The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

How to block this DDoS?

Discussion in 'Security' started by postcd, Nov 12, 2013.

  1. postcd

    postcd Well-Known Member

    Joined:
    Oct 22, 2010
    Messages:
    621
    Likes Received:
    6
    Trophy Points:
    18
    Hello,

    netstat -p

    shows alot of connections like:
    Code:
    tcp        0      0 45.102.235.65:http          212-185-55-113.static:51048 SYN_RECV    -
    tcp        0      0 45.102.235.65:http          testbed210.hbs.net:cft-0    SYN_RECV    -
    tcp        0      0 45.102.235.65:http          212-185-55-196.static:56017 SYN_RECV    -
    tcp        0      0 45.102.235.65:http          212-185-55-113.static:50886 SYN_RECV    -
    tcp        0      0 45.102.235.65:http          testbed210.hbs.net:1783     SYN_RECV    -
    tcp        0      0 45.102.235.65:http          212-185-55-206.static:36746 SYN_RECV    -
    tcp        0      0 45.102.235.65:http          212-185-55-225.static:35017 SYN_RECV    -
    tcp        0      0 45.102.235.65:http          212-185-55-10.static.:34768 SYN_RECV    -
    tcp        0      0 45.102.235.65:http          212-185-55-89.static.:36886 SYN_RECV    -
    tcp        0      0 45.102.235.65:http          testbed210.hbs.net:ncpm-pm  SYN_RECV    -
    tcp        0      0 45.102.235.65:http          testbed210.hb:powerguardian SYN_RECV    -
    tcp        0      0 45.102.235.65:http          212-185-67-58.static.:56714 SYN_RECV    -
    tcp        0      0 45.102.235.65:http          212-185-55-10.static.:34007 SYN_RECV    -
    tcp        0      0 45.102.235.65:http          212-185-55-10.static.:34769 SYN_RECV    -
    tcp        0      0 45.102.235.65:http          212-185-55-10.static.:34710 SYN_RECV    -
    tcp        0      0 45.102.235.65:http          212-185-55-196.static:55674 SYN_RECV    -
    tcp        0      0 45.102.235.65:http          212-185-55-196.static:56463 SYN_RECV    -
    tcp        0      0 45.102.235.65:http          server1.mrabyte2.com:54092  SYN_RECV    -
    tcp        0      0 45.102.235.65:http          212-185-67-58.static.:55961 SYN_RECV    -
    tcp        0      0 45.102.235.65:http          212-185-55-206.static:60098 SYN_RECV    -
    tcp        0      0 45.102.235.65:http          212-185-55-89.static.:36253 SYN_RECV    -
    tcp        0      0 45.102.235.65:http          212-185-67-58.static.:56686 SYN_RECV    -
    tcp        0      0 45.102.235.65:http          212-185-55-29.static.:59938 SYN_RECV    -
    tcp        0      0 45.102.235.65:http          212-185-55-29.static.:59745 SYN_RECV    -
    tcp        0      0 45.102.235.65:http          212-185-55-225.static:35181 SYN_RECV    -
    tcp        0      0 45.102.235.65:interwise     host-197.35.29.77.ted:61777 ESTABLISHED -
    tcp        0      0 45.102.235.65:interwise     host-197.35.29.77.ted:61778 ESTABLISHED -
    tcp        0      0 45.102.235.65:interwise     host-197.35.29.77.ted:61771 ESTABLISHED -
    tcp        0      0 45.102.235.65:interwise     host-197.35.29.77.ted:61770 TIME_WAIT   -
    tcp        0      0 45.102.235.65:interwise     host-197.35.29.77.ted:61773 ESTABLISHED -
    tcp        0      0 45.102.235.65:interwise     host-197.35.29.77.ted:61772 ESTABLISHED -
    tcp        0      0 45.102.235.65:interwise     host-197.35.29.77.ted:61765 TIME_WAIT   -
    tcp      199      0 ::ffff:45.102.235.65:http   212-185-55-113.static:55675 CLOSE_WAIT  -
    tcp      141      0 ::ffff:45.102.235.65:http   212-185-55-113.static:56443 CLOSE_WAIT  -
    tcp      206      0 ::ffff:45.102.235.65:http   212-185-55-113.static:56435 CLOSE_WAIT  -
    tcp        0      0 ::ffff:45.102.235.65:http   212-185-55-225.static:38685 ESTABLISHED -
    tcp        0      0 ::ffff:45.102.235.65:http   212-185-55-89.static.:43103 ESTABLISHED -
    tcp        0      0 ::ffff:45.102.235.65:http   212-185-55-113.static:49527 ESTABLISHED -
    tcp        0   3357 ::ffff:45.102.235.65:http   212-185-67-58.static.:33825 LAST_ACK    -
    tcp        0      0 ::ffff:45.102.235.65:http   212-185-55-225.static:36879 ESTABLISHED -
    tcp        0      0 ::ffff:45.102.235.65:http   212-185-55-113.static:54629 ESTABLISHED -
    tcp      190      0 ::ffff:45.102.235.65:http   212-185-55-225.static:41481 CLOSE_WAIT  -
    tcp        0      0 ::ffff:45.102.235.65:http   212-185-55-225.static:36148 ESTABLISHED -
    tcp        0      0 ::ffff:45.102.235.65:http   212-185-55-29.static.:37174 ESTABLISHED -
    tcp        0   3357 ::ffff:45.102.235.65:http   212-185-55-29.static.:37430 LAST_ACK    -
    tcp        0      0 ::ffff:45.102.235.65:http   212-185-55-89.static.:41079 ESTABLISHED -
    tcp      203      0 ::ffff:45.102.235.65:http   212-185-55-225.static:40240 CLOSE_WAIT  -
    tcp        0      0 ::ffff:45.102.235.65:http   212-185-55-29.static.:33316 ESTABLISHED -
    tcp        0      0 ::ffff:45.102.235.65:http   212-185-55-29.static.:35873 ESTABLISHED -
    tcp        0      0 ::ffff:45.102.235.65:http   212-185-55-29.static.:59938 ESTABLISHED -
    tcp        0      0 ::ffff:45.102.235.65:http   212-185-67-58.static.:34056 ESTABLISHED -
    tcp        0      0 ::ffff:45.102.235.65:http   212-185-55-29.static.:35880 ESTABLISHED -
    tcp      177      0 ::ffff:45.102.235.65:http   212-185-67-58.static.:34060 CLOSE_WAIT  -
    tcp        0      0 ::ffff:45.102.235.65:http   212-185-55-113.static:56123 ESTABLISHED -
    tcp        0      0 ::ffff:45.102.235.65:http   212-185-55-29.static.:38487 ESTABLISHED -
    tcp      171      0 ::ffff:45.102.235.65:http   212-185-55-89.static.:44562 CLOSE_WAIT  -
    tcp        0      0 ::ffff:45.102.235.65:http   212-185-55-29.static.:37200 ESTABLISHED -
    tcp        0      0 ::ffff:45.102.235.65:http   212-185-55-225.static:36703 ESTABLISHED -
    tcp        0      0 ::ffff:45.102.235.65:http   212-185-67-58.static.:59513 ESTABLISHED -
    tcp      214      0 ::ffff:45.102.235.65:http   212-185-55-29.static.:59743 CLOSE_WAIT  -
    tcp        0      0 ::ffff:45.102.235.65:http   212-185-55-29.static.:34399 ESTABLISHED -
    tcp      196      0 ::ffff:45.102.235.65:http   212-185-55-225.static:43100 CLOSE_WAIT  -
    tcp        0      0 ::ffff:45.102.235.65:http   212-185-55-225.static:38214 ESTABLISHED -
    tcp        0      0 ::ffff:45.102.235.65:http   212-185-67-58.static.:59239 ESTABLISHED -
    tcp        0      0 ::ffff:45.102.235.65:http   212-185-55-89.static.:42761 ESTABLISHED -
    tcp        0      0 ::ffff:45.102.235.65:http   212-185-67-58.static.:60525 ESTABLISHED -
    tcp        0      0 ::ffff:45.102.235.65:http   212-185-55-29.static.:37195 ESTABLISHED -
    tcp      193      0 ::ffff:45.102.235.65:http   212-185-55-89.static.:43825 CLOSE_WAIT  -
    tcp        0      0 ::ffff:45.102.235.65:http   212-185-55-29.static.:37748 ESTABLISHED -
    tcp        0      0 ::ffff:45.102.235.65:http   212-185-55-29.static.:37495 ESTABLISHED -
    tcp      169      0 ::ffff:45.102.235.65:http   212-185-55-89.static.:44595 CLOSE_WAIT  -
    tcp      172      0 ::ffff:45.102.235.65:http   212-185-55-29.static.:36214 CLOSE_WAIT  -
    tcp      175      0 ::ffff:45.102.235.65:http   212-185-55-89.static.:36663 CLOSE_WAIT  -
    tcp      166      0 ::ffff:45.102.235.65:http   212-185-55-89.static.:44086 CLOSE_WAIT  -
    tcp        0      0 ::ffff:45.102.235.65:http   212-185-67-58.static.:34651 ESTABLISHED -
    tcp      183      0 ::ffff:45.102.235.65:http   212-185-55-225.static:42110 CLOSE_WAIT  -
    tcp        0      0 ::ffff:45.102.235.65:http   212-185-67-58.static.:34650 ESTABLISHED -
    tcp      211      0 ::ffff:45.102.235.65:http   212-185-55-225.static:39549 CLOSE_WAIT  -
    tcp        0      0 ::ffff:45.102.235.65:http   212-185-67-58.static.:58975 ESTABLISHED -
    tcp        0      0 ::ffff:45.102.235.65:http   212-185-55-29.static.:37496 ESTABLISHED -
    tcp      173      0 ::ffff:45.102.235.65:http   212-185-55-29.static.:36219 CLOSE_WAIT  -
    tcp      153      0 ::ffff:45.102.235.65:http   212-185-55-113.static:47894 CLOSE_WAIT  -
    tcp        0      0 ::ffff:45.102.235.65:http   212-185-55-225.static:34681 ESTABLISHED -
    tcp        0      0 ::ffff:45.102.235.65:http   212-185-55-225.static:39012 ESTABLISHED -
    tcp      219      0 ::ffff:45.102.235.65:http   212-185-55-29.static.:59745 CLOSE_WAIT  -
    
    Please what can be done to block it? I did:

    iptables -A INPUT -s 212.185.55.IPHERE -j DROP
    iptables -A INPUT -s 212.185.55.0/24 -j DROP
    iptables-save

    restarted server, but it appears not to fix the issue, connections still there, server overloading..
     
  2. ravi9

    ravi9 Well-Known Member

    Joined:
    Oct 31, 2013
    Messages:
    65
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    India
    cPanel Access Level:
    Website Owner
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,745
    Likes Received:
    662
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    DDOS attacks can be difficult to mitigate with standard firewalls such as CSF. You may want to consult with your data center to see if they offer any mitigation services or if there is anything they can do to assist you.

    Thank you.
     
  4. postcd

    postcd Well-Known Member

    Joined:
    Oct 22, 2010
    Messages:
    621
    Likes Received:
    6
    Trophy Points:
    18
    thx, you did not answered my question. you just answered thread title. my question is rather iptables related.

    PS: instead of iptables -A INPUT -s can be good to do iptables -I INPUT -s
     
  5. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    I know this doesn't answer your iptables question, however, since those are all HTTP connections have you checked your apache access logs? You might be able to find what they're doing and fix the "real" issue as opposed to just blocking IP addresses. I'd start with an httpd fullstatus to see what domain is being hit, and check that domains access logs. You might acutally have something that's easy to deal with here, but a netstat just isn't enough info to know what needs to be mitigated.
     
Loading...

Share This Page