The Community Forums


DOS Attack- Something new !

Discussion in 'General Discussion' started by linux-image, Nov 3, 2005.

  1. linux-image

    linux-image Well-Known Member

    Joined:
    Jun 8, 2004
    Messages:
    1,192
    Likes Received:
    1
    Trophy Points:
    38
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Has anyone seen such an access_log?
    ===========================
    86.42.13.148 - - [03/Nov/2005:16:29:45 +0200] "o9rKsXTyX9TJ0UxXoO8HvB5CISQCi" 501 -
    200.114.234.5 - - [03/Nov/2005:16:29:45 +0200] "fnEMvp27krB4RUYDHMsW4zq1sYiGvJKYrqrtyqHfutLiRojTld4JP5QXcwEv9aj7L01oR7UIN25icAiy6jbtud1gafsUQUAgNw1ORdsoj0fOlMudHrqcSW" 501 -
    68.7.111.176 - - [03/Nov/2005:16:29:45 +0200] "ss0ASZf1k2yfObzz2GOZJppJyCepdQJiDq1Rnb2W1LMUhWGpZ7JYzsykRekzaEShK6Wv7SzZGNMGkyddpM3J09EzevcLSUEWVxLfXhly8DJVssHr7V3yh6st7ceRwimrtWY0chPS01wdBFxIQVtkXtPcWMcS5" 501 -
    71.248.17.73 - - [03/Nov/2005:16:29:45 +0200] "-" 408 -
    152.9.102.111 - - [03/Nov/2005:16:29:45 +0200] "Cz1nqbUO2Nj7DxX3wur5" 501 -
    69.1.47.239 - - [03/Nov/2005:16:29:46 +0200] "-" 408 -
    213.113.217.79 - - [03/Nov/2005:16:29:46 +0200] "IvkbOsetUuNC6ImPzFGmwmiJGssMr6UtyiUOVY5VXVhHUQ3PmL2Ry4CDMEzDNCiaowp4UQYF3elcwT4mdvaCmFEwEZpH3Av5bguhSfWO6FAIP" 501 -
    210.99.191.122 - - [03/Nov/2005:16:29:47 +0200] "-" 408 -
    209.89.250.72 - - [03/Nov/2005:16:29:47 +0200] "-" 408 -
    85.102.219.142 - - [03/Nov/2005:16:29:47 +0200] "7aUcy2RWF1q4CPe09xUr5br5Ww668jo9UnwI6sbc1zZrv1RvLE4AhestjFYB8QM3e1rIG1CMTwTr1cikUkiIAoU9PoEIbutjx7MqQ" 501 -
    218.80.15.46 - - [03/Nov/2005:16:29:48 +0200] "W96SucpQprB9zMrPH2ibjQT2FN413rN1jY0MS2PmD30haRO6K0wRw4U9fxPjtNajmcgOUGys8kR77S4Ar8s8TnD8GXaB6TOEMxxZGk" 501 -
    216.130.117.83 - - [03/Nov/2005:16:29:48 +0200] "REh8cludIgkqBCHqErCTjSx0O0i6XxV6G3cgtwaCr9GOxoVLCcJCwgI8bEp4pMB6oL8kDjzIJVlzMHDJSzwLdAtCBuqU95N8Vez2QkNJ7kZcBTXavu3DTTk0x3tpPT4VZIc34qiXWtIFk3xTh2lJUhke5J7N5EXJPkLyElayL8RyWf6whzobtuy8JgXjSv8uPi00G8Q" 501 -
    61.127.134.254 - - [03/Nov/2005:16:29:48 +0200] "FqiLCxMIkocrxtlzH5xJK1phgz4ub4hQYhVWIQnVpnvhZLciaRFPyLEW6ClBFa7FLXkWUh5aWkL1vkW7c06HITkNJCYsv" 501 -
    24.239.111.130 - - [03/Nov/2005:16:29:49 +0200] "-" 408 -
    211.89.129.9 - - [03/Nov/2005:16:29:49 +0200] "bOBl" 501 -
    221.184.214.139 - - [03/Nov/2005:16:29:50 +0200] "1I9Zsw3ZyQZNHn2gKOv5Bx3R45YwoDgyows06NtvAxDFcKLFfE6Zj592Ee" 501 -
    86.141.27.228 - - [03/Nov/2005:16:29:50 +0200] "-" 408 -
    84.69.23.192 - - [03/Nov/2005:16:29:50 +0200] "-" 408 -
    172.188.244.19 - - [03/Nov/2005:16:29:51 +0200] "-" 408 -
    219.17.190.38 - - [03/Nov/2005:16:29:51 +0200] "-" 408 -
    60.4.16.90 - - [03/Nov/2005:16:29:51 +0200] "5HjP1jj8Q2wnn1ce1RLuw3pGYEPrmKhFFH3ui1J0O25i5t9j6HIrkibYIshQ4ZZ1Mf2qkw4I4E6KKp0mxTFvqlB" 501 -
    218.79.144.10 - - [03/Nov/2005:16:29:51 +0200] "m32pJUNd7JUJxiEZSX9" 501 -
    ===============================================

    Apache is flooded; mod_dos is installed, but of no help.

    mod_sec can't help, since it is all irregular characters.

    Access is directly to the server and is not via a domain.

    The error_log at the same time has:
    ===============================================
    [Thu Nov 3 16:32:57 2005] [error] [client 200.203.9.146] Invalid method in request GGmq83kdg3wUWuuKg
    [Thu Nov 3 16:32:57 2005] [error] [client 24.228.19.157] Invalid method in request M0l3ZCerP0EGnk2Ciy7jezhZOXWOZemoSe9SMbsk0bzepAky0bh7UA0HSSUE4yFUlUIdkO7PNtnwgN7OPqL8ydQxq0Vc6erZ1H40P
    [Thu Nov 3 16:32:59 2005] [error] [client 61.26.49.190] Invalid method in request JwAfPb94pWgODqO9DcQPYdfKpdXVzyOAJzLV5pzFT0rhvdJpxKki9MA8aXeihbzRZnIJBmN93G06dTqN7j3MrvH02APoDhVv4mk1cc3wNtLSdLCtenSzBJAl3WmOBQzEZGxIvoIr9yippo6YL91hgErVo3L7OUMaBMeSO2ikG7RHC22OcS14PPlWUTTaQkNjiNI8PG8brWbyT0XeyhgSe8TQ71PWObLKNAGNPC3lK8IWR0W99SyAdZt2R3rUMzEFxMiy0l
    [Thu Nov 3 16:32:59 2005] [error] [client 70.27.168.126] Invalid method in request ZVV4GlUYtRCS7J
    [Thu Nov 3 16:32:59 2005] [error] [client 200.82.212.127] Invalid method in request 4FnwNofXOAbkbkMLMuJ0aD1CjpuSwqXkfgtxr4XnLwCQIbSVa7kJ843Krs13cDcMkga3KTwtbxulCepC42UsUjYVNffzBIgKhHzwXKsLirlLQ3BdfX8lI1Zj
    [Thu Nov 3 16:33:00 2005] [error] [client 201.135.173.121] Invalid method in request ncYzEG0OqEVip0HRNLT7WCIGFSMf2YlIT1vp4uZI
    [Thu Nov 3 16:33:00 2005] [error] [client 219.139.234.37] Invalid method in request G9EKmdIEwWBJTHGXQBGR1iudygKjSf8VG3sFMuvn5Wy6t9Rk5s3yAVcjXtVvGPFeNYOh4eKCKJl215rSg7r911Y3yxC2iRub58CY4BNzzwwEi3JA79xWNGxZdm2j95GlF4INUlY5zZS
    [Thu Nov 3 16:33:02 2005] [error] [client 69.244.107.123] Invalid method in request JY7xd8WFGrA12NMmP4ZSxthcppO13qv
    ===========================================

    Inference: DOS Attack.
    Method: Yet to be identified

    Can anyone shed some light on this matter?
     
  2. Liberty

    Liberty Member

    Joined:
    Nov 1, 2005
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    DoS = Denial of Service

    This means that someone is trying to send mass packets with bytes in them to your server, which will get a high load. For example: you send a ping from CMD (Windows) to your router; that router will be your server, but the amount of bytes sent is much more and much more powerful than a ping. The only thing you could do is install some firewalls, and only open the service ports for your server.

    Good luck
     
  3. linux-image

    linux-image Well-Known Member

    Joined:
    Jun 8, 2004
    Messages:
    1,192
    Likes Received:
    1
    Trophy Points:
    38
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Thanks, Liberty.

    A firewall is installed, and because the attack is on HTTP port 80, I can't block it with a firewall.

    As mentioned, the anti-DoS modules are also installed with Apache, as well as the one that comes with the firewall.

    The entire issue looks more like a SYN flood, and I would request anyone who has a possible solution to share it here.
     
  4. Liberty

    Liberty Member

    Joined:
    Nov 1, 2005
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    No problem. Be sure to block the IPs that make more than 5 connections per 5 seconds.
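    As an added example (not code from this thread or from cPanel), here is a small Python script that applies the rule above to access_log lines like the ones in the first post: it parses Apache common-log entries, counts only the junk requests (a random token where the method should be, answered 501, or an empty request that timed out with 408) and flags any source that sends more than 5 of them inside a 5-second window. The sample log lines and the RFC 5737 addresses in it are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+$')
VALID_METHODS = {"GET", "POST", "HEAD", "OPTIONS", "PUT", "DELETE", "TRACE", "CONNECT"}

# Constructed sample (RFC 5737 test addresses), modelled on the lines quoted in the thread.
SAMPLE_LOG = """\
198.51.100.10 - - [03/Nov/2005:16:29:45 +0200] "o9rKsXTyX9TJ0UxX" 501 -
198.51.100.10 - - [03/Nov/2005:16:29:45 +0200] "Cz1nqbUO2Nj7Dx" 501 -
198.51.100.10 - - [03/Nov/2005:16:29:46 +0200] "-" 408 -
198.51.100.10 - - [03/Nov/2005:16:29:47 +0200] "bOBl" 501 -
198.51.100.10 - - [03/Nov/2005:16:29:48 +0200] "m32pJUNd7JUJ" 501 -
198.51.100.10 - - [03/Nov/2005:16:29:49 +0200] "5HjP1jj8Q2wn" 501 -
203.0.113.7 - - [03/Nov/2005:16:29:45 +0200] "-" 408 -
192.0.2.44 - - [03/Nov/2005:16:29:46 +0200] "GET /index.html HTTP/1.1" 200 1234
"""

def parse_line(line):
    """Split one access_log line into fields; the request line's first token is the method."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["method"] = rec["req"].split(" ", 1)[0]
    return rec

def is_junk_request(rec):
    """Random token in place of a method (Apache logs 501 'Invalid method in request'), or an empty request timing out with 408."""
    return (rec["status"] == 501 and rec["method"] not in VALID_METHODS) or (rec["status"] == 408 and rec["req"] == "-")

def flag_sources(log_text, limit=5, window_s=5):
    """{ip: peak count} for sources exceeding `limit` junk requests in any `window_s`-second window."""
    recent, flagged = defaultdict(deque), {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_junk_request(rec):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (q[-1] - q[0]).total_seconds() > window_s:   # slide the window forward
            q.popleft()
        if len(q) > limit:
            flagged[rec["ip"]] = max(len(q), flagged.get(rec["ip"], 0))
    return flagged
```

    The returned dictionary is what you would feed into a firewall deny list; legitimate requests (a real method, 2xx/4xx status) are never counted, so a busy but honest client does not get blocked by this rule.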
     
  5. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38
    Shorewall will help you (see my signature).
     
  6. Bulent Tekcan

    Bulent Tekcan Well-Known Member

    Joined:
    May 11, 2004
    Messages:
    177
    Likes Received:
    0
    Trophy Points:
    16
    Hello Radio_Head

    Which rules are best for a cPanel+WHM+vBulletin forum? Could you include 2-3 rules?

    Thanks
     
  7. bonnmac

    bonnmac Well-Known Member

    Joined:
    Apr 26, 2003
    Messages:
    101
    Likes Received:
    0
    Trophy Points:
    16
    I seem to be having a similar problem, but netstat is showing the connections being made to a domain not even on my server. Any ideas how to stop this one? dosevasive has already blocked about 5000 IPs, as has APF.
     
  8. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    If none of the widely used/common firewalls or security patches work for you, then you need to talk to your DC and ask them to install a hardware firewall such as SnapGear. A hardware firewall is a little pricey, but that's your best option.
     
  9. bonnmac

    bonnmac Well-Known Member

    Joined:
    Apr 26, 2003
    Messages:
    101
    Likes Received:
    0
    Trophy Points:
    16
    The DC I use does have a hardware firewall, and they can block traffic to the IP which is being hammered. However, my concern is: how are they hammering a domain that doesn't exist on my server?
     
  10. Zaf

    Zaf Well-Known Member

    Joined:
    Aug 22, 2005
    Messages:
    119
    Likes Received:
    0
    Trophy Points:
    16
    Did you finally get a solution to this problem?

    bonnmac: Watch out! Having 5000 IPs in your firewall is surely going to make things unstable for your box, and you might not even be able to reboot it, as per what I have read in other threads on this forum before.
     
  11. hmos11

    hmos11 Member

    Joined:
    Apr 30, 2005
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    I had exactly the same problem about 2 weeks ago.

    I installed every IP-blocking script for excessive connections that exists on this planet, and I blocked about 28000 IPs.
    I also activated the DoS feature of APF and SYN flood protection, and optimized the kernel and Apache, but I didn't get any result.

    Finally I changed my datacenter to another one that had anti-DoS hardware, and they block the bad traffic.
     
  12. HostMerit

    HostMerit Well-Known Member

    Joined:
    Oct 24, 2004
    Messages:
    160
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    New Jersey, USA
    cPanel Access Level:
    DataCenter Provider
    If they're attacking a domain (that doesn't even exist) on your server, it must be going through named.

    May I suggest creating a named record by copying another to /var/named/fakedomain.com.db and pointing all records to 127.0.0.1?

    After that, run rndc reload, and hopefully named will answer back to the attacking computers so that they attack / request their own machines. This is what I do when we get someone attacking a very small domain, etc.

    Just a thought..

    Also, if you can see a pattern in the randomness, aka 'Rj', 'Di', etc. (I didn't look at the requests), you can mod_security them out.

    Also, forcing stricter methods (requiring user agents, etc.) might block these attacks.

    I guess you can just run Dosevasive in a very strict mode, then send your /etc/apf/deny_hosts.list to the data center to block manually. Slowly but surely, it will block out their botnet.
     
  13. vishwas

    vishwas Well-Known Member

    Joined:
    Feb 9, 2004
    Messages:
    61
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Front of PC
    I had exactly the same problem some days back.

    But the thing is that the attack is not from a single IP; it's using random IPs. I already installed APF on the server, still no use.

    :S
     