How to check which site is being DoSed?

thealee

Member
Oct 5, 2006
Hi there,

I was wondering, do you guys have any advice on how to check which website is being targeted in the event of a DoS attack?

Netstat doesn't have a feature to list what domain the IPs are accessing, does it?

Some of you will recommend Apache status; I've found this to be not very helpful. Plus, if you have mod_evasive installed, it may be the case that many IPs (or a single IP) are making connections to the server but being rejected and never reaching Apache status; this does still, however, cause load on the server.

So I'm asking what you guys use to detect which sites are being DoSed, and any other advice you may have.

Thanks.
 

nyjimbo

Well-Known Member
Jan 25, 2003
New York
I think you pretty much have to run everything. Not all DOS attacks are the same. Even an Apache-targeted attack can look different depending on what exactly they are throwing at port 80.

Apache status, top, ps ax with different switches, modsecurity logs, netstat with various switches, etc. all produce bits of info that help.

If you have a hardware firewall, that can really help to see what is coming in if it's a big volume; something like m0n0wall will tell you what the packets are in great detail. I use FreeBSD, so we use IPFW/Dummynet as a software firewall on each server and m0n0 as the main hardware firewall for the whole network.

You might also want to start a friendly conversation with your upstream or ISP to ask them DETAILED info on how they would handle a DOS. Sometimes an upstream will be happy to help you during a DOS with specific info they see going into you as they are really filtering it and not the target and are not affected directly. Some even have proactive ways to stop the attacks but might not have it enabled for your service.

But also remember that some "DOS attacks" can be googlebots slamming your server or something less sinister.
 

acenetryan

Well-Known Member
PartnerNOC
Aug 21, 2005
thealee, personally, I like to go into:

/usr/local/apache/domlogs/

Run an ls sorted by file size (in human-readable format for ease of reading):

ls -lhS | less

The largest domlog is usually the one getting hit. Tail the log and block the IPs.

Doesn't work all the time, but one more measure to add to your arsenal.
 
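The domlog-size heuristic above ranks by cumulative size, so a long-lived busy site can outrank a small site that is being hit right now. As an added example (not code from this thread), the following Python script instead counts requests per domlog inside a recent time window and flags source IPs at or above a per-IP threshold; it assumes one common/combined-format access log per domain in a directory like /usr/local/apache/domlogs/, and the sample logs it writes to a temporary directory are constructed.

```python
import os
import re
import tempfile
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache common/combined prefix: client IP, two '-' fields, [timestamp], "request"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def recent_activity(domlog_dir, now, window=timedelta(minutes=5), ip_threshold=100):
    """Hits per vhost inside `window`, plus the IPs at or above `ip_threshold`.
    Ranking by recent hits, not file size, keeps an old busy log from outranking
    a small vhost that is being hammered right now."""
    cutoff = now - window
    per_vhost, offenders = Counter(), {}
    for name in os.listdir(domlog_dir):
        per_ip = Counter()
        with open(os.path.join(domlog_dir, name), errors="replace") as fh:
            for line in fh:
                m = LOG_RE.match(line)
                if not m:
                    continue  # tolerate malformed lines rather than die mid-incident
                try:
                    ts = datetime.strptime(m.group(2), TS_FMT)
                except ValueError:
                    continue
                if ts >= cutoff:
                    per_ip[m.group(1)] += 1
        per_vhost[name] = sum(per_ip.values())
        offenders[name] = {ip: n for ip, n in per_ip.items() if n >= ip_threshold}
    return per_vhost, offenders

def build_sample_domlogs(now):
    """Constructed sample data: a large idle log beside a small log under load."""
    d = tempfile.mkdtemp()
    fmt = '{ip} - - [{ts}] "GET / HTTP/1.1" 200 512 "-" "-"\n'
    def write(name, ip, age, n):
        ts = (now - age).strftime(TS_FMT)
        with open(os.path.join(d, name), "a") as fh:
            fh.writelines(fmt.format(ip=ip, ts=ts) for _ in range(n))
    write("blog.example.com", "198.51.100.7", timedelta(hours=3), 400)   # big, quiet
    write("shop.example.com", "203.0.113.9", timedelta(seconds=30), 150)  # hammered now
    write("shop.example.com", "192.0.2.44", timedelta(seconds=40), 3)     # normal visitor
    return d

def demo():
    now = datetime.now(timezone.utc)
    per_vhost, offenders = recent_activity(build_sample_domlogs(now), now)
    return per_vhost.most_common(1)[0][0], offenders
```

Point it at the real domlogs directory with a current timestamp to get the busiest vhost of the last few minutes rather than the biggest file on disk.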

acenetryan

Well-Known Member
PartnerNOC
Aug 21, 2005
Also, this was a nice little command we use for seeing how many connections are coming from each IP:

Code:
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | more
 

doru.harnu

Registered
Jul 14, 2007
Well ... to determine the DoSed site you can use the Apache server-status utility http://domain.com/server-status - enable it in httpd.conf: nano /usr/local/apache/conf/httpd.conf > ctrl-w > server status > ExtendedStatus On > uncomment the section at <Location /server-status> and put your IP address there (instead of .example.com). Restart Apache and check your server status.
Ok ...
Basically, when some site is DoSed then that is the most "visited" site in your world :) In this case we can determine it by using the following script:
bash-3.1$ cat ss.sh
#!/bin/bash
# Dump Apache server-status for the given host and list the ten most common
# request rows (lines containing GET), leaving out Perl scripts (.pl).
if [ "$#" -lt 1 ]; then
    echo "Usage: $0 hostname"
    exit 1
fi
host="$1"
url="http://$host/server-status"
# mktemp gives a fresh, unpredictable file instead of a fixed /tmp path
TMPFILE=$(mktemp -q /tmp/ss.XXXXXX) || exit 1
trap 'rm -f "$TMPFILE"' EXIT
lynx -dump "$url" > "$TMPFILE"
grep GET "$TMPFILE" | grep -v '\.pl' | sort | uniq -c | sort -rnk1 | head -10
bash-3.1$
bash-3.1$ ./ss.sh some.domain.com
5 some.other.vhost.domain.com GET
1 GET /index.php?m=details&id=405 HTTP/1.1
1 8-0 18771 0/7/7 W 0.09 9 0 0.0 0.03 0.03 89.40.155.195 domain.com GET
1 7-0 18768 1/7/7 K 0.02 2 4 0.1 0.00 0.00 66.249.65.145 domain.com GET
1 6-0 18767 0/6/6 _ 0.17 26 1 0.0 0.03 0.03 74.6.29.42 domain.com GET
bash-3.1$
In my case I have 5 connections to some.other.vhost.domain.com. If I see a huge number of simultaneous connections I will be sure that it is a DoS.
To filter those idiots you can use the OS packet filter (iptables/ipfw), but first check this line (which works fine under Linux):
bash-3.1$ netstat -taepn|tr -s " " " "|awk '{print $5;}'|cut -d: -f1|sort|uniq -c|sort -rnk1|head
I think only idiots and DoSers will open more than 100 simultaneous connections to your server .... By using iptables under Linux you can DROP those connections and you will be happy :)
This quasi-tutorial can be adapted to FreeBSD by editing some variables in the netstat script :)
Try it and have fun :)
Anyway, please let me know of any issues ;)
Good Luck!
 

doru.harnu

Registered
Jul 14, 2007
Rectification:
I'm using that script to parse Perl scripts ... It is better to use the following:

bash-3.1$ cat ss.sh
#!/bin/bash
# Dump Apache server-status for the given host and count how many worker rows
# each vhost (first field of the GET lines) currently holds.
if [ "$#" -lt 1 ]; then
    echo "Usage: $0 hostname"
    exit 1
fi
host="$1"
url="http://$host/server-status"
TMPFILE=$(mktemp -q /tmp/ss.XXXXXX) || exit 1
trap 'rm -f "$TMPFILE"' EXIT   # remove the temp file on any exit, not only on success
lynx -dump "$url" > "$TMPFILE"
grep GET "$TMPFILE" | awk '{print $1}' | grep -v GET | sort | uniq -c | sort -rnk1 | head -10
bash-3.1$

Good Luck!