The Community Forums


How To Successfully Stop DOS Attack?

Discussion in 'General Discussion' started by dkz, Jul 14, 2005.

  1. dkz

    dkz Well-Known Member

    Joined:
    Sep 10, 2004
    Messages:
    100
    Likes Received:
    0
    Trophy Points:
    16
    Hello,

    A new client of mine is having an ongoing DOS attack against his website. This has been happening to him for the past week and he keeps moving to new web hosts until they remove his site due to the DOS attack. I wanted to know how everyone else handles DOS attacks that keep coming from random IPs. I already have APF, BFD, the vHost Limit Apache mod and just tried DOSevasive. Nothing has really worked. If I keep the vhost limit at 25 the server load will pretty quickly rise to 25. Without vhost the load goes past 100. APF did ban a couple of IPs while the account was online but the attack just keeps coming...

    I feel sorry for this person since at one point he had a successful website but no web host will keep a site that is constantly being attacked. Any suggestions?

    Thank you for the help!
     
  2. richy

    richy Well-Known Member

    Joined:
    Jun 30, 2003
    Messages:
    276
    Likes Received:
    1
    Trophy Points:
    16
    Is it a DoS against just Apache (port 80) or is it a more "scattergun" approach? What sort of traffic volume are you receiving during a DoS attack? There are specialist companies available that can help - but they are more used to dealing in the xxGbps range of attack - which will probably be overkill for you (in spec and price).
     
  3. gpreston

    gpreston Well-Known Member

    Joined:
    Jan 31, 2004
    Messages:
    61
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    West Chester, PA
    Have you informed the FBI? Last time a server of mine was receiving a DDoS attack we spoke with "The Man" and gave them some server logs and a week or so later the attacks quit altogether.
     
  4. dkz

    dkz Well-Known Member

    Joined:
    Sep 10, 2004
    Messages:
    100
    Likes Received:
    0
    Trophy Points:
    16
    I think it's only against port 80. During the attack, when the load was about 50, I was able to run the command netstat -autpn | grep :80 and save it to a file. I didn't even think of running netstat without specifying a port, but most of them are blocked via APF. As far as volume is concerned, I don't know how to answer that other than saying there were a lot more IPs listed in the file than usual.

    Sorry if I don't have the answers you are looking for. This is the first time I have been hit with this kind of DOS attack. What should I be looking at and what commands?

    Thanks for the help!

    I forgot to mention we have some idea who is doing this but that seems like a lost cause. What do you think?
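    Following on from the netstat -autpn | grep :80 step above, here is an added example (not from any poster in this thread) that turns a saved netstat capture into the two numbers worth looking at first: connections per remote IP and how many port-80 sockets are half-open. The sample capture is constructed; the addresses and functions are assumptions for illustration.

```shell
#!/bin/sh
# Constructed sample in the layout of `netstat -autpn` output (not a real capture).
# Local port 80 is the web server; 198.51.100.7 is deliberately the noisy client.
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1201/httpd
tcp        0      0 203.0.113.10:80         198.51.100.7:51234      SYN_RECV    -
tcp        0      0 203.0.113.10:80         198.51.100.7:51235      SYN_RECV    -
tcp        0      0 203.0.113.10:80         198.51.100.7:51236      ESTABLISHED 1201/httpd
tcp        0      0 203.0.113.10:80         192.0.2.44:40001        ESTABLISHED 1201/httpd
tcp        0      0 203.0.113.10:22         192.0.2.99:22222        ESTABLISHED 900/sshd
udp        0      0 0.0.0.0:53              0.0.0.0:*                           800/named'

# per_ip_counts: read netstat output on stdin and print "<count> <ip>" for each
# remote address holding a TCP connection to local port 80, busiest first.
# The trailing ":port" is stripped with sub() so IPv6-mapped entries work too.
per_ip_counts() {
    awk '$1 == "tcp" && $4 ~ /:80$/ && $6 != "LISTEN" {
            ip = $5; sub(/:[0-9]+$/, "", ip); n[ip]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# half_open_count: number of port-80 sockets stuck in SYN_RECV. A large value
# relative to ESTABLISHED points at a SYN flood rather than an HTTP-level flood.
half_open_count() {
    awk '$1 == "tcp" && $4 ~ /:80$/ && $6 == "SYN_RECV" { c++ } END { print c + 0 }'
}

# flag_offenders THRESHOLD: remote IPs with at least THRESHOLD port-80 connections,
# the list you would hand to the NOC or review before adding to APF.
flag_offenders() {
    per_ip_counts | awk -v t="$1" '$1 >= t { print $2 }'
}

# Stand-alone run over the constructed sample (for a real capture use:
#   per_ip_counts < netstat.txt ).
printf '%s\n' "$SAMPLE" | per_ip_counts
printf 'half-open on :80: %s\n' "$(printf '%s\n' "$SAMPLE" | half_open_count)"
printf '%s\n' "$SAMPLE" | flag_offenders 2
```

    A few thousand distinct IPs each with one or two connections is the distributed pattern jester.ro describes later in the thread, where local banning buys little; a handful of IPs with hundreds each is the case APF can actually help with.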
     
  5. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Unfortunately, the only reliable way to stop such attacks is going to be higher up the IP food chain - i.e. at the NOC's routers. Some NOCs provide such protection within their infrastructure, some deploy it when it is needed, some don't help - you really need to approach the datacentre where the server is hosted for a solution.

    That said, sometimes taking the domain offline for a while, or moving it to a different IP address can help, though the problem could move with it.
     
  6. lynxchap

    lynxchap Registered

    Joined:
    Jul 11, 2005
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    Hello,

    DDoSes are always on the IP numbers. Try to find out on which IP address you are getting most of the requests on port 80. If it's an additional IP address bound to your server then you can remove the IP address from WHM. I have found a very good tutorial on how to stop DDoS. Please check the link given below.

    http://etechsupport.net/forum/showthread.php?t=434


    --lynxchap
     
  7. pshepperd

    pshepperd Well-Known Member

    Joined:
    Feb 12, 2005
    Messages:
    147
    Likes Received:
    0
    Trophy Points:
    16
    Configure APF to ban IPs by itself; APF is a great tool that if configured properly can mitigate DDoS attacks before you have to deal with them. For instance my server watches for certain patterns and blocks the origin for 10 minutes.
     
  8. riot

    riot Member

    Joined:
    Feb 1, 2005
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Blumenau / SC / Brazil
    Sorry about my English ;)

    I'm looking for information about the DoS attack too and have a little question:

    I'm just a cPanel user (I have a reseller service), currently offline because the guys at the hosting service said "yeah, another DoS attack!". Well, how can I know if the problem is a DoS attack? I'm not saying that I don't trust the company, but it would be great to have this information to see what is happening exactly.

    Thanks for the attention,
    Eduardo
     
  9. allpar

    allpar Active Member

    Joined:
    Sep 16, 2005
    Messages:
    43
    Likes Received:
    0
    Trophy Points:
    6
    How would one do that? APF docs are sparse.
     
  10. jester.ro

    jester.ro Well-Known Member
    PartnerNOC

    Joined:
    Feb 6, 2004
    Messages:
    304
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Bucharest, Romania
    cPanel Access Level:
    DataCenter Provider
    As chirpy said, blocking DoSes at the local level does not help.

    You still have the inbound traffic; what you can do is protect the software running on the server - in your case Apache.

    And if it's a DDoS - distributed, which is more common lately - you'll end up banning thousands of IPs for nothing.

    Last time I had one of these, I compiled the IPs that were attacking, and I solved the problem by talking to the provider, who blocked whole C-classes.

    So the only way that is effective: talk to the NOC, or your ISP.
     
  11. allpar

    allpar Active Member

    Joined:
    Sep 16, 2005
    Messages:
    43
    Likes Received:
    0
    Trophy Points:
    6
    I'll chime in and point out that if the provider is that unresponsive, on second thought, it would make more sense to switch to a new provider. I know that means a disruption, especially if you have forums or need to keep good web stats, but it's well worth it! A good responsive provider makes ALL the difference. I've noticed that hostrocket doesn't take too long to deal with DOS attacks and they're very cheap. I've never had a DOS problem with Esosoft either (just avoid their middle-tier product which is a resold Verio server; their base and dedicated lines are good.) I have a couple of sites on Dreamhost too and they seem to be available and courteous. There's no shortage of good responsive providers.
     
  12. jensendw

    jensendw Member

    Joined:
    Aug 7, 2005
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    0
    I would ask what your NOC would recommend. If they offer no solutions you may want to look into the IDS that v-secure provides (v-secure.com). I just got done with a 3 week trial phase and I must say I'm impressed; this thing stops everything. It's a little pricey though, but depending on who your customers are and how many you have would probably be the determining factor for spending the cash for a resolution.
     
  13. riot

    riot Member

    Joined:
    Feb 1, 2005
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Blumenau / SC / Brazil
    My hosting service was 2 days offline.

    The solution: Cisco PIX 501
     


  14. IPSecureNetwork

    IPSecureNetwork Well-Known Member

    Joined:
    May 28, 2005
    Messages:
    99
    Likes Received:
    0
    Trophy Points:
    6
    See this post:
    http://forums.cpanel.net/showthread.php?t=44688&highlight=attack
    Botnet attack prevention.
    You only need 2 things:
    APF
    snort_inline sniffing all packets.
    Just set your iptables to enable the queue option,
    and snort_inline discards all SYN packets without an ACK response.
    It is a nice way to protect all the servers.
    I had the same problem a few months ago but ..
    never again with this way.
    Set your UDP ports to block any external connection except port 53 (DNS)
    and use Snort and APF and your server will be protected ..
    If your ISP or datacenter blocks the victim IP .. or blocks all your incoming connections ...
    check with them to resolve the problem.

    That works for me.
     
  15. btrieve

    btrieve Well-Known Member
    PartnerNOC

    Joined:
    Mar 20, 2002
    Messages:
    47
    Likes Received:
    0
    Trophy Points:
    6
    Your best bet is going to be an application level firewall, which some datacenter managed firewall services will offer -- layer 7 packet inspection will be able to decipher and block the form of attack, whether it is thousands of malformed URLs (which is what we usually see) or other miscellaneous stuff being slammed at port 80.

    You are looking at a device in the 2k+ range, I'd recommend the netscreen 25.
     