The Community Forums


My server under attack

Discussion in 'General Discussion' started by Jackmaninov, Jan 4, 2003.

  1. Jackmaninov

    Jackmaninov Member

    Joined:
    Sep 6, 2002
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    1
    One of the sites hosted on my server has had a bit of a run-in with the operator of a competing site, and now it seems my server is under attack.

    For a few hours a day, load on the system increases dramatically. I've seen a 15 minute load of 140! After spiking, I get an apache failure notification, and load will go down until the next day. While this high load is occurring, the CPU is mostly being used by system, with a typical top reading giving over 90% system usage. I'm assuming this is caused by httpd process forking; the number of httpd processes jumps during each attack.

    Additionally, I have a TON of connections listed as TIME_WAIT when I do a netstat -an. They are all pointing at port 80, and are from random IPs, which I assume are spoofed, as I can find no long-term pattern to them or their source ports. Filtering out traffic from individual IPs in the TIME_WAIT state has no effect.

    I have followed all the recommendations I can find for repelling a SYN flood attack. TCP syncookies are on. I have reduced the TCP keepalive time from 7200s to 30s.

    Other recommendations I've seen include tweaking apache. I'm using the following related settings:

    MaxKeepAliveRequests 50
    KeepAliveTimeout 5
    MinSpareServers 5
    MaxSpareServers 10
    MaxClients 170
    StartServers 15
    MaxRequestsPerChild 10000

    I've also just installed Bastille, with no effect.

    I'm running out of ideas here! Any suggestions would be most appreciated.
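    As an added example (not from the original post, and not cPanel or Apache code), a small Python script that summarizes `netstat -an` output the way the poster describes looking at it: connection counts per TCP state on port 80, and how many distinct remote IPs appear in each state, which is what separates a handful of noisy clients from the spoofed or distributed pattern described above. The netstat sample embedded in it is constructed, and the alert thresholds are illustrative assumptions.

```python
from collections import Counter

# Constructed sample of `netstat -an` output (not taken from the original post).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      TIME_WAIT
tcp        0      0 192.0.2.10:80           198.51.100.7:51235      TIME_WAIT
tcp        0      0 192.0.2.10:80           203.0.113.44:40001      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.45:40002      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.46:40003      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.9:60110      ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.9:60120      ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""

def parse_netstat(text):
    """Yield (local_port, remote_ip, state) for every TCP row of netstat -an."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "tcp6"):
            continue  # header rows, UDP rows (no State column), unix sockets
        local, remote, state = fields[3], fields[4], fields[5]
        yield int(local.rsplit(":", 1)[1]), remote.rsplit(":", 1)[0], state

def summarize(text, port=80):
    """Per-state connection counts on `port`, plus remote-IP counts per state."""
    states, per_ip = Counter(), {}
    for lport, rip, state in parse_netstat(text):
        if lport != port or state == "LISTEN":
            continue  # the listening socket itself is not a connection
        states[state] += 1
        per_ip.setdefault(state, Counter())[rip] += 1
    return states, per_ip

def assess(states, per_ip, half_open_limit=3, time_wait_limit=2):
    """Flag the two patterns discussed in the thread: a pile of half-open
    (SYN_RECV) connections, and TIME_WAIT entries spread over many remote IPs.
    The limits are illustrative assumptions, not tuned production values."""
    findings = []
    if states["SYN_RECV"] >= half_open_limit:
        findings.append("half-open backlog: %d SYN_RECV" % states["SYN_RECV"])
    tw_ips = per_ip.get("TIME_WAIT", Counter())
    if states["TIME_WAIT"] >= time_wait_limit:
        findings.append("TIME_WAIT: %d entries from %d distinct IPs"
                        % (states["TIME_WAIT"], len(tw_ips)))
    return findings
```

On a live box, pass the captured output of `netstat -an` to `summarize` in place of the constructed sample; a high TIME_WAIT count spread over nearly as many distinct IPs is the signature the poster describes, while repeats from a few IPs point at specific clients.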
     
  2. mrprez

    mrprez Well-Known Member

    Joined:
    Jun 14, 2002
    Messages:
    93
    Likes Received:
    0
    Trophy Points:
    16
    Cancel his account if he can't get along with others!

    John
     
  3. Jackmaninov

    Jackmaninov Member

    Joined:
    Sep 6, 2002
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    1
    Serious suggestions would be more appreciated than shallow, obvious solutions.
     
  4. mrprez

    mrprez Well-Known Member

    Joined:
    Jun 14, 2002
    Messages:
    93
    Likes Received:
    0
    Trophy Points:
    16
    I am being totally serious. He has caused this problem, deal with it.

    John
     
  5. andyf

    andyf Well-Known Member

    Joined:
    Jan 7, 2002
    Messages:
    246
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    UK
    Get proof of the attack and approach the attackers provider.
     
  6. anand

    anand Well-Known Member

    Joined:
    Nov 11, 2002
    Messages:
    1,435
    Likes Received:
    1
    Trophy Points:
    38
    Location:
    India
    cPanel Access Level:
    DataCenter Provider
    I know this is very old, but did you manage to find a solution for this? I had the same problem appear on a customer server.
     
  7. bamasbest

    bamasbest Well-Known Member

    Joined:
    Jan 10, 2004
    Messages:
    531
    Likes Received:
    0
    Trophy Points:
    16
    Don't know if this will help.

    But, my NOC/DC has spent a fortune in hardware and software to detect and squash attacks. If they don't automatically detect one and I find that one of my servers/IP's are under attack, I just give them a call and they tweak their settings. All handled at the switches and they never charge me to provide a higher level of security.
     
  8. anand

    anand Well-Known Member

    Joined:
    Nov 11, 2002
    Messages:
    1,435
    Likes Received:
    1
    Trophy Points:
    38
    Location:
    India
    cPanel Access Level:
    DataCenter Provider
    Hmm... nice.
     
  9. bamasbest

    bamasbest Well-Known Member

    Joined:
    Jan 10, 2004
    Messages:
    531
    Likes Received:
    0
    Trophy Points:
    16
    This, IMO, is what I pay my NOC for! Dedicated server lessees and Colo's can't (or shouldn't) be expected to enable all security options on a server by server basis when this can/should be addressable by NOC hardware/software.
     
  10. djoverho

    djoverho Active Member

    Joined:
    Feb 19, 2002
    Messages:
    34
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    WV
    Hi... do you have a firewall enabled on your server? We had similar attacks from an Asian ISP; we were getting bombed with attacks that would eventually overload Apache and crash the server. We use APF firewall, www.rfxnetworks.com, so I just blocked the entire range of IPs, which brought an immediate stop to the attacks. You can block single IPs or the whole range... we just blocked the range because if we just blocked the IP they would come back with another one right away. It's a very simple program to install, and to block IPs all you type is apf -d 111.111.111.111. Just a suggestion... hope this helps.
     