May 31, 2005
    Messages:
    638
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    India

    Hello, I don't think you will be able to manage it if it is a real attack, since you are pretty new to the stuff. We won't be able to explain that stuff so that you will be able to stop the attack just using that. So I advise you to hire someone or get somebody who can help you. Anyway they should be able to login to the server to have a check ..
     
  8. xghozt

    xghozt Member

    Joined:
    Oct 15, 2005
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    1
    ok I figured it all out..

    I just can't find where to set a limit..

    Is there a way to make it so someone can't load the same page too many times? Apparently they are just downloading something 100 times a minute....
     
  9. Mini

    Mini Well-Known Member

    Joined:
    Mar 4, 2005
    Messages:
    98
    Likes Received:
    0
    Trophy Points:
    6
    Yes, use IPTABLES to block their IP.

    iptables -A INPUT -s BAD.IP.ADDRESS.TO.BLOCK -j DROP

    Mini
     
  10. Zaf

    Zaf Well-Known Member

    Joined:
    Aug 22, 2005
    Messages:
    119
    Likes Received:
    0
    Trophy Points:
    16
    Sent you a pm xghozt. Do check, test and let me know if that worked
     
  11. NightStorm

    NightStorm Well-Known Member

    Joined:
    Jul 28, 2003
    Messages:
    286
    Likes Received:
    4
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    mod_dosevasive: http://www.nuclearelephant.com/projects/dosevasive/
    Scrutinizer: http://freshmeat.net/projects/scrutinizer/ & http://www.solutix.ch/scrutinizer/
    mod_choke: http://os.cyberheatinc.com/mod_choke.php

    APF, I have found, is only good to a certain degree... since the traffic you are having to deal with is, as far as the entire server is concerned, legitimate. For this reason, your NOC will likely not be able to properly filter it either... how are they to know which is legitimate and which is not?

    mod_dosevasive and mod_choke run from inside Apache, while Scrutinizer runs alongside. I would suggest a combo of all 3... but if you do go with Scrutinizer, do not install it as an Apache plugin... set it up to run as its own process. If you install it as a mod, it will be overwhelmed by the queries, and won't block the traffic as well (running separately, it intercepts the queries on port 80 before they reach Apache). mod_choke will limit the bandwidth and/or connections per IP that are allowed at once... you can set this to a global, or just for specific file types. mod_dosevasive will watch Apache, and if a certain IP sends too many queries in X seconds, it is blocked for Y seconds. Scrutinizer works in much the same way, but I found is slightly more dependable, as it will remember blocked IPs, and if it has to block them again later (after the block has timed out), the bantime increases with each time. With some tweaking, you can set it to just block port 80 traffic from said IP as well, which would allow innocent people access to mail or SSH or WHM/cPanel.
    A combination of all three should help to bring things down a bit. But nothing short of blocking all the IPs will stop the attack.
    Is there something in the queries that does not change? An offsite referring URL that you could block through mod_rewrite, perhaps? Or maybe an obscure 'browser'?
    If you could post a piece of your log, it would help to see what sort of an attack you are dealing with. 5 or 6 lines of it should be enough to get a good idea.
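
Added example, not part of the post above and not code from mod_dosevasive or Scrutinizer: a small Python pass over an Apache access log that applies the same "too many requests for one page from one IP in X seconds" rule and reports the User-Agent and Referer each flagged client keeps sending. It assumes the "combined" log format in chronological order; the thresholds, the `find_floods` and `sample_log` names, and the sample lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Apache "combined" format: ip - user [time] "METHOD path proto" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')

def find_floods(lines, max_hits=5, window_secs=10):
    """Flag every IP that requested one path more than max_hits times within
    window_secs. Returns {ip: {"path", "peak", "agent", "referer"}}."""
    recent = defaultdict(deque)      # (ip, path) -> timestamps still inside the window
    agents = defaultdict(Counter)    # ip -> User-Agent counts
    referers = defaultdict(Counter)  # ip -> Referer counts
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                 # ignore lines that are not in combined format
        ip, path = m["ip"], m["path"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
        agents[ip][m["agent"]] += 1
        referers[ip][m["referer"]] += 1
        hits = recent[(ip, path)]
        hits.append(ts)
        while ts - hits[0] >= window_secs:   # drop requests older than the window
            hits.popleft()
        if len(hits) > max_hits:
            entry = flagged.setdefault(ip, {"path": path, "peak": 0})
            if len(hits) > entry["peak"]:
                entry["path"], entry["peak"] = path, len(hits)
    for ip, entry in flagged.items():
        # The most common header values are candidates for a stable block rule.
        entry["agent"] = agents[ip].most_common(1)[0][0]
        entry["referer"] = referers[ip].most_common(1)[0][0]
    return flagged

def sample_log():
    """Constructed sample: one client re-fetching a file every second, one normal visitor."""
    fmt = '{ip} - - [15/Oct/2005:14:00:{s:02d} +0000] "GET {p} HTTP/1.1" 200 512 "{r}" "{a}"'
    lines = [fmt.format(ip="198.51.100.23", s=s, p="/files/big.zip", r="-",
                        a="ExampleFetcher/1.0") for s in range(12)]
    lines += [fmt.format(ip="192.0.2.10", s=s, p=p, r="http://example.com/", a="Mozilla/5.0")
              for s, p in [(1, "/index.php"), (4, "/viewforum.php"), (9, "/index.php")]]
    return lines

if __name__ == "__main__":
    for ip, info in find_floods(sample_log()).items():
        print(ip, info)
```

On a real server the input would be the lines of the domain's access log instead of `sample_log()`; an address that shows up here with a single repeated path and an unusual agent is the kind of client the per-IP block mentioned earlier in the thread applies to.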
     
  12. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    They can, because they can and should implement traffic shaping and analysis products that detect DDOS attacks and can block them. Several NOCs provide such a service (just an example, SM/TP do) and it is only in their hands that a true DDOS can be dealt with. It's too late once the traffic has arrived at the server.

    If your NOC does not offer help with DDOS attacks, then you should move as there are plenty that do and plenty that will help you analyze your network data to block the attacks.
     
  13. xghozt

    xghozt Member

    Joined:
    Oct 15, 2005
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    1
    Thanks guys.. I guess I have a lot of reading to do and things to learn

    ^_^
     
  14. BianchiDude

    BianchiDude Well-Known Member
    PartnerNOC

    Joined:
    Jul 2, 2005
    Messages:
    619
    Likes Received:
    0
    Trophy Points:
    16
    What did you tell him to do?
     
  15. xghozt

    xghozt Member

    Joined:
    Oct 15, 2005
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    1
    GOD THEY ARE DOING IT AGAIN..!11!!!11

    This is getting annoying..
    like just out of no where..


    phpBB : Critical Error

    Could not connect to the database

    frikin annoying..
     
  16. xghozt

    xghozt Member

    Joined:
    Oct 15, 2005
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    1
    Where can I look at the IP logs? To ban who is doing it, and what should I look for?
     
  17. Zaf

    Zaf Well-Known Member

    Joined:
    Aug 22, 2005
    Messages:
    119
    Likes Received:
    0
    Trophy Points:
    16
    From what I understand out of your response to my pm, it's really going to be difficult to help you as you have very limited knowledge of SSH. I suggest you hire someone to have a look at your problem just as Aby suggested earlier. You should even try to contact your service provider / NOC to help you out of this problem.
     
  18. xghozt

    xghozt Member

    Joined:
    Oct 15, 2005
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    1
    I can learn...cmon please..


    I'm only 15... But I have an awesome website with over 200000 hits and 500 registered users... I think I can learn if you just tell me how to get to the ssh thingy...
     
  19. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,451
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    You might want to make sure that 'phpbb thingy' is upgraded with all the latest patches to start with.
     
  20. xghozt

    xghozt Member

    Joined:
    Oct 15, 2005
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    1
    Shell access is not enabled on your account!
    If you need shell access please contact support.
    ====
    it is updated..
    ====
    how do I enable that?
     