How to block this DDoS?

postcd

postcd

Well-Known Member
Oct 22, 2010
721
21
68
Hello,

netstat -p

shows alot of connections like:
Code: 
tcp        0      0 45.102.235.65:http          212-185-55-113.static:51048 SYN_RECV    -
tcp        0      0 45.102.235.65:http          testbed210.hbs.net:cft-0    SYN_RECV    -
tcp        0      0 45.102.235.65:http          212-185-55-196.static:56017 SYN_RECV    -
tcp        0      0 45.102.235.65:http          212-185-55-113.static:50886 SYN_RECV    -
tcp        0      0 45.102.235.65:http          testbed210.hbs.net:1783     SYN_RECV    -
tcp        0      0 45.102.235.65:http          212-185-55-206.static:36746 SYN_RECV    -
tcp        0      0 45.102.235.65:http          212-185-55-225.static:35017 SYN_RECV    -
tcp        0      0 45.102.235.65:http          212-185-55-10.static.:34768 SYN_RECV    -
tcp        0      0 45.102.235.65:http          212-185-55-89.static.:36886 SYN_RECV    -
tcp        0      0 45.102.235.65:http          testbed210.hbs.net:ncpm-pm  SYN_RECV    -
tcp        0      0 45.102.235.65:http          testbed210.hb:powerguardian SYN_RECV    -
tcp        0      0 45.102.235.65:http          212-185-67-58.static.:56714 SYN_RECV    -
tcp        0      0 45.102.235.65:http          212-185-55-10.static.:34007 SYN_RECV    -
tcp        0      0 45.102.235.65:http          212-185-55-10.static.:34769 SYN_RECV    -
tcp        0      0 45.102.235.65:http          212-185-55-10.static.:34710 SYN_RECV    -
tcp        0      0 45.102.235.65:http          212-185-55-196.static:55674 SYN_RECV    -
tcp        0      0 45.102.235.65:http          212-185-55-196.static:56463 SYN_RECV    -
tcp        0      0 45.102.235.65:http          server1.mrabyte2.com:54092  SYN_RECV    -
tcp        0      0 45.102.235.65:http          212-185-67-58.static.:55961 SYN_RECV    -
tcp        0      0 45.102.235.65:http          212-185-55-206.static:60098 SYN_RECV    -
tcp        0      0 45.102.235.65:http          212-185-55-89.static.:36253 SYN_RECV    -
tcp        0      0 45.102.235.65:http          212-185-67-58.static.:56686 SYN_RECV    -
tcp        0      0 45.102.235.65:http          212-185-55-29.static.:59938 SYN_RECV    -
tcp        0      0 45.102.235.65:http          212-185-55-29.static.:59745 SYN_RECV    -
tcp        0      0 45.102.235.65:http          212-185-55-225.static:35181 SYN_RECV    -
tcp        0      0 45.102.235.65:interwise     host-197.35.29.77.ted:61777 ESTABLISHED -
tcp        0      0 45.102.235.65:interwise     host-197.35.29.77.ted:61778 ESTABLISHED -
tcp        0      0 45.102.235.65:interwise     host-197.35.29.77.ted:61771 ESTABLISHED -
tcp        0      0 45.102.235.65:interwise     host-197.35.29.77.ted:61770 TIME_WAIT   -
tcp        0      0 45.102.235.65:interwise     host-197.35.29.77.ted:61773 ESTABLISHED -
tcp        0      0 45.102.235.65:interwise     host-197.35.29.77.ted:61772 ESTABLISHED -
tcp        0      0 45.102.235.65:interwise     host-197.35.29.77.ted:61765 TIME_WAIT   -
tcp      199      0 ::ffff:45.102.235.65:http   212-185-55-113.static:55675 CLOSE_WAIT  -
tcp      141      0 ::ffff:45.102.235.65:http   212-185-55-113.static:56443 CLOSE_WAIT  -
tcp      206      0 ::ffff:45.102.235.65:http   212-185-55-113.static:56435 CLOSE_WAIT  -
tcp        0      0 ::ffff:45.102.235.65:http   212-185-55-225.static:38685 ESTABLISHED -
tcp        0      0 ::ffff:45.102.235.65:http   212-185-55-89.static.:43103 ESTABLISHED -
tcp        0      0 ::ffff:45.102.235.65:http   212-185-55-113.static:49527 ESTABLISHED -
tcp        0   3357 ::ffff:45.102.235.65:http   212-185-67-58.static.:33825 LAST_ACK    -
tcp        0      0 ::ffff:45.102.235.65:http   212-185-55-225.static:36879 ESTABLISHED -
tcp        0      0 ::ffff:45.102.235.65:http   212-185-55-113.static:54629 ESTABLISHED -
tcp      190      0 ::ffff:45.102.235.65:http   212-185-55-225.static:41481 CLOSE_WAIT  -
tcp        0      0 ::ffff:45.102.235.65:http   212-185-55-225.static:36148 ESTABLISHED -
tcp        0      0 ::ffff:45.102.235.65:http   212-185-55-29.static.:37174 ESTABLISHED -
tcp        0   3357 ::ffff:45.102.235.65:http   212-185-55-29.static.:37430 LAST_ACK    -
tcp        0      0 ::ffff:45.102.235.65:http   212-185-55-89.static.:41079 ESTABLISHED -
tcp      203      0 ::ffff:45.102.235.65:http   212-185-55-225.static:40240 CLOSE_WAIT  -
tcp        0      0 ::ffff:45.102.235.65:http   212-185-55-29.static.:33316 ESTABLISHED -
tcp        0      0 ::ffff:45.102.235.65:http   212-185-55-29.static.:35873 ESTABLISHED -
tcp        0      0 ::ffff:45.102.235.65:http   212-185-55-29.static.:59938 ESTABLISHED -
tcp        0      0 ::ffff:45.102.235.65:http   212-185-67-58.static.:34056 ESTABLISHED -
tcp        0      0 ::ffff:45.102.235.65:http   212-185-55-29.static.:35880 ESTABLISHED -
tcp      177      0 ::ffff:45.102.235.65:http   212-185-67-58.static.:34060 CLOSE_WAIT  -
tcp        0      0 ::ffff:45.102.235.65:http   212-185-55-113.static:56123 ESTABLISHED -
tcp        0      0 ::ffff:45.102.235.65:http   212-185-55-29.static.:38487 ESTABLISHED -
tcp      171      0 ::ffff:45.102.235.65:http   212-185-55-89.static.:44562 CLOSE_WAIT  -
tcp        0      0 ::ffff:45.102.235.65:http   212-185-55-29.static.:37200 ESTABLISHED -
tcp        0      0 ::ffff:45.102.235.65:http   212-185-55-225.static:36703 ESTABLISHED -
tcp        0      0 ::ffff:45.102.235.65:http   212-185-67-58.static.:59513 ESTABLISHED -
tcp      214      0 ::ffff:45.102.235.65:http   212-185-55-29.static.:59743 CLOSE_WAIT  -
tcp        0      0 ::ffff:45.102.235.65:http   212-185-55-29.static.:34399 ESTABLISHED -
tcp      196      0 ::ffff:45.102.235.65:http   212-185-55-225.static:43100 CLOSE_WAIT  -
tcp        0      0 ::ffff:45.102.235.65:http   212-185-55-225.static:38214 ESTABLISHED -
tcp        0      0 ::ffff:45.102.235.65:http   212-185-67-58.static.:59239 ESTABLISHED -
tcp        0      0 ::ffff:45.102.235.65:http   212-185-55-89.static.:42761 ESTABLISHED -
tcp        0      0 ::ffff:45.102.235.65:http   212-185-67-58.static.:60525 ESTABLISHED -
tcp        0      0 ::ffff:45.102.235.65:http   212-185-55-29.static.:37195 ESTABLISHED -
tcp      193      0 ::ffff:45.102.235.65:http   212-185-55-89.static.:43825 CLOSE_WAIT  -
tcp        0      0 ::ffff:45.102.235.65:http   212-185-55-29.static.:37748 ESTABLISHED -
tcp        0      0 ::ffff:45.102.235.65:http   212-185-55-29.static.:37495 ESTABLISHED -
tcp      169      0 ::ffff:45.102.235.65:http   212-185-55-89.static.:44595 CLOSE_WAIT  -
tcp      172      0 ::ffff:45.102.235.65:http   212-185-55-29.static.:36214 CLOSE_WAIT  -
tcp      175      0 ::ffff:45.102.235.65:http   212-185-55-89.static.:36663 CLOSE_WAIT  -
tcp      166      0 ::ffff:45.102.235.65:http   212-185-55-89.static.:44086 CLOSE_WAIT  -
tcp        0      0 ::ffff:45.102.235.65:http   212-185-67-58.static.:34651 ESTABLISHED -
tcp      183      0 ::ffff:45.102.235.65:http   212-185-55-225.static:42110 CLOSE_WAIT  -
tcp        0      0 ::ffff:45.102.235.65:http   212-185-67-58.static.:34650 ESTABLISHED -
tcp      211      0 ::ffff:45.102.235.65:http   212-185-55-225.static:39549 CLOSE_WAIT  -
tcp        0      0 ::ffff:45.102.235.65:http   212-185-67-58.static.:58975 ESTABLISHED -
tcp        0      0 ::ffff:45.102.235.65:http   212-185-55-29.static.:37496 ESTABLISHED -
tcp      173      0 ::ffff:45.102.235.65:http   212-185-55-29.static.:36219 CLOSE_WAIT  -
tcp      153      0 ::ffff:45.102.235.65:http   212-185-55-113.static:47894 CLOSE_WAIT  -
tcp        0      0 ::ffff:45.102.235.65:http   212-185-55-225.static:34681 ESTABLISHED -
tcp        0      0 ::ffff:45.102.235.65:http   212-185-55-225.static:39012 ESTABLISHED -
tcp      219      0 ::ffff:45.102.235.65:http   212-185-55-29.static.:59745 CLOSE_WAIT  -
Please what can be done to block it? I did:

iptables -A INPUT -s 212.185.55.IPHERE -j DROP
iptables -A INPUT -s 212.185.55.0/24 -j DROP
iptables-save

restarted server, but it appears not to fix the issue, connections still there, server overloading..
 
cPanelMichael

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,260
463
Hello :)

DDOS attacks can be difficult to mitigate with standard firewalls such as CSF. You may want to consult with your data center to see if they offer any mitigation services or if there is anything they can do to assist you.

Thank you.
 
postcd

postcd

Well-Known Member
Oct 22, 2010
721
21
68
thx, you did not answered my question. you just answered thread title. my question is rather iptables related.

PS: instead of iptables -A INPUT -s can be good to do iptables -I INPUT -s
 
Q

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
I know this doesn't answer your iptables question, however, since those are all HTTP connections have you checked your apache access logs? You might be able to find what they're doing and fix the "real" issue as opposed to just blocking IP addresses. I'd start with an httpd fullstatus to see what domain is being hit, and check that domains access logs. You might acutally have something that's easy to deal with here, but a netstat just isn't enough info to know what needs to be mitigated.
 
You must log in or register to reply here.
Thread starter Similar threads Forum Replies Date
F cPHulk - Blacklisted IPs Still Appear In The One-Day Blocks History Report Security 2
WebHostPro Any ideas about blocking a 404 page DDOS attack? Security 2
M Block ddos Security 3
B Is this a DDos attack ? Can or i have to block it ? Security 5
Z Block DDOS attack on a particular file? Security 1
Similar threads
cPHulk - Blacklisted IPs Still Appear In The One-Day Blocks History Report
Any ideas about blocking a 404 page DDOS attack?
Block ddos
Is this a DDos attack ? Can or i have to block it ?
Block DDOS attack on a particular file?
Top Bottom