The Community Forums


How to check which site is being DoSed?

Discussion in 'General Discussion' started by thealee, Jul 12, 2007.

  1. thealee

    thealee Member

    Joined:
    Oct 5, 2006
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    Hi there,

    I was wondering, do you guys have any advice on how to check which website is being targeted in the event of a DoS attack?

    Netstat doesn't have a feature to list what domain the IPs are accessing, does it?

    Some of you will recommend apache status; I've found this to be not very helpful. Plus, if you have mod_evasive installed, it may be the case that many IPs (or a single IP) are making connections to the server but being rejected and never reaching apache status. This does still, however, cause load on the server.

    So I'm asking what you guys use to detect which sites are being DoSed, and any other advice you may have.

    Thanks.
     
  2. nyjimbo

    nyjimbo Well-Known Member

    Joined:
    Jan 25, 2003
    Messages:
    1,125
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    New York
    I think you pretty much have to run everything. Not all DOS attacks are the same. Even an apache-targeted attack can look different depending on what exactly they are throwing at port 80.

    Apache status, top, ps ax with different switches, modsecurity logs, netstat with various switches, etc. all produce bits of info that help.

    If you have a hardware firewall, that can really help to see what is coming in if it's a big volume; something like m0n0wall will tell you what the packets are in great detail. I use FreeBSD, so we use IPFW/Dummynet as a software firewall on each server and m0n0 as the main hardware firewall for the whole network.

    You might also want to start a friendly conversation with your upstream or ISP to ask them for DETAILED info on how they would handle a DOS. Sometimes an upstream will be happy to help you during a DOS with specific info they see going into you, as they are really filtering it and not the target and are not affected directly. Some even have proactive ways to stop the attacks but might not have it enabled for your service.

    But also remember that some "DOS attacks" can be googlebots slamming your server or something less sinister.
     
  3. acenetryan

    acenetryan Well-Known Member
    PartnerNOC

    Joined:
    Aug 21, 2005
    Messages:
    197
    Likes Received:
    1
    Trophy Points:
    18
    thealee, personally, I like to go into:

    /usr/local/apache/domlogs/

    Run an ls sorted by file size (in human readable format for ease of reading):

    ls -lhS | less

    The largest domlog is usually the one getting hit. Tail the log and block the IPs.

    Doesn't work all the time, but one more measure to add to your arsenal.
     
  4. acenetryan

    acenetryan Well-Known Member
    PartnerNOC

    Joined:
    Aug 21, 2005
    Messages:
    197
    Likes Received:
    1
    Trophy Points:
    18
    Also, this was a nice little command we use for seeing how many connections are coming from each IP:

    Code:
    netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | more
    
     
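    The two ideas in these posts (sort the domlogs by size, then count connections per remote address) can be wrapped in shell functions so they can be scripted against thresholds. This is an added example, not code from the thread; the domlog lines and the netstat output it works on are constructed, and the function names are my own. It also strips only the trailing :port instead of cutting at the first colon, so IPv6 peers are counted correctly.

```bash
#!/bin/sh
# Added example, not code from the thread: find the largest domlog, tally the
# client IPs dominating it, and count live connections per remote address.
# The sample log lines and netstat output below are constructed.

# List the N largest files in a domlogs directory, largest first
# (the thread's "ls -lhS", reduced to names so it can be scripted).
largest_domlogs() {
    dir="$1"; n="${2:-5}"
    ls -S "$dir" | head -n "$n"
}

# Top N client IPs in an Apache access log (the client IP is field 1).
top_ips_in_log() {
    log="$1"; n="${2:-10}"
    awk '{print $1}' "$log" | sort | uniq -c | sort -rn | head -n "$n"
}

# Read "netstat -ntu" output on stdin and print "count address", busiest first.
# Skips the two header lines and stateless UDP rows (fewer than 6 fields), and
# strips only the trailing :port so IPv6 addresses are not cut at the first
# colon the way "cut -d: -f1" would.
count_conns_per_ip() {
    awk 'NR > 2 && NF >= 6 {print $5}' | sed 's/:[0-9]*$//' | sort | uniq -c | sort -rn
}

# Address with the most connections, convenient for threshold checks.
busiest_ip() {
    count_conns_per_ip | head -n 1 | awk '{print $2}'
}

# Constructed domlogs: one quiet vhost and one being hit from a single address.
make_sample_domlogs() {
    dir="$1"
    printf '198.51.100.7 - - [12/Jul/2007:10:00:00 +0000] "GET / HTTP/1.1" 200 512\n' > "$dir/quiet.example.org"
    for i in 1 2 3 4 5; do
        printf '203.0.113.9 - - [12/Jul/2007:10:00:0%s +0000] "GET /index.php HTTP/1.1" 200 1024\n' "$i" >> "$dir/busy.example.net"
    done
    printf '198.51.100.7 - - [12/Jul/2007:10:00:09 +0000] "GET /x HTTP/1.1" 404 200\n' >> "$dir/busy.example.net"
}

# Constructed "netstat -ntu" output, header included, with one IPv6 row.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             198.51.100.20:51001     ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.20:51002     ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.20:51003     SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:44100       ESTABLISHED
tcp6       0      0 2001:db8::5:80          2001:db8:1::7:5555      ESTABLISHED
udp        0      0 10.0.0.5:53             0.0.0.0:*'

# Demo on the constructed data. On a live box use /usr/local/apache/domlogs
# as the directory and pipe "netstat -ntu" into count_conns_per_ip instead.
demo() {
    d=$(mktemp -d) || return 1
    make_sample_domlogs "$d"
    biggest=$(largest_domlogs "$d" 1)
    echo "largest domlog: $biggest"
    top_ips_in_log "$d/$biggest" 3
    printf '%s\n' "$SAMPLE_NETSTAT" | count_conns_per_ip
    rm -rf "$d"
}

demo
```

    A sudden jump in one address's count from count_conns_per_ip is the signal the thread is after; the largest domlog tells you which vhost is absorbing it, and its top client IPs tell you whom to block.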
  5. doru.harnu

    doru.harnu Registered

    Joined:
    Jul 14, 2007
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    Well ... to determine the DoSed site you can use the apache server-status utility (http://domain.com/server-status). Enable it in httpd.conf: nano /usr/local/apache/conf/httpd.conf > ctrl-w > server status > ExtendedStatus On > uncomment the section at <Location /server-status> and put your IP address there (instead of .example.com). Restart apache and check your server status.
    Ok ...
    Basically, when some site is DoSed then that is the most "visited" site in your world :) In this case we can determine it by using the following script:
    Code:
    #!/bin/bash
    if [ "$#" -lt "1" ]; then
        echo "Usage: $0 hostname"
        exit 1
    fi
    host="$1"
    url="$host/server-status"
    TMPFILE=/tmp/XXXXXX
    lynx -dump "$url" > "$TMPFILE"
    grep GET "$TMPFILE" | grep -v ".pl" | sort | uniq -c | sort -rnk1 | head -10
    
    Code:
    bash-3.1$ ./ss.sh some.domain.com
    5 some.other.vhost.domain.com GET
    1 GET /index.php?m=details&id=405 HTTP/1.1
    1 8-0 18771 0/7/7 W 0.09 9 0 0.0 0.03 0.03 89.40.155.195 domain.com GET
    1 7-0 18768 1/7/7 K 0.02 2 4 0.1 0.00 0.00 66.249.65.145 domain.com GET
    1 6-0 18767 0/6/6 _ 0.17 26 1 0.0 0.03 0.03 74.6.29.42 domain.com GET
    bash-3.1$
    In my case I have 5 connections to some.other.vhost.domain.com. If I see a huge number of simultaneous connections I will be sure that it is a DoS.
    To filter those idiots you can use the OS packet filter (iptables/ipfw), but first check this line (it works fine under Linux):
    
    Code:
    netstat -taepn | tr -s " " " " | awk '{print $5;}' | cut -d: -f1 | sort | uniq -c | sort -rnk1 | head
    
    I think only idiots and DoSers will open more than 100 simultaneous connections to your server .... By using iptables under Linux you can DROP those connections and you will be happy :)
    This quasi-tutorial can be adapted to FreeBSD by editing some variables in the netstat script :)
    Try it and have fun :)
    Anyway please let me know any issue ;)
    Good Luck!
     
  6. doru.harnu

    doru.harnu Registered

    Joined:
    Jul 14, 2007
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    Rectification:
    I'm using that script to parse perl scripts ... It is better to use the following:

    Code:
    #!/bin/bash
    # Usage: ./ss.sh hostname -- summarise Apache server-status by the first field of each request row
    if [ "$#" -lt "1" ]; then
        echo "Usage: $0 hostname"
        exit 1
    fi
    host="$1"
    url="$host/server-status"
    # mktemp gives an unpredictable private file (a fixed /tmp name could be pre-created by someone else)
    TMPFILE=$(mktemp -q /tmp/XXXXXX) || exit 1
    lynx -dump "$url" > "$TMPFILE"
    # rows containing GET carry a request; on rows lynx has wrapped the first field is the VHost,
    # and rows that begin with GET themselves are continuation lines, so they are dropped
    grep GET "$TMPFILE" | awk '{print $1}' | grep -v GET | sort | uniq -c | sort -rnk1 | head -10
    rm -f "$TMPFILE"

    Good Luck!
     
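    The scripts in the two posts above key on the first field of each server-status row, which is the VHost only on the rows lynx has wrapped; on a full row the first field is the Srv slot id. The following added example (mine, not the thread's script) instead locates the HTTP method token on each row and takes the field just before it, which is the VHost column in both layouts. The dump it parses is constructed in the shape of the output shown above, with documentation addresses and hostnames in place of the real ones; server_status_vhosts is the only function that touches the network.

```bash
#!/bin/sh
# Added example, not the thread's script: count in-flight requests per VHost
# from an Apache server-status text dump, independent of column position.
# Feed it "lynx -dump http://host/server-status" output (or the sample below).

# Print "count vhost", busiest first. A request row in the dump ends with
# "... <client> <vhost> <METHOD> <path> HTTP/1.x"; we locate the method token
# and take the field before it, so rows lynx has wrapped still count and
# continuation lines that begin with the method (no vhost on them) are skipped.
vhost_request_counts() {
    awk '
      {
        for (i = 2; i <= NF; i++)
          if ($i ~ /^(GET|POST|HEAD|PUT|DELETE|OPTIONS)$/) { print $(i-1); break }
      }' | sort | uniq -c | sort -rn
}

# The VHost with the most in-flight requests, for alerting on a threshold.
busiest_vhost() {
    vhost_request_counts | head -n 1 | awk '{print $2}'
}

# Fetch and summarise a live server (lynx as in the thread; "curl -s" works
# the same). /server-status should stay restricted to admin addresses as the
# earlier post's httpd.conf step does.
server_status_vhosts() {
    host="$1"
    lynx -dump "http://$host/server-status" | vhost_request_counts
}

# Constructed dump in the shape shown in the thread: header, three full rows,
# two rows lynx wrapped so they start with the VHost, and one orphan request line.
SAMPLE_STATUS='Srv PID Acc M CPU SS Req Conn Child Slot Client VHost Request
8-0 18771 0/7/7 W 0.09 9 0 0.0 0.03 0.03 198.51.100.15 shop.example.net GET /index.php?m=details&id=405 HTTP/1.1
7-0 18768 1/7/7 K 0.02 2 4 0.1 0.00 0.00 203.0.113.45 www.example.org GET / HTTP/1.1
6-0 18767 0/6/6 _ 0.17 26 1 0.0 0.03 0.03 192.0.2.42 www.example.org GET /robots.txt HTTP/1.1
shop.example.net GET /cart.php HTTP/1.1
shop.example.net POST /checkout.php HTTP/1.1
GET /index.php?m=details&id=405 HTTP/1.1'

# Demo on the constructed dump; replace with server_status_vhosts HOST on a live box.
printf '%s\n' "$SAMPLE_STATUS" | vhost_request_counts
```

    Expected output on the sample is 3 for shop.example.net and 2 for www.example.org; the header row and the orphan GET line contribute nothing, which is the behaviour the rectified script was trying to get with grep -v GET.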