Good DDoS Protection?

Discussion in 'General Discussion' started by chris8lunch, Jun 14, 2006.

  1. chris8lunch

    chris8lunch Well-Known Member

    Can someone tell me where a good free program is?
     
  2. NightStorm

    NightStorm Well-Known Member

    mod_evasive is alright. The only problem with it is that it still processes the query, so if an attack were to start, you could be facing some downtime while your server processes the initial rush. It's also only really effective if you are using it along with a script like apf or an iptables firewall (which will block the IP from entering your server, as opposed to blocking it at the httpd request). If you don't firewall the IP, you get to deal with that initial crowd all over again once evasive unblocks the IP. It's also notorious for false positives, so finding that line between too little and too much can be difficult... especially when under pressure of an impending attack (and trust me, I've had more than my fair share of those... luckily the FBI took our reports seriously when we sent them logs showing that 3 of the attacking PCs belonged to the Department of Defense).
    I also use something called the scrutinizer (http://www.solutix.ch/cgi-bin/index.pl). I stumbled across this purely by accident a few years ago when tweaking my Plesk box, and while it's never been out of "beta", and is no longer developed, it's a pretty good defense measure against httpd DDoS attacks. Better than mod_evasive, to be honest... but that's just my own opinion. I've seen it combat a 2000+ bot attack while mod_evasive choked under the queries.
    To be perfectly honest though, the only true way to combat a DDoS is at your upstream. No amount of defense on your server is going to keep you online if someone has more than 25 bots and the true urge to take you offline. Luckily, datacenters like Ev1 have a multi-layer firewall at their pipe that blocks pretty much all UDP/SYN/ICMP DDoS attacks, as well as a lot of invalid httpd traffic (malformed packets and such). Once a real DDoS attack is launched on you, no programs on your server will be able to deal with it, though, and I won't try to give you false hope by listing off a program that might.
     
  3. chris8lunch

    chris8lunch Well-Known Member

    Thanks! Could you please give me links to download the DDoS protection you're talking about? I am using Linux.

    Thing is, right now I'm under attack, but it does not seem like a big attack. I look under "Apache Status" and I see that a certain IP is hitting a site more than 10 times, I block it, then the server load returns to normal. Currently I have to check back every hour to block the IPs.

    Anyway, please send me the links, thanks!
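
The hourly routine described in the post above (spot an IP hitting a site more than 10 times, then block it), as an added example that is not part of any post in this thread. It assumes Apache access-log lines on stdin instead of the Apache Status page; the function names, the threshold and the sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: automate "find the IP hitting the site too often, then block it".

# over_limit THRESHOLD [ALLOWED_IP ...]  (Apache access-log lines on stdin)
# Prints "COUNT IP" for each client above THRESHOLD, busiest first.
over_limit() {
    limit=$1; shift
    allow=" $* "
    awk -v limit="$limit" -v allow="$allow" '
        # Count only dotted-quad first fields, so a hostname or junk in
        # the log can never end up inside a firewall command.
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { hits[$1]++ }
        END {
            for (ip in hits)
                if (hits[ip] > limit && index(allow, " " ip " ") == 0)
                    print hits[ip], ip
        }' | sort -rn
}

# Print (never run) one DROP rule per offender so it can be reviewed first.
block_rules() {
    while read -r count ip; do
        printf 'iptables -I INPUT -s %s -j DROP  # %s requests\n' "$ip" "$count"
    done
}

# Constructed sample input: emit N copies of a log line for a given client.
emit() {
    n=$1
    while [ "$n" -gt 0 ]; do
        echo "$2 - - [14/Jun/2006:10:00:00 +0000] \"GET /index.php HTTP/1.1\" 200 512"
        n=$((n - 1))
    done
}
sample_log() {
    emit 12 203.0.113.7      # repeat offender
    emit 15 198.51.100.9     # busy but trusted (e.g. a monitoring host)
    emit 3  192.0.2.10       # ordinary visitor
    emit 11 bot.example.net  # hostname, ignored by the IP check
}

sample_log | over_limit 10 198.51.100.9 | block_rules
```

The allowlist argument addresses the false-positive problem raised earlier in the thread: a busy but legitimate client is never turned into a firewall rule.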
     
  4. NightStorm

    NightStorm Well-Known Member

    mod_evasive: http://www.nuclearelephant.com/projects/mod_evasive/
    Be advised that this has been known to cause problems with Frontpage Extensions... I have not yet experienced them, but then I'm the sort of person who would personally beat someone to death with their keyboard for actually using Frontpage ;)
    http://www.eth0.us/mod_evasive has a quickie tutorial on how to install it. It will likely work with your problem (one or a few people hitting a site over and over). But as I mentioned before, watch out that you don't set it too hard, or you'll start blocking a lot of legit traffic.
     
  5. chris8lunch

    chris8lunch Well-Known Member

    I installed the other thing you talked about, is it better or should I install that instead or both?
     
  6. NightStorm

    NightStorm Well-Known Member

    I installed both and they do not conflict with one another.
    Make sure that you properly train scrutinizer, if that's what you go with. Simply installing it and starting it up won't be good enough... it won't catch anything, as it hasn't had any data to analyze in advance to know what your server would consider a problem, vs what your server would consider standard traffic.
     
  7. IPSecureNetwork

    IPSecureNetwork Well-Known Member

    DDoS protection

    Well, I have bad news for you guys... DDoS protection software doesn't exist.
    The only good protection against DDoS is firewalls in your datacenter. So
    if your datacenter doesn't have any firewall or DDoS filter, you can't stop DDoS attacks.
    Because when one kid attacks you with Distributed Denial of Service, botnets for example,
    your NIC will be saturated and any service will be inaccessible... and no software exists to prevent it from your box... all the network.

    I recommend you contract a dedicated server with DDoS protections in the network.

    and advice ... WWW.IPSECURENETWORK.COM

    Good protections against DDoS attacks ... very stable and robust system firewalls..
    for more information send an email to info@ipsecurenetwork.com
     
  8. chris8lunch

    chris8lunch Well-Known Member

    That's untrue, you're saying there IS and then there ISN'T. DCs provide a level of DDoS protection, but using software can stop DDoS. I am using this and it works great, I actually see it blocking the IPs and the site it's attacking!

    Thanks man!!!
     
  9. NightStorm

    NightStorm Well-Known Member

    Wow. Way to join in on a topic and correct someone by saying the same thing they said a day before. *cough*
     
  10. IPSecureNetwork

    IPSecureNetwork Well-Known Member


    Dude, if you try to stop a real DDoS / DoS attack, you can do nothing with software-based firewalls, because the real problem is in the bandwidth stream. The attack is at another level and your software only watches.

    Imagine this scenario... one guy tries to attack you with a DDoS connection flood, with 3000 botnets. Your software can block the incoming packets, but the router receiving the packets before your box is saturated, and your box just disappears from the internet, because the router before it is down or your bandwidth is completely consumed.

    Dude, trust me... with a real attack, software firewalls don't work.
     
  11. NightStorm

    NightStorm Well-Known Member

    Actually, you're only half-right. Bandwidth saturating DDoS is only one method... you can bring a site down with 10 bots just as easily by causing the site to essentially eat itself alive. Massive httpd and SQL queries can bring a site down just as easily as saturating the router with traffic, and can be blocked by proper software configuring...
    The problem that chris8lunch posted about was unrelated to bandwidth saturation... it was using the server's own resources to bring it to its knees, and it is something that can be fought with proper configurations and some simple tools in place.
     
  12. gordypordy

    gordypordy Active Member


    Well they look just like any bog standard little old hosting company offering standard hosting, like a lot of the people who prolly use these forums.

    You need to go a level above them, which I did, and found that their website resolves to IP:/208.98.28.231
    When you do a check on that, you will find that it resolves to http://www.sharktech.net/

    So THAT is where most peeps here would be looking if they were wanting to move their SERVER(S) to a more secure datacentre.

    They look purty good and offer a hefty 4500GB bandwidth per month for anyone with a server using a hefty load.

    :eek:
     
    #12 gordypordy, Jul 7, 2006
    Last edited: Jul 7, 2006
  13. Arsenico

    Arsenico Member


    You are reselling http://www.sharktech.net/ dedicated servers.

    They have good DDoS protection, but not for the multiple port attacks.

    And you, man, will use the IPFW rules for the people.

    I know some things about you. I know that you are really good with Unix. But tell the truth to the people.

    On sharktech you can tell them in a support ticket that you are getting attacked and they will ban the IP addresses in a sec.
    But you will need a software protection.

    The software protection who is using west domains is:
    Limit connections per IP for one port.
    Limit UDP and ICMP packet size.

    IP x.x.x.x can only make X connections on X port. (But if you get attacked with a botnet of 5K on bots... they can put you down, so you will need a way to ban IP addresses. If you have a way to do it, the attack will not be effective.)
     
    #13 Arsenico, Jan 26, 2007
    Last edited: Jan 26, 2007