The Community Forums


Possible DOS attacks - extreme load

Discussion in 'General Discussion' started by remik, Jan 18, 2006.

  1. remik

    remik Guest

    Hi.
    I have been receiving multiple DoS attacks on my system (I reckon these are DoS attacks). My load goes above 30, which leads to services being shut down and sometimes hangs my server. This is part of my /var/log/messages:

    Code:
    Jan 19 00:02:18 shock stunnel: LOG3[20641:241]: SSL_read: Connection reset by peer (104)
    Jan 19 00:02:18 shock stunnel: LOG5[20641:241]: Connection reset: 150 bytes sent to SSL, 1431 bytes sent to socket
    Jan 19 00:02:19 shock stunnel: LOG5[20641:241]: stack_info: size=65536, current=4172 (6%), maximum=4172 (6%)
    Jan 19 00:02:19 shock stunnel: LOG5[20641:242]: webmailhttps connected from 83.6.83.142:1791
    Jan 19 00:02:22 shock stunnel: LOG3[20641:242]: SSL_accept: Peer suddenly disconnected
    Jan 19 00:02:22 shock stunnel: LOG5[20641:242]: stack_info: size=65536, current=3836 (5%), maximum=4172 (6%)
    Jan 19 00:02:22 shock stunnel: LOG5[20641:243]: webmailhttps connected from 83.6.83.142:1792
    
    There are plenty of stunnel connections from various IPs in my logs.
    My /usr/apache/log/error_log shows as follows:

    Code:
    [Thu Jan 19 00:07:32 2006] [warn] child process 22948 still did not exit, sending a SIGTERM
    [Thu Jan 19 00:07:32 2006] [warn] child process 22949 still did not exit, sending a SIGTERM
    [Thu Jan 19 00:07:32 2006] [warn] child process 22950 still did not exit, sending a SIGTERM
    [Thu Jan 19 00:07:32 2006] [warn] child process 22951 still did not exit, sending a SIGTERM
    [Thu Jan 19 00:07:32 2006] [warn] child process 22952 still did not exit, sending a SIGTERM
    [Thu Jan 19 00:07:32 2006] [warn] child process 22954 still did not exit, sending a SIGTERM
    [Thu Jan 19 00:07:32 2006] [warn] child process 22956 still did not exit, sending a SIGTERM
    [Thu Jan 19 00:07:32 2006] [warn] child process 22961 still did not exit, sending a SIGTERM
    [Thu Jan 19 00:07:32 2006] [warn] child process 22962 still did not exit, sending a SIGTERM
    [Thu Jan 19 00:07:32 2006] [warn] child process 22964 still did not exit, sending a SIGTERM
    [Thu Jan 19 00:07:32 2006] [warn] child process 22965 still did not exit, sending a SIGTERM
    [Thu Jan 19 00:07:32 2006] [warn] child process 22967 still did not exit, sending a SIGTERM
    [Thu Jan 19 00:07:32 2006] [warn] child process 27797 still did not exit, sending a SIGTERM
    [Thu Jan 19 00:07:32 2006] [warn] child process 28882 still did not exit, sending a SIGTERM
    [Thu Jan 19 00:07:32 2006] [warn] child process 28883 still did not exit, sending a SIGTERM
    [Thu Jan 19 00:07:32 2006] [warn] child process 28996 still did not exit, sending a SIGTERM
    [Thu Jan 19 00:07:37 2006] [error] could not make child process 22951 exit, attempting to continue anyway
    [Thu Jan 19 00:07:37 2006] [error] could not make child process 22962 exit, attempting to continue anyway
    [Thu Jan 19 00:07:37 2006] [error] could not make child process 22965 exit, attempting to continue anyway
    [Thu Jan 19 00:07:37 2006] [error] could not make child process 22967 exit, attempting to continue anyway
    [Thu Jan 19 00:07:37 2006] [error] could not make child process 29554 exit, attempting to continue anyway
    [Thu Jan 19 00:07:37 2006] [error] could not make child process 30026 exit, attempting to continue anyway
    [Thu Jan 19 00:07:37 2006] [error] could not make child process 32092 exit, attempting to continue anyway
    [Thu Jan 19 00:07:37 2006] [error] could not make child process 30325 exit, attempting to continue anyway
    
    This has been happening for about a week. I thought it was connected with the OpenSSL bug. I have installed the newest stunnel:
    Code:
    stunnel 4.14 on i686-pc-linux-gnu UCONTEXT+POLL+IPv4+LIBWRAP with OpenSSL 0.9.8a 11 Oct 2005
    It didn't help. I've updated PHP to the newest version, 4.4.2. My Apache is 1.3.33 - I have problems installing 1.3.34, but Apache doesn't say it would fix the problem.
    My snort logs don't show anything either. I even tried installing mod_security in the hope it could help me identify the attacker.

    I am running:
    Code:
    Red Hat Enterprise Linux ES release 3 (Taroon Update 4)
    Linux shock.netshock.pl 2.4.21-37.ELsmp #1 SMP Wed Sep 7 13:28:55 EDT 2005 i686 i686 i386 GNU/Linux
    Server version: Apache/1.3.33 (Unix)
    
    The only thing I can do is stop httpd and stunnel for a while. When the load goes down I can run them again and for a few hours the server works fine.

    Please help. I've run out of ideas how to stop the load from getting so high.
     
  2. kernow

    kernow Well-Known Member

    Joined:
    Jul 23, 2004
    Messages:
    865
    Likes Received:
    9
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    When the load gets high, run this from a console:
    netstat -autpn | grep :80
    Look for multiple connections from the same IP and, if there are any, ban the IP at your firewall.
    However, if it's a DDoS attack (not DoS) it's hard to stop.
     
  3. Zaf

    Zaf Well-Known Member

    Joined:
    Aug 22, 2005
    Messages:
    119
    Likes Received:
    0
    Trophy Points:
    16
    You may refer to this thread and use my script to do all of the above:

    # wget http://www.inetbase.com/scripts/ddos/install.ddos
    # sh install.ddos
     
  4. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    Installing this program is just one of the many things you need to do to secure your server. You need to find out who is causing this high load on your server and take the necessary actions: clean up; upgrade insecure scripts/programs; apply security patches and applications. It is very crucial to harden your server to stop future attacks, before it's too late.
     
  5. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    38
    Great script, great idea anyway. I have a few questions if you don't mind.

    I installed this on a few of our servers and saw that it was working to ban some IPs at the rate of about 6 per hour or so, then I reduced the NO_OF_CONNECTIONS= value down to 50, and we received a swarm of complaints from our hosted customers who were not able to reach their sites.

    I am wondering how, or why, any legitimate connection from a web site owner would incur as many as 50 simultaneous connections? In one case I saw, someone was working on their shopping cart, and this was the message that came in via email:


    Banned the following ip addresses on Thu Jan 26 18:08:59 CST 2006

    71.111.159.125 with 247 connections


    247 connections?

    How could this be? Does this mean that the owner of the hosting account has a virus on their computer?


    Next question:

    With the ddos.conf file set up this way:

    FREQ=1
    NO_OF_CONNECTIONS=50
    APF_BAN=1
    KILL=1
    EMAIL_TO="root"
    BAN_PERIOD=600


    The IPs were not being cleared after 600 seconds. Would I need to change APF_BAN=1 to APF_BAN=0 in order to effect this?


    Next question:

    KILL=0 (Bad IPs aren't banned, good for interactive execution of script)

    If IPs are not banned, then what is the effect of the script? Would it have any effect at all? What do you mean by "interactive execution of script"?

    Also:

    If a hosted customer tries to do a mass emailing through their account, would this evoke a ban of their IP?

    Thanks very much. Our servers have been hit very hard lately by all kinds of spam-bot probes and other similar things that look like they originate from external scripts. Hopefully your script will provide some relief.
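
The two questions above (kernow's "look for multiple connections from the same IP" and jols's "247 connections from one shopping-cart user?") turn on the same detail: what exactly gets counted. The following is an added example, not code from the thread or from the ddos script, showing a per-IP count of netstat output that can be limited to particular TCP states. A plain count of every `netstat -an` line includes TIME_WAIT sockets, which linger on the server for a minute or so after each short HTTP connection closes; a busy browser or a whole office behind one NAT address can therefore show far more "connections" than it has open, while a flood of half-open SYN_RECV entries is what a real SYN flood looks like. The `SAMPLE_NETSTAT` lines, the IP addresses in them (documentation ranges) and the port 80 threshold are constructed for the example; the function names are my own.

```shell
#!/bin/sh
# Added example: count per-IP connections to a port from netstat output,
# split by TCP state, and emit firewall commands for IPs over a threshold.
# SAMPLE_NETSTAT is a constructed `netstat -antp` excerpt, not from the thread.
SAMPLE_NETSTAT='tcp        0      0 10.0.0.5:80    203.0.113.10:51001   ESTABLISHED 2201/httpd
tcp        0      0 10.0.0.5:80    203.0.113.10:51002   ESTABLISHED 2202/httpd
tcp        0      0 10.0.0.5:80    203.0.113.10:51003   TIME_WAIT   -
tcp        0      0 10.0.0.5:80    203.0.113.10:51004   TIME_WAIT   -
tcp        0      0 10.0.0.5:80    198.51.100.7:40001   SYN_RECV    -
tcp        0      0 10.0.0.5:80    198.51.100.7:40002   SYN_RECV    -
tcp        0      0 10.0.0.5:80    198.51.100.7:40003   SYN_RECV    -
tcp        0      0 10.0.0.5:443   192.0.2.9:33000      ESTABLISHED 2203/stunnel
tcp        0      0 10.0.0.5:22    192.0.2.9:33001      ESTABLISHED 1101/sshd'

# count_by_ip PORT [STATE_REGEX]
# Reads netstat lines on stdin; prints "<count> <ip>" for peers of the given
# local port, most connections first. STATE_REGEX (an awk ERE) limits which
# TCP states are counted; the default "." counts every state, TIME_WAIT too.
count_by_ip() {
    port="$1"
    states="${2:-.}"
    awk -v port="$port" -v states="$states" '
        $1 ~ /^tcp/ && $4 ~ (":" port "$") && $6 ~ states {
            ip = $5
            sub(/:[0-9]+$/, "", ip)   # strip the peer port, keep the address
            n[ip]++
        }
        END { for (ip in n) printf "%d %s\n", n[ip], ip }
    ' | sort -rn
}

# over_threshold PORT THRESHOLD [STATE_REGEX]
# Prints only the IPs whose count reaches THRESHOLD.
over_threshold() {
    count_by_ip "$1" "$3" | awk -v t="$2" '$1 >= t { print $2 }'
}

# ban_commands PORT THRESHOLD [STATE_REGEX]
# Emits the iptables rule that would drop each offending IP (printed, not
# executed, so the example runs without root). The matching removal when the
# ban period expires is:  iptables -D INPUT -s <ip> -j DROP
ban_commands() {
    over_threshold "$1" "$2" "$3" | while read -r ip; do
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    done
}

# Demonstration over the constructed sample. On a live box replace the printf
# with:  netstat -antp | count_by_ip 80
echo "all states (what a naive count sees):"
printf '%s\n' "$SAMPLE_NETSTAT" | count_by_ip 80
echo "established or half-open only:"
printf '%s\n' "$SAMPLE_NETSTAT" | count_by_ip 80 'ESTABLISHED|SYN_RECV'
echo "ban plan, threshold 3, half-open only:"
printf '%s\n' "$SAMPLE_NETSTAT" | ban_commands 80 3 'SYN_RECV'
```

In the sample, 203.0.113.10 counts as four connections with every state included but only two once TIME_WAIT is excluded, while 198.51.100.7 shows three half-open sockets and nothing established; a threshold applied to the first number bans the legitimate client, a threshold applied per state does not. Whatever threshold is chosen, the count is per source address, so a shared NAT gateway will always look like one very busy client, and a rule inserted with `iptables -I` stays until something deletes it.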
     
  6. HH-Steven

    HH-Steven Well-Known Member

    Joined:
    Aug 29, 2004
    Messages:
    284
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    Sorry to drag up an old post, but I'm having a similar problem.

    Recently installed this (nice, by the way) and it seems to be banning what I consider "honest users". I still have the max connections set to 150 and it's only happening to 1 or 2 people so far.

    Any help would be greatly appreciated.

    Thanks.
     