The Community Forums

How to check which domain in my server is being DDOS'ed?

Discussion in 'Security' started by rockon007, Feb 26, 2010.

  1. rockon007 (Member)

    Hello,
    My VPS server is continuously being DDoSed.
    A huge number of connections from multiple IPs is sometimes causing Apache failure.
    Even CSF is sometimes failing to block it.

    I think it's an attack on one of my hosted accounts.

    My question is -
    How do I know which domain in my server is getting the attacks?

    Thanks in advance.
     
  2. WebScHoLaR (Well-Known Member)

    This is what I use mostly:

    To see which IPs are connecting to the server and how many connections exist from each IP:
    Code:
    netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

    To see how many connections each IP on the server is receiving:
    Code:
    netstat -plan |grep :80 | awk '{print $4}' | cut -d: -f1 | sort | uniq -c | sort -n

    Get the count of current active connections to Apache:
    Code:
    netstat -apn | grep :80 | wc -l

    Get the Apache status update from the command line to see which domain is receiving the most hits:
    Code:
    lynx http://localhost/whm-server-status
     
    danielpmc likes this.
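The three netstat one-liners above folded into reusable functions, as an added example (editorial code, not WebScHoLaR's or cPanel's). It reads the text of "netstat -ntu" on stdin, drops the header lines, strips only the trailing port so IPv6 peers are counted correctly instead of being cut at the first colon, and adds a threshold filter that emits just the IPs worth feeding to csf or iptables. The embedded netstat output is constructed, and the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: the netstat one-liners as functions.
# Input is the text of "netstat -ntu" (Linux net-tools) on stdin; the sample
# below is constructed, not a capture from a real server.

# Connections per remote IP, busiest first.  Only tcp/udp rows are kept (this
# drops the two header lines) and only the trailing ":port" is removed, so an
# IPv6 peer such as 2001:db8:1::5 is not mangled the way "cut -d: -f1" would.
top_remote_ips() {
    awk '$1 ~ /^(tcp|udp)6?$/ { print $5 }' \
    | sed 's/:[0-9]*$//' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# Connections per local (server) IP on one port, default 80: with a
# dedicated IP per site this already narrows the flood down to a few domains.
conns_per_local_ip() {
    port="${1:-80}"
    awk -v p="$port" '$1 ~ /^tcp6?$/ && $4 ~ (":" p "$") { print $4 }' \
    | sed 's/:[0-9]*$//' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# Remote IPs holding at least LIMIT connections, one per line, ready for
#   csf -td IP 600 flood     or     iptables -I INPUT -s IP -j DROP
remote_ips_over() {
    top_remote_ips | awk -v l="$1" '$1 >= l { print $2 }'
}

# Constructed sample: one peer with three connections to 192.0.2.10:80 (one
# still in SYN_RECV), another peer with one to :80 and one to :22, and an
# IPv6 peer.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           203.0.113.5:51234       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:51235       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:51236       SYN_RECV
tcp        0      0 192.0.2.11:80           198.51.100.7:40001      ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.7:40002      ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8:1::5:55000     ESTABLISHED'

# On a live server replace the printf with:  netstat -ntu | top_remote_ips
printf '%s\n' "$SAMPLE_NETSTAT" | top_remote_ips
printf '%s\n' "$SAMPLE_NETSTAT" | conns_per_local_ip 80
printf '%s\n' "$SAMPLE_NETSTAT" | remote_ips_over 2
```

A half-open connection in SYN_RECV counts the same as an established one here, which is what you want during a SYN flood; filter on the State column if you only want completed connections.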
  3. rockon007 (Member)

    The last command is not working.
    I have found through the other two commands that sometimes the connections are very large.
    A few IPs even have 700 to 1000 connections per IP.

    I am still looking for a way to find the domain or account on my server which is getting DDoSed.

    Please help, anybody.
     
  4. servertechs (Active Member, India)

    Try:
    Code:
    # httpd fullstatus
     
  5. rockon007 (Member)

    The above command is showing the "Apache Status" as it shows in WHM.

    I have lots of connections like this :
    Code:
    317-36	-	0/0/34	. 	0.91	24400	0	0.0	0.00	0.90 	127.0.0.1	serverhostname.com	OPTIONS * HTTP/1.0
    318-36	-	0/0/22	. 	0.11	24763	0	0.0	0.00	0.03 	127.0.0.1	serverhostname.com	OPTIONS * HTTP/1.0
    
    Like the above two there are many shown.
    Does this mean there is a large number of connections being made to the server hostname?
    But the IP shows 127.0.0.1.
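The rows quoted above have the layout of mod_status's worker table (Srv, PID, Acc, M, CPU, SS, Req, Conn, Child, Slot, Client, VHost, Request). What follows is an added example, not code from the thread, that tallies such a dump per VHost and per client, whether it comes from "httpd fullstatus" or from a "lynx -dump" of the whm-server-status page. Rows from 127.0.0.1 with the request "OPTIONS *" are Apache's own internal dummy connections, which the server sends to itself to wake idle child processes, so the example drops them before counting; otherwise the hostname's vhost looks busier than any real site. The sample rows are constructed, with the two loopback rows mirroring the ones in the post; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: tally the Apache status worker table
# per VHost and per client.  Feed it the text form of the page, e.g.
#   lynx -dump -width 250 http://localhost/whm-server-status | status_by_vhost
#   httpd fullstatus | status_by_vhost
# Columns assumed (mod_status worker table, tab or space separated):
#   Srv PID Acc M CPU SS Req Conn Child Slot Client VHost Request
# The sample rows below are constructed; the two 127.0.0.1 rows mirror the
# ones quoted in the thread.

# Worker rows are the ones whose Srv column looks like "317-36".  Rows where
# the client is 127.0.0.1 and the request is "OPTIONS *" are Apache's own
# internal dummy connections (sent to wake idle children), not visitors, so
# they are dropped before counting.
status_by_vhost() {
    awk '$1 ~ /^[0-9]+-[0-9]+$/ && !($11 == "127.0.0.1" && $13 == "OPTIONS" && $14 == "*") { print $12 }' \
    | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Client IPs currently occupying workers on one vhost, busiest first.
status_clients_for() {
    awk -v v="$1" '$1 ~ /^[0-9]+-[0-9]+$/ && $12 == v { print $11 }' \
    | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

SAMPLE_STATUS='Srv PID Acc M CPU SS Req Conn Child Slot Client VHost Request
317-36 - 0/0/34 . 0.91 24400 0 0.0 0.00 0.90 127.0.0.1 serverhostname.com OPTIONS * HTTP/1.0
318-36 - 0/0/22 . 0.11 24763 0 0.0 0.00 0.03 127.0.0.1 serverhostname.com OPTIONS * HTTP/1.0
0-36 24401 0/15/390 W 1.20 3 0 2.1 0.05 1.30 203.0.113.5 victim.example GET / HTTP/1.0
1-36 24402 0/12/210 W 1.10 1 0 1.9 0.04 1.10 203.0.113.5 victim.example GET / HTTP/1.0
2-36 24403 0/9/180 W 0.80 0 0 1.5 0.03 0.90 203.0.113.6 victim.example GET / HTTP/1.0
3-36 24404 0/3/77 K 0.20 5 0 0.2 0.01 0.20 198.51.100.7 quiet.example GET /index.html HTTP/1.1'

printf '%s\n' "$SAMPLE_STATUS" | status_by_vhost
printf '%s\n' "$SAMPLE_STATUS" | status_clients_for victim.example
```

The status page is a snapshot of workers at one instant, so run it a few times during the flood; the domlogs give the same answer over a longer window.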
     
  6. rockon007 (Member)

    I have not been able to find a specific solution to this.

    How do I know specifically which of the 100 domains is getting DDoSed, because I am pretty sure only one account on my server is facing the DDoS?
     
  7. Secmas (Well-Known Member)

    Does it matter what domain is being attacked? You need to get the offending IPs blocked.

    My 2 cents.
     
  8. B12Org (Well-Known Member, Seattle Washington, Root Administrator)

    It does matter, because once you mitigate the attack by blocking the IPs, you may want to get rid of the client who is causing the problem - especially if it keeps happening.
     
  9. Secmas (Well-Known Member)

    It is your server, so they are your rules. I don't know if you don't like to have customers, but that way even you could be banned from your own server, if your account is the one attacked.

    I don't want to start any argument; it is just my point of view to get rid of the attacks with more security on the server.

    Regards,

    Sergio
     
  10. B12Org (Well-Known Member, Seattle Washington, Root Administrator)

    If you're trying to suggest that finding out what domain is being attacked is worthless, or that dumping a problematic customer is bad business, then feel free to ignore this thread.

    For the rest of the sensible people out there who don't like having one customer cause them business or lose money on having a down or slow server, having that info is valuable - even if you don't do anything with it, knowing is still better than not knowing, as it will give you a better overall view of what is happening and why.

    If you worked at a large corporation and you told them a server went down because a domain was being DDoSed, I'm sure they would ask you which domain. If you couldn't tell them, or in this case told them "it's not important to know, just get better security", I don't think they would be very happy with that answer.
     
  11. whr (Active Member, India)

    If Apache status didn't show the domain under attack either, check the domlogs directory (/usr/local/apache/domlogs) and find the file that is bigger in size.

    Most probably the domain under attack will top the list.

    Check the IP of that domain and then analyze the domlogs and AWStats of that domain.

    If you get enough data, then suspend or terminate that user.

    You can even change the 'A' record of that domain to the loopback address (127.0.0.1) if the attack is that severe.
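The domlog triage described in this post as an added example (editorial code, not whr's): rank the files under /usr/local/apache/domlogs by size, then pull the heaviest client IPs and the busiest minutes out of the largest log, which gives both the account under attack and the attack window you would quote to the customer or the data centre. Apache combined log format is assumed (client IP in field 1, timestamp in field 4); the functions and the constructed sample logs are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: the domlog triage from the post above
# as functions.  Assumes Apache combined log format (client IP in field 1,
# "[dd/Mon/yyyy:HH:MM:SS" in field 4), which is what cPanel writes under
# /usr/local/apache/domlogs.  The sample logs created by make_sample_domlogs
# are constructed.

DOMLOGS="${DOMLOGS:-/usr/local/apache/domlogs}"

# The N largest regular files in a directory as "bytes path", biggest first.
# "wc -c" instead of "ls -S" keeps it POSIX; the flooded domain's log is
# usually at the top.
biggest_domlogs() {
    dir="$1"; n="${2:-10}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        printf '%s %s\n' "$(wc -c < "$f" | tr -d ' ')" "$f"
    done | sort -rn | head -n "$n"
}

# The N client IPs with the most requests in one log: candidates for csf -td.
top_ips_in_log() {
    awk '{ print $1 }' "$1" | sort | uniq -c | sort -rn | head -n "${2:-10}" \
    | awk '{ print $1, $2 }'
}

# Requests per minute, busiest minutes first.  A flood shows as a handful of
# minutes far above the baseline, which also dates the attack.
hits_per_minute() {
    awk '{ print substr($4, 2, 17) }' "$1" | sort | uniq -c | sort -rn \
    | head -n "${2:-10}" | awk '{ print $1, $2 }'
}

# Constructed sample: one vhost takes 40 hits in a single minute from one IP
# plus one normal visit; a second vhost has a single quiet request.
make_sample_domlogs() {
    d="$(mktemp -d)"
    i=0
    while [ "$i" -lt 40 ]; do
        printf '203.0.113.5 - - [26/Feb/2010:10:15:%02d +0000] "GET / HTTP/1.0" 200 512 "-" "-"\n' "$i" \
            >> "$d/victim.example"
        i=$((i + 1))
    done
    printf '198.51.100.7 - - [26/Feb/2010:10:16:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"\n' \
        >> "$d/victim.example"
    printf '192.0.2.99 - - [26/Feb/2010:09:00:01 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"\n' \
        > "$d/quiet.example"
    printf '%s\n' "$d"
}

# On a live server: biggest_domlogs "$DOMLOGS" 5, then the other two on the
# file it names.  Here they run on the constructed logs.
sample_dir="$(make_sample_domlogs)"
biggest_domlogs "$sample_dir" 2
top_ips_in_log "$sample_dir/victim.example" 3
hits_per_minute "$sample_dir/victim.example" 3
rm -rf "$sample_dir"
```

Log size only works for requests Apache actually completed and logged; a SYN flood or malformed requests never reach the domlogs, which is where the next post's per-IP approach comes in.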
     
  12. brianoz (Well-Known Member, Melbourne, Australia, Root Administrator)

    If the DDoS is hitting port 80 with legitimate requests, they'll get logged and you'll be able to see it via the size of the log as above.

    If it's not a fully formed HTTP request, or it's a SYN attack or something else, you may have to separate the domains onto various IPs and use a binary-search technique: each time you put a group of domains onto an IP, work out which IP is being hit, then repeat with the domains on that IP until you get the actual domain.

    Once you have the domain, change its A record to 127.0.0.1 as above, which may also help, and/or get the DC to null route the IP.

    It's worth checking the DDoS isn't just from one IP; sometimes they are, in which case they're easily blocked by just blocking that one IP with a tool like csf or raw iptables.
     
  13. GaryT (Well-Known Member)

    If it's a DoS then you will see hundreds of IPs by using the command:

    Then if so it's extremely easy to block; DoS Deflate working with iptables and CSF will do the trick. If you're under heavy attack, let's say a botnet (been there, it's not good), then you will see hundreds, maybe thousands of IPs. That's if you can get on your server to check it :D

    If you just have one small kiddie who thinks he is clever by sending out SYN attacks, or trying to flood a port, then CSF will easily do the trick.
     
    danielpmc likes this.
  14. B12Org (Well-Known Member, Seattle Washington, Root Administrator)

    I have had good results with mod_evasive and apf on non-cPanel systems - mod_evasive has a directive that allows it to run a command like apf -d ip.ip.ip.ip which will insert a block into the firewall for 20 seconds, and each time it detects a DoS it will extend it by 10 seconds.

    I'm sure that if csf has a command line option to do blocking (which I'm guessing it does, as that's kind of important) you can do the same thing on an automated scale for something that's large like this, or even if it's a single kid from a dynamic IP doing a malformed header attack or something.
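The automation described here as an added example, not B12Org's setup and not anything shipped with mod_evasive or csf: a small wrapper that DOSSystemCommand can invoke with the offending IP, which csf then temp-denies with its "csf -td IP ttl comment" form. Because mod_evasive substitutes a client-controlled address into a shell command, the wrapper accepts only a plain IPv4 literal and refuses loopback and the server's own IP before touching the firewall, so a spoofed or proxied burst cannot lock the administrator out. The install path, TTL, whitelist, the CSF_BIN variable and the sudo line are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the thread and not part of mod_evasive or csf: a
# wrapper that mod_evasive can call to temp-deny an IP through csf.
# Assumed httpd.conf line (mod_evasive substitutes %s with the client IP):
#   DOSSystemCommand "sudo /usr/local/sbin/evasive-block %s"
# Install path, TTL and the whitelist are this example's choices; the csf
# invocation is its documented "csf -td IP ttl comment" form.

CSF_BIN="${CSF_BIN:-/usr/sbin/csf}"
BLOCK_TTL="${BLOCK_TTL:-600}"      # seconds the temporary deny lasts
# Addresses that must never be blocked: loopback plus the server's own IP
# (192.0.2.10 stands in for it here).
NEVER_BLOCK="${NEVER_BLOCK:-127.0.0.1 192.0.2.10}"

# True only for a dotted-quad IPv4 literal.  The value comes from a client
# connection and ends up on a root command line, so anything else, e.g.
# "1.2.3.4; rm -rf /" or "203.0.113.5 600 -p 22", is rejected up front.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Validate, check the whitelist, then temp-deny.  Return codes: 0 blocked,
# 2 rejected as malformed, 3 whitelisted.
block_ip() {
    ip="$1"
    valid_ipv4 "$ip" || { echo "evasive-block: refusing malformed address: $ip" >&2; return 2; }
    for w in $NEVER_BLOCK; do
        [ "$ip" = "$w" ] && { echo "evasive-block: $ip is whitelisted, not blocking" >&2; return 3; }
    done
    "$CSF_BIN" -td "$ip" "$BLOCK_TTL" "mod_evasive"
}

# Invoked by DOSSystemCommand with the IP as the only argument.
if [ "$#" -eq 1 ]; then
    block_ip "$1"
fi
```

Apache's worker user (nobody on cPanel) cannot run csf itself, so the sudoers entry behind the assumed DOSSystemCommand line should allow exactly this one script and nothing else; the validation inside the script is what keeps that privilege from becoming a root shell for anyone who can make Apache call it.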
     
  15. GaryT (Well-Known Member)

    It's quite easy to block though. The hardest part is getting it to communicate the blocks to iptables. I did mine with CSF + DoS Deflate (modified version) and mod_evasive (modified version); it works well. I use a temp block on 250 connections or less, as some internet providers are hungry on the HTTP side, and then for 500+ it's an instant block. But if the attack has a burst then it will also instantly block this.
     