javii

Registered
Sep 26, 2013
cPanel Access Level
Root Administrator
Hi!

I'm suffering a DDoS attack, and really need help to solve it.

Server Status
Apache Server Status for xxxxxxxxxxxx

Server Version: Apache/2.2.15 (Unix) DAV/2 mod_fcgid/2.3.7 mod_python/3.3.1 Python/2.6.6 mod_ssl/2.2.15 OpenSSL/1.0.0-fips mod_perl/2.0.4 Perl/v5.10.1
Server Built: May 13 2013 22:11:16
Current Time: Thursday, 26-Sep-2013 18:22:59 CEST
Restart Time: Thursday, 26-Sep-2013 18:06:35 CEST
Parent Server Generation: 0
Server uptime: 16 minutes 24 seconds
Total accesses: 1937 - Total Traffic: 14.6 MB
CPU Usage: u.56 s.07 cu0 cs0 - .064% CPU load
1.97 requests/sec - 15.2 kB/second - 7.7 kB/request
136 requests currently being processed, 7 idle workers
RRRR_RRCCCRCRRRRCRRRRCRCC_RCCRCRRCRRRRCRRRCRRRRRRRRRRRRRRRRRRRRR
CRRRRRRRRRRRRRR_RRCRRRRRRKRRRRRRRRRRRCRCR_RRRRRKCRR..RR_CC.C_RR.
RRRRRR....R.R.R..R.R..RR_..RR.W...R.......R.....................
................................................................
................................................................
................................................................
................................................................
....................................................
Scoreboard Key:
"_" Waiting for Connection, "S" Starting up, "R" Reading Request,
"W" Sending Reply, "K" Keepalive (read), "D" DNS Lookup,
"C" Closing connection, "L" Logging, "G" Gracefully finishing,
"I" Idle cleanup of worker, "." Open slot with no current process

Srv PID Acc M CPU SS Req Conn Child Slot Client VHost Request
0-0 2268 0/1/7 R 0.00 1 644 0.0 0.00 0.02 ? ? ..reading..
1-0 2060 0/4/6 R 0.01 0 676 0.0 0.05 0.05 ? ? ..reading..
2-0 3132 0/0/17 R 0.00 7 0 0.0 0.00 0.50 ? ? ..reading..
3-0 3048 0/0/13 R 0.00 6 0 0.0 0.00 0.24 ? ? ..reading..
4-0 3249 0/0/16 _ 0.01 0 0 0.0 0.00 0.27 127.0.0.1 server OPTIONS * HTTP/1.0
5-0 3086 0/0/5 R 0.01 5 0 0.0 0.00 0.06 ? ? ..reading..
6-0 3159 0/0/15 R 0.01 7 0 0.0 0.00 0.09 ? ? ..reading..
7-0 3051 0/0/42 C 0.00 1 0 0.0 0.00 0.94 127.0.0.1 server OPTIONS * HTTP/1.0
8-0 2827 0/2/12 C 0.00 1 90 0.0 0.01 0.18 184.73.60.152 vhost1 GET / HTTP/1.0
9-0 2440 0/1/15 C 0.00 1 123 0.0 0.00 0.06 46.118.159.187 vhost2 POST /administrator/index.php HTTP/1.1
10-0 3052 0/5/14 R 0.01 9 906 0.0 0.04 0.11 ? ? ..reading..
11-0 3252 0/1/13 C 0.00 0 867 0.0 0.03 0.28 157.55.33.16 vhost2 GET /index.php?option=com_kunena&Itemid=79&func=view&catid=15&i
12-0 3065 0/1/8 R 0.00 8 4 0.0 0.00 0.03 ? ? ..reading..
13-0 3160 0/0/3 R 0.00 6 0 0.0 0.00 0.00 ? ? ..reading..
14-0 2875 0/1/14 R 0.00 2 2 0.0 0.00 0.12 ? ? ..reading..
15-0 3161 0/0/60 R 0.00 6 0 0.0 0.00 0.84 ? ? ..reading..
16-0 2595 1/2/7 C 0.00 0 0 0.0 0.00 0.08 127.0.0.1 server OPTIONS * HTTP/1.0
17-0 977 0/10/10 R 0.00 9 1 0.0 0.12 0.12 ? ? ..reading..
18-0 1560 0/7/9 R 0.02 7 123 0.0 0.05 0.05 ? ? ..reading..
19-0 2876 0/0/23 R 0.00 7 0 0.0 0.00 0.26 ? ? ..reading..
20-0 3253 0/2/9 R 0.00 2 282 0.0 0.03 0.04 ? ? ..reading..
As you can see there are a lot of "..reading.." connections.

Tcpdump:
18:27:05.971692 IP 82.71.43.114.45709 > my-ip.80: Flags [.], ack 3500101088, win 65535, length 0
18:27:05.986529 IP 78.98.43.167.39886 > my-ip.80: Flags [S], seq 946751078, win 65535, options [mss 1402,nop,nop,sackOK], length 0
18:27:05.986555 IP my-ip.80 > 78.98.43.167.39886: Flags [S.], seq 3018772423, ack 946751079, win 14600, options [mss 1460], length 0
18:27:06.009461 IP 41.223.161.211.6886 > my-ip.80: Flags [S], seq 1013549710, win 8192, options [mss 1392,nop,wscale 2,nop,nop,sackOK], length 0
18:27:06.009488 IP my-ip.80 > 41.223.161.211.6886: Flags [S.], seq 1167340159, ack 1013549711, win 14600, options [mss 1460], length 0
18:27:06.022117 IP my-ip.80 > 78.171.186.240.1369: Flags [S.], seq 167210044, ack 3801823539, win 14600, options [mss 1460], length 0
18:27:06.022126 IP my-ip.80 > 1.187.190.80.3856: Flags [S.], seq 3630532804, ack 2003063778, win 14600, options [mss 1460], length 0
18:27:06.022130 IP my-ip.80 > 201.16.178.157.29427: Flags [S.], seq 287636603, ack 1308452730, win 14600, options [mss 1460], length 0
18:27:06.025784 IP my-ip.80 > 200.25.218.61.50810: Flags [F.], seq 2434628115, ack 2234953787, win 14600, length 0
18:27:06.030378 IP my-ip.80 > 50.101.138.77.45636: Flags [F.], seq 456110711, ack 2331953290, win 14600, length 0
18:27:06.031979 IP my-ip.80 > 177.203.26.202.49912: Flags [F.], seq 311803157, ack 1291913055, win 14600, length 0
18:27:06.032342 IP my-ip.80 > 121.54.13.53.50056: Flags [F.], seq 422689070, ack 1721847099, win 14600, length 0
18:27:06.043340 IP my-ip.80 > 27.255.2.166.51299: Flags [F.], seq 2340335837, ack 3305454671, win 14600, length 0
18:27:06.065408 IP 78.98.43.167.39886 > my-ip.80: Flags [.], ack 1, win 65535, length 0
18:27:06.067190 IP 78.98.43.167.39886 > my-ip.80: Flags [R.], seq 1, ack 1, win 0, length 0
18:27:06.067402 IP 178.61.36.62.57967 > my-ip.80: Flags [S], seq 776543266, win 65535, options [mss 1460,nop,wscale 0,sackOK,TS val 1856585239 ecr 0], length 0
18:27:06.067427 IP my-ip.80 > 178.61.36.62.57967: Flags [S.], seq 2857755694, ack 776543267, win 14480, options [mss 1460,nop,nop,TS val 753303160 ecr 1856585239], length 0
18:27:06.090509 IP 111.93.103.100.45870 > my-ip.80: Flags [S], seq 1272535346, win 65535, options [mss 1460,nop,nop,sackOK], length 0
18:27:06.090535 IP my-ip.80 > 111.93.103.100.45870: Flags [S.], seq 4030994986, ack 1272535347, win 14600, options [mss 1460], length 0
18:27:06.094049 IP 200.106.167.16.52271 > my-ip.80: Flags [S], seq 1295736049, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:27:06.094068 IP my-ip.80 > 200.106.167.16.52271: Flags [S.], seq 582326863, ack 1295736050, win 14600, options [mss 1460], length 0
18:27:06.101501 IP 201.145.235.238.60494 > my-ip2.80: Flags [.], ack 1967064337, win 20160, options [nop,nop,TS val 6675513 ecr 753302649], length 0
18:27:06.101520 IP my-ip2.80 > 201.145.235.238.60494: Flags [.], seq 7201:8641, ack 0, win 15246, options [nop,nop,TS val 753303194 ecr 6675513], length 1440
18:27:06.101524 IP my-ip2.80 > 201.145.235.238.60494: Flags [.], seq 8641:10081, ack 0, win 15246, options [nop,nop,TS val 753303194 ecr 6675513], length 1440
18:27:06.101528 IP my-ip2.80 > 201.145.235.238.60494: Flags [.], seq 10081:11521, ack 0, win 15246, options [nop,nop,TS val 753303194 ecr 6675513], length 1440
18:27:06.101531 IP my-ip2.80 > 201.145.235.238.60494: Flags [P.], seq 11521:12961, ack 0, win 15246, options [nop,nop,TS val 753303194 ecr 6675513], length 1440
18:27:06.101535 IP my-ip2.80 > 201.145.235.238.60494: Flags [P.], seq 12961:14401, ack 0, win 15246, options [nop,nop,TS val 753303194 ecr 6675513], length 1440
18:27:06.102034 IP 201.145.235.238.60494 > my-ip2.80: Flags [.], ack 1441, win 23040, options [nop,nop,TS val 6675514 ecr 753302649], length 0
18:27:06.102455 IP 201.145.235.238.60494 > my-ip2.80: Flags [.], ack 2881, win 25920, options [nop,nop,TS val 6675515 ecr 753302649], length 0
18:27:06.102545 IP my-ip2.80 > 201.145.235.238.60494: Flags [.], seq 14401:15841, ack 0, win 15246, options [nop,nop,TS val 753303195 ecr 6675515], length 1440
18:27:06.102576 IP my-ip2.80 > 201.145.235.238.60494: Flags [.], seq 15841:17281, ack 0, win 15246, options [nop,nop,TS val 753303195 ecr 6675515], length 1440
18:27:06.102587 IP my-ip2.80 > 201.145.235.238.60494: Flags [.], seq 17281:18721, ack 0, win 15246, options [nop,nop,TS val 753303195 ecr 6675515], length 1440
18:27:06.102595 IP my-ip2.80 > 201.145.235.238.60494: Flags [.], seq 18721:20161, ack 0, win 15246, options [nop,nop,TS val 753303195 ecr 6675515], length 1440
18:27:06.103424 IP 201.145.235.238.60494 > my-ip2.80: Flags [.], ack 4321, win 28800, options [nop,nop,TS val 6675516 ecr 753302649], length 0
18:27:06.103440 IP my-ip2.80 > 201.145.235.238.60494: Flags [.], seq 20161:21601, ack 0, win 15246, options [nop,nop,TS val 753303196 ecr 6675516], length 1440
18:27:06.103444 IP my-ip2.80 > 201.145.235.238.60494: Flags [P.], seq 21601:22679, ack 0, win 15246, options [nop,nop,TS val 753303196 ecr 6675516], length 1078
18:27:06.105204 IP my-ip.80 > 182.189.153.33.51187: Flags [F.], seq 3951805181, ack 1223262762, win 14600, length 0
18:27:06.107999 IP 201.145.235.238.60494 > my-ip2.80: Flags [.], ack 5761, win 31680, options [nop,nop,TS val 6675516 ecr 753302649], length 0
18:27:06.109364 IP 201.145.235.238.60494 > my-ip2.80: Flags [.], ack 7201, win 34560, options [nop,nop,TS val 6675517 ecr 753302649], length 0
18:27:06.127115 IP my-ip.80 > 120.61.194.13.11375: Flags [F.], seq 1711932948, ack 1335329830, win 14600, length 0
18:27:06.140963 IP 181.65.116.210.26389 > my-ip.80: Flags [.], ack 2566512674, win 65535, length 0
18:27:06.167147 IP 177.203.26.202.49912 > my-ip.80: Flags [F.], seq 683, ack 0, win 17520, length 0
18:27:06.167170 IP my-ip.80 > 177.203.26.202.49912: Flags [.], ack 1, win 14600, length 0
18:27:06.184068 IP 50.101.138.77.45636 > my-ip.80: Flags [.], ack 1, win 17280, length 0
18:27:06.198697 IP 2.184.61.223.2841 > my-ip.80: Flags [S], seq 3015040955, win 8192, options [mss 1440,nop,wscale 2,nop,nop,sackOK], length 0
18:27:06.198726 IP my-ip.80 > 2.184.61.223.2841: Flags [S.], seq 3246841610, ack 3015040956, win 14600, options [mss 1460], length 0
18:27:06.220984 IP 180.214.232.78.28235 > my-ip.80: Flags [.], ack 3674866480, win 17520, length 0
18:27:06.223091 IP my-ip.80 > 2.176.216.84.3034: Flags [S.], seq 4139891721, ack 2220505543, win 14600, options [mss 1460], length 0
18:27:06.223099 IP my-ip.80 > 113.210.138.186.64372: Flags [S.], seq 28849169, ack 568019474, win 14600, options [mss 1460], length 0
18:27:06.223104 IP my-ip.80 > 46.248.49.27.1862: Flags [S.], seq 582926718, ack 2058981683, win 14600, options [mss 1460], length 0
18:27:06.236013 IP 78.171.186.240.1427 > my-ip.80: Flags [.], ack 2814938146, win 65340, length 0
18:27:06.236257 IP 178.61.36.62.57967 > my-ip.80: Flags [.], ack 1, win 65535, options [nop,nop,TS val 1856585409 ecr 753303160], length 0
18:27:06.243750 IP 200.25.218.61.50810 > my-ip.80: Flags [F.], seq 711, ack 1, win 65535, length 0
18:27:06.243788 IP my-ip.80 > 200.25.218.61.50810: Flags [.], ack 1, win 14600, length 0
18:27:06.244289 IP 200.25.218.61.50810 > my-ip.80: Flags [.], ack 1, win 65535, length 0
18:27:06.247890 IP 190.104.11.249.61438 > my-ip.80: Flags [.], ack 3985940550, win 17520, length 0
18:27:06.249147 IP 41.223.161.211.6886 > my-ip.80: Flags [.], ack 1, win 16704, length 0
18:27:06.252100 IP 180.214.232.78.28235 > my-ip.80: Flags [R], seq 3454827112, win 17520, length 0
18:27:06.262074 IP 2.100.233.41.26382 > my-ip.80: Flags [R.], seq 2482622651, ack 1066014223, win 0, length 0
18:27:06.280428 IP 111.93.103.100.45870 > my-ip.80: Flags [.], ack 1, win 65535, length 0
18:27:06.295040 IP 120.61.194.13.11375 > my-ip.80: Flags [.], ack 1, win 17680, length 0


netstat -an|awk '/tcp/ {print $6}'|sort|uniq -c
123 ESTABLISHED
96 FIN_WAIT1
611 FIN_WAIT2
24 LISTEN
75 SYN_RECV
62 TIME_WAIT
# cat /proc/sys/net/ipv4/tcp_syncookies
1
# cat /proc/sys/net/ipv4/tcp_fin_timeout
30
# cat /proc/sys/net/ipv4/tcp_window_scaling
0
# cat /proc/sys/net/ipv4/tcp_sack
0
Any idea on how to block it? Any help would be appreciated.
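To make the three diagnostics in this post repeatable, here is an added Python example (not the poster's own tooling) that reads a mod_status scoreboard, `netstat -an` output and tcpdump lines the way they are read by hand above: how many busy Apache workers are stuck in `R` (reading the request, the "..reading.." rows), how the TCP states distribute, and which sources send bare SYNs. The sample data is constructed with RFC 5737 documentation addresses, and the thresholds in `triage` are assumptions, not values from the thread.

```python
import re
from collections import Counter

# Constructed sample data (not the thread's own output); 198.51.100.10 plays the server.
SCOREBOARD = "RRRR_RRCCCRCRRRRCRR..W..R._.."

NETSTAT_OUTPUT = """\
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 198.51.100.10:80        203.0.113.5:40001       SYN_RECV
tcp        0      0 198.51.100.10:80        203.0.113.5:40002       SYN_RECV
tcp        0      0 198.51.100.10:80        203.0.113.7:51000       ESTABLISHED
tcp        0      0 198.51.100.10:80        203.0.113.9:51001       FIN_WAIT2
tcp        0      0 198.51.100.10:80        203.0.113.9:51002       FIN_WAIT2
tcp        0      0 198.51.100.10:80        203.0.113.9:51003       FIN_WAIT2
udp        0      0 0.0.0.0:53              0.0.0.0:*
"""

TCPDUMP_OUTPUT = """\
18:27:05.986529 IP 203.0.113.5.39886 > 198.51.100.10.80: Flags [S], seq 946751078, win 65535, options [mss 1402,nop,nop,sackOK], length 0
18:27:05.986555 IP 198.51.100.10.80 > 203.0.113.5.39886: Flags [S.], seq 3018772423, ack 946751079, win 14600, options [mss 1460], length 0
18:27:06.009461 IP 203.0.113.5.39887 > 198.51.100.10.80: Flags [S], seq 1013549710, win 8192, length 0
18:27:06.022117 IP 203.0.113.7.1369 > 198.51.100.10.80: Flags [S], seq 167210044, win 8192, length 0
18:27:06.025784 IP 198.51.100.10.80 > 203.0.113.9.50810: Flags [F.], seq 2434628115, ack 2234953787, win 14600, length 0
18:27:06.065408 IP 203.0.113.5.39886 > 198.51.100.10.80: Flags [.], ack 1, win 65535, length 0
"""

# Matches a bare SYN ("Flags [S],"); the server's SYN-ACK is "[S.]" and does not match.
SYN_RE = re.compile(r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[S\],")


def scoreboard_counts(board):
    """Count worker states in a mod_status scoreboard string ('.' is an empty slot)."""
    return Counter(ch for ch in board if ch != ".")


def reading_ratio(board):
    """Share of busy workers (neither '.' nor '_') that sit in 'R' (reading the request).
    Healthy traffic spends its busy time mostly in 'W'; a high 'R' share means clients
    open connections and then send the request slowly or not at all."""
    busy = [ch for ch in board if ch not in "._"]
    return busy.count("R") / len(busy) if busy else 0.0


def netstat_state_counts(text):
    """Same aggregation as: netstat -an | awk '/tcp/ {print $6}' | sort | uniq -c"""
    states = Counter()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("tcp"):
            states[fields[5]] += 1
    return states


def syn_sources(text, server_port="80"):
    """Count bare SYNs towards server_port per source address."""
    sources = Counter()
    for line in text.splitlines():
        m = SYN_RE.match(line)
        if m and m.group(3) == server_port:
            sources[m.group(1)] += 1
    return sources


def triage(board, netstat_text, tcpdump_text, reading_threshold=0.5, syn_recv_threshold=50):
    """Return the findings a defender would act on; thresholds are assumed, tune per server."""
    findings = []
    ratio = reading_ratio(board)
    if ratio > reading_threshold:
        findings.append(f"{ratio:.0%} of busy Apache workers are in 'R': slow-request pattern; "
                        "lower Timeout, enable mod_reqtimeout, cap per-IP connections")
    states = netstat_state_counts(netstat_text)
    if states["SYN_RECV"] > syn_recv_threshold:
        findings.append(f"{states['SYN_RECV']} sockets in SYN_RECV: SYN flood; keep tcp_syncookies=1")
    top = syn_sources(tcpdump_text).most_common(3)
    if top:
        findings.append("top SYN sources: " + ", ".join(f"{ip} ({n})" for ip, n in top))
    return findings


if __name__ == "__main__":
    for finding in triage(SCOREBOARD, NETSTAT_OUTPUT, TCPDUMP_OUTPUT):
        print(finding)
```

On a live box, feed `scoreboard_counts` the scoreboard block from `/server-status`, `netstat_state_counts` the output of `netstat -an`, and `syn_sources` a capture such as `tcpdump -n 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'`; the per-source SYN counts are what a PORTFLOOD-style rule later acts on.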

cPanelMichael

Technical Support Community Manager
Staff member
Apr 11, 2011
cPanel Access Level
DataCenter Provider
Hello :)

Are you using any third-party firewall applications such as CSF to provide a general level of protection? Also, you may want to consult with your data center if the attack is severe to see if they can mitigate the attack with a hardware firewall.

Thank you.

HostingH

Well-Known Member
Jan 13, 2008
cPanel Access Level
Root Administrator
Hi,

In csf.conf, enable portflood and synflood as needed. If csf cannot help, then please go with the DC (hardware firewall).

Set the values as follows:
------------------------
SYNFLOOD = "1"
SYNFLOOD_RATE = "10/s"
SYNFLOOD_BURST = "15"
------------------------
PORTFLOOD = "80;tcp;300;5"
------------------------

Thanks.
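An added Python model (not CSF's code) of how the two csf.conf settings above behave, so the numbers can be sanity-checked against an expected connection pattern before they are applied. It assumes, as an approximation, that SYNFLOOD maps to an iptables token-bucket limit (`--limit RATE --limit-burst BURST`) and PORTFLOOD to a per-source sliding window (`-m recent --seconds N --hitcount H`); the connection timeline is constructed with RFC 5737 addresses.

```python
from collections import defaultdict, deque

# Constructed settings (the values suggested above) and a constructed connection timeline.
SYNFLOOD_RATE = "10/s"
SYNFLOOD_BURST = 15
PORTFLOOD = "80;tcp;300;5"


def parse_rate(rate):
    """'10/s' -> 10.0 tokens per second; the units are the iptables limit units."""
    count, unit = rate.split("/")
    seconds = {"s": 1, "sec": 1, "second": 1, "m": 60, "min": 60, "minute": 60,
               "h": 3600, "hour": 3600, "d": 86400, "day": 86400}[unit]
    return float(count) / seconds


def parse_portflood(spec):
    """'80;tcp;300;5' -> (port, proto, interval_seconds, max_connections)."""
    port, proto, interval, hits = spec.split(";")
    return int(port), proto, int(interval), int(hits)


class TokenBucket:
    """Approximation of '-m limit': BURST tokens to start, refilled at RATE per second."""

    def __init__(self, rate_per_s, burst):
        self.rate, self.burst = rate_per_s, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate_synflood(syn_times, rate=SYNFLOOD_RATE, burst=SYNFLOOD_BURST):
    """Feed SYN arrival times (seconds, ascending) through the limiter -> (accepted, dropped)."""
    bucket = TokenBucket(parse_rate(rate), burst)
    accepted = sum(1 for t in syn_times if bucket.allow(t))
    return accepted, len(syn_times) - accepted


def simulate_portflood(events, spec=PORTFLOOD):
    """events: (time, src_ip, dst_port) tuples, ascending in time per source.
    A source that opens more than max_connections new connections to the port
    within interval seconds is blocked; returns {src_ip: time_blocked}."""
    port, _proto, interval, max_conn = parse_portflood(spec)
    history = defaultdict(deque)
    blocked = {}
    for now, src, dst_port in events:
        if dst_port != port or src in blocked:
            continue
        window = history[src]
        while window and window[0] <= now - interval:   # expire hits outside the window
            window.popleft()
        window.append(now)
        if len(window) > max_conn:
            blocked[src] = now
    return blocked


EVENTS = ([(10.0 * i, "203.0.113.5", 80) for i in range(6)]      # 6 hits in 50 s: exceeds 5/300 s
          + [(100.0 * i, "203.0.113.9", 80) for i in range(6)]   # 6 hits over 500 s: never >5 in window
          + [(1.0, "203.0.113.9", 443) for _ in range(20)])      # port 443 is not covered by the rule

if __name__ == "__main__":
    print("30 SYNs in one instant ->", simulate_synflood([0.0] * 30))
    print("blocked by PORTFLOOD ->", simulate_portflood(EVENTS))
```

The point of the model is the interplay of the two numbers: `SYNFLOOD_BURST` decides how many SYNs a sudden spike gets through before `SYNFLOOD_RATE` takes over, so a legitimate page load that opens many connections at once needs a burst at least that large, and `PORTFLOOD`'s interval/hit pair must stay above what a single browser or NAT gateway produces or real visitors get blocked alongside the flood.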