First aid for DDOS attack on port 80

sibinkc

Member
Sep 9, 2006

We can use the following steps to recover our server from a DDOS attack on port 80. To do this you must be logged in to the server as the root user.



Step 1 : Install/Configure APF firewall


a) If there is no firewall installed on the server, please install one;
you will find the steps and directions at the following site.

http://www.webhostgear.com/61.html


b) Turn on the antidos option (USE_AD) in the APF conf file (conf.apf is sourced as a shell file, so the value is quoted and has no spaces around the "=")

# vi /etc/apf/conf.apf

USE_AD="1"




Step 2 : Install/Configure mod_evasive (for Apache 1.3x)

mod_evasive and mod_dosevasive are the same

a) Install mod_evasive

# wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
# tar -xzvf mod_evasive_1.10.1.tar.gz
# cd mod_evasive

# /usr/local/apache/bin/apxs -i -a -c mod_evasive.c
# /etc/init.d/httpd restart


b) Also include the following lines in the apache conf file

# vi /usr/local/apache/conf/httpd.conf

-------------------------------------------------
<IfModule mod_evasive.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
</IfModule>
-------------------------------------------------


c) Restart the webserver

# /etc/init.d/httpd restart





Step 3 : Install mod_security

Normally we can find/install this module from WHM:
WHM >> cPanel >> Addon Modules >> select "modsecurity" >> Save






Step 4 : Blocking IPs

a) Find the IPs that have established a connection with the server

(The following command is the better one for getting the IPs, as it sorts them
according to the number of connections.)


netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n


b) Block them using IPTABLES

# iptables -I INPUT -s 218.92.207.28 -j DROP
# service iptables save
# service iptables restart


c) Block them on APF too

# vi /etc/apf/deny_hosts.rules
<Add the IPs at the end>

# service apf restart





Step 5 : Optimizing the httpd.conf file

# vi /usr/local/apache/conf/httpd.conf

Change the below options as follows; the original values are shown in
brackets.

MaxKeepAliveRequests 50 (100)
KeepAliveTimeout 60 (30)


Also edit the following options too, according to the situation.

Timeout
KeepAlive
MinSpareServers
MaxSpareServers
MaxClients





Step 6 : Install/Configure 3rd party DDOS prevention tools

We can also use the most trusted 3rd party script 'DDoS-Deflate' to prevent DDOS attacks effectively.
The steps to install this script are as follows.

# wget http://www.inetbase.com/scripts/ddos/install.sh
# sh install.sh

Add the script '/usr/local/ddos/ddos.sh' to cron as follows

# crontab -e

*/5 * * * * /usr/local/ddos/ddos.sh >/dev/null 2>&1





Step 7 : Suspend websites

Check the bandwidth usage of all the domains and suspend the high-bandwidth-consuming domains for a while.





PERMANENT WAY TO FIX THE DDOS ATTACK

As we all know, software has its own limitations in preventing DDOS attacks; we can follow these steps to cure it permanently.

1. Ask the NOC to attach a Cisco Guard to the server for 24 hours
(normally this service is free from most NOCs)

2. Attach a hardware firewall for the server



Hope this will help you in such a situation :)
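Added example, not part of the original post and not DDoS-Deflate's own code: a small POSIX shell script that does what Step 4a and the ddos.sh cron job do, counting connections per remote IP from netstat output and listing the addresses above a threshold, while skipping the header lines and non-address fields that the bare one-liner lets through. The netstat sample and its addresses are constructed; block_commands only prints the iptables line from Step 4b for review instead of running it.

```shell
#!/bin/sh
# Count connections per remote IP from netstat-style output and list those
# above a threshold, the way Step 4a / the ddos.sh cron job decide which
# addresses to feed to iptables and APF. Unlike the one-liner in Step 4a it
# ignores netstat's header lines and non-address fields (the source of the
# bare "170"/"46" entries quoted later in this thread).

# Constructed sample of `netstat -ntu` output; all addresses are made up.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             198.51.100.7:51234      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51235      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51236      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.9:40001       ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.44:33000        ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51237      SYN_RECV
udp        0      0 0.0.0.0:53              0.0.0.0:*'

# top_talkers THRESHOLD  (reads netstat output on stdin)
# Prints "count ip" for every remote IPv4 address with at least THRESHOLD
# connections, most connections first. Lines whose 5th field is not
# ip:port (headers, IPv6 entries) and the 0.0.0.0 wildcard are skipped.
top_talkers() {
    awk -v min="$1" '
        $5 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:/ {
            split($5, a, ":")
            if (a[1] != "0.0.0.0") count[a[1]]++
        }
        END {
            for (ip in count)
                if (count[ip] >= min) print count[ip], ip
        }' | sort -rn
}

# block_commands THRESHOLD: print (do not run) the iptables line from
# Step 4b for each offender, so the list can be reviewed before blocking.
block_commands() {
    top_talkers "$1" | while read -r n ip; do
        printf 'iptables -I INPUT -s %s -j DROP   # %s connections\n' "$ip" "$n"
    done
}

# Stand-alone run on the constructed sample: only 198.51.100.7 (4 lines)
# crosses a threshold of 2.
echo "$SAMPLE_NETSTAT" | block_commands 2
```

On a live box replace the sample with `netstat -ntu | top_talkers 20` and review the output before pasting any line into iptables or deny_hosts.rules.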
 

Tina

Well-Known Member
Jan 27, 2003
Hello and thank you for your contribution.

I am wondering, will "Install/Configure 3rd party DDOS prevention tools" conflict in any way with the CSF add-on by Chirpy (Johnathan)?
 

Solokron

Well-Known Member
Aug 8, 2003
Viewing the documentation and the conf file for DDoS-Deflate, it appears it is designed to work in conjunction with APF.
 

persianwhois

Well-Known Member
Apr 18, 2007
Best value for evasive and ddos

Hello,
What is best value for ddos.conf:
Code:
##### Number of seconds the banned ip should remain in blacklist.
BAN_PERIOD=1800
and mod_evasive:
Code:
DOSBlockingPeriod 1800
Help me please. I touched the default value!!!
 

persianwhois

Well-Known Member
Apr 18, 2007
unable to install anti dos program

Hello,
Some files of the previous anti-DoS program were removed and I tried to install it again,
but I am unable to install the anti-DoS program.

[[email protected] ~]# wget http://www.inetbase.com/scripts/ddos/install.sh
--08:44:51-- http://www.inetbase.com/scripts/ddos/install.sh
=> `install.sh'
Resolving www.inetbase.com... 205.234.99.83
Connecting to www.inetbase.com|205.234.99.83|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1,067 (1.0K) [application/x-sh]

100%[====================================>] 1,067 --.--K/s

08:44:54 (84.80 MB/s) - `install.sh' saved [1067/1067]

[[email protected] ~]# sh install.sh


Please un-install the previous version first

How can I uninstall the previous version?
 

pacificw

Well-Known Member
Aug 26, 2007
nice info, well documented.

the one sure fire way to make sure you don't end up
with a ddos on port 80 is not to tick off the person
with a botnet. :P
 

pacificw

Well-Known Member
Aug 26, 2007
Thanks for the article infopro.. it was quite interesting. I couldn't agree more; there is NO good reason for a ddos attack. Back in the late '80s / early '90s I had quite a successful hosting biz. We ran for close to 9 yrs straight, until some little punk kids came down the block once and found out that I was a "woman" and they couldn't stand the thought of a hosting biz being run by a woman.. I ended up getting ddos'd so badly that after 9 months and thousands later in high BW bills I had to shut down. Back then, we had no fancy software or deluxe hardware firewalls to stop such attacks. Most times, all we could do was remove the IP or shut the box off completely until it was over with.. usually after an hour or so of them hammering a dead connx they'd quit. But they'd watch and wait for it to come back up and start up all over again. I lost not only what I enjoyed but financially it ruined me. I did end up working with the local FBI unit for months afterwards helping them detect and shut down other botnets.. ironic that the one that attacked me was attacked themselves :) and were finally put out of the botnet biz by someone else. Oh well, there is justice at times..

sorry for the OT.
 

persianwhois

Well-Known Member
Apr 18, 2007
Help Me!

Oh my god! Our server has been down for 3 days. :(
The attacker f*** me. I installed APF, mod_evasive, anti-DoS and a Cisco hardware firewall to block the DoS attack!
But the attacker DoSes my server and brings it down.
POP and FTP stop and do not start. I think POP and FTP are being attacked!
Why does the red section have no IP?!

POP3 traffic (netstat):
1 217.219.17.71
170

FTP traffic (netstat):
1 0.0.0.0
1 217.219.94.229
1 62.193.19.66
3 82.208.10.21
7 68.115.187.125
8 66.228.119.70
28 67.55.128.183
46



Some top http in one time:
125.137.87.169 with 752 connections
122.47.129.60 with 535 connections
219.254.39.204 with 525 connections
218.39.193.100 with 512 connections
83.28.167.121 with 221 connections
88.212.7.35 with 485 connections
211.211.50.123 with 386 connections
219.248.42.90 with 617 connections


APF blocks 25 IPs per second. The attack is very heavy!
Please help me to resolve this problem.
 