The Community Forums


Professionals. How do you deal with huge http DOS attacks

Discussion in 'General Discussion' started by bhznat, Oct 27, 2005.

  1. bhznat

    bhznat Active Member

    Joined:
    Jun 2, 2004
    Messages:
    29
    Likes Received:
    0
    Trophy Points:
    1
    My box has been down today for more than 8 hours.
    I have done everything that I know, blocked 6000 IPs with APF, but the attack is running with different IPs?

    I am not sure how to resolve this. Any suggestion/tip may help me.
    Below I added tail -50 error_log.

    Thanks.

    [Thu Oct 27 14:05:21 2005] [error] [client 59.133.10.252] mod_security: Access denied with code 403. Pattern match "^$" at HEADER. [uri ""]
    [Thu Oct 27 14:05:21 2005] [error] [client 219.95.164.65] mod_security: Access denied with code 403. Pattern match "^$" at HEADER. [uri ""]
    [Thu Oct 27 14:05:21 2005] [error] [client 85.102.178.130] mod_security: Access denied with code 403. Pattern match "^$" at HEADER. [uri ""]
    [Thu Oct 27 14:05:22 2005] [error] [client 213.199.243.150] mod_security: Access denied with code 403. Pattern match "^$" at HEADER. [uri ""]
    [Thu Oct 27 14:05:24 2005] [error] [client 61.215.156.197] mod_security: Access denied with code 403. Pattern match "^$" at HEADER. [uri ""]
    [Thu Oct 27 14:05:24 2005] [error] [client 218.228.80.214] mod_security: Access denied with code 403. Pattern match "^$" at HEADER. [uri ""]
    [Thu Oct 27 14:05:24 2005] [error] [client 172.143.75.207] mod_security: Access denied with code 403. Pattern match "^$" at HEADER. [uri ""]
    [Thu Oct 27 14:05:26 2005] [error] [client 85.102.178.130] mod_security: Access denied with code 403. Pattern match "^$" at HEADER. [uri ""]
    [Thu Oct 27 14:05:26 2005] [error] [client 86.195.168.122] mod_security: Access denied with code 403. Pattern match "^$" at HEADER. [uri ""]
    [Thu Oct 27 14:05:26 2005] [error] [client 59.190.35.140] mod_security: Access denied with code 403. Pattern match "^$" at HEADER. [uri ""]
    [Thu Oct 27 14:05:27 2005] [error] [client 85.102.178.130] mod_security: Access denied with code 403. Pattern match "^$" at HEADER. [uri ""]
    [Thu Oct 27 14:05:28 2005] [error] [client 218.228.80.214] mod_security: Access denied with code 403. Pattern match "^$" at HEADER. [uri ""]
    ........
    ........
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    You should ask your datacenter to help and block the DDoS at the routers. Having 6000 IPs in iptables is only going to serve to slow your whole server down and potentially make it unbootable. If your datacenter isn't willing to help, you should probably move to one that provides DDoS protection. Most of the large ones do.
     
  3. bhznat

    bhznat Active Member

    Joined:
    Jun 2, 2004
    Messages:
    29
    Likes Received:
    0
    Trophy Points:
    1
    Thank you chirpy.

    But it will not solve my problem now. Do you agree that it is better to change the main IP and block all traffic to the current IP?

    If so, could you please tell me how to do so, without headache?

    Thanks,
     
  4. abubin

    abubin Well-Known Member

    Joined:
    Dec 7, 2004
    Messages:
    393
    Likes Received:
    1
    Trophy Points:
    18
    Changing the main IP would not help because they are most probably using your domain name to attack you.
     
  5. aby

    aby Well-Known Member

    Joined:
    May 31, 2005
    Messages:
    638
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    India
    Changing the Main IP is certainly an option you can look at, though not a certain solution. You can take a temporary license of cPanel for that IP. You can change it back after 15 days and see if that helps.

    Anyway, it is better to get the help of your datacentre, as Chirpy suggested.
     
  6. BianchiDude

    BianchiDude Well-Known Member
    PartnerNOC

    Joined:
    Jul 2, 2005
    Messages:
    619
    Likes Received:
    0
    Trophy Points:
    16
    How did you block 6,000 IPs?
     
  7. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    There is more to DDoS than just blocking IPs. We have a few clients with the same problem, and managed to stop the DDoS and get their servers up and running.
     
  8. BianchiDude

    BianchiDude Well-Known Member
    PartnerNOC

    Joined:
    Jul 2, 2005
    Messages:
    619
    Likes Received:
    0
    Trophy Points:
    16
    How are you able to stop it without blocking the IPs?
     
  9. bhznat

    bhznat Active Member

    Joined:
    Jun 2, 2004
    Messages:
    29
    Likes Received:
    0
    Trophy Points:
    1
    I have written a script to fetch the specified IPs from the Apache error_log and add them to /etc/apf/deny_host.rules.

    After adding about 8000 IPs, I found that it will not help because there are tons of "..reading.." , "?" requests with tons of IPs like:


    1-0 8210 0/144/144 R 2.20 5 0 0.0 1.10 1.10 ? ? ..reading..
    2-0 8211 0/157/157 R 2.41 0 10 0.0 0.78 0.78 ? ? ..reading..
    3-0 8212 0/134/134 R 2.22 0 1700 0.0 0.95 0.95 ? ? ..reading..
    4-0 8213 0/148/148 R 2.26 4 0 0.0 1.78 1.78 ? ? ..reading..
    5-0 8216 0/169/169 R 2.26 12 135 0.0 1.31 1.31 ? ? ..reading..
    6-0 8217 0/143/143 R 1.95 6 0 0.0 1.39 1.39 ? ? ..reading..


    Finally I removed deny_host.rules, and added each IP that I found as a whole block, e.g. xxx.0.0.0/8 or xxx.0.0.0/16 ...

    This resolved the issue, but all forms on all sites will not work now.
    I am getting this report on dnsreport.com:

    "A timeout occurred getting the NS records from your nameservers! None of your nameservers responded fast enough. They are probably down or unreachable. I can't continue since your nameservers aren't responding. If you have a Watchguard Firebox, it's due to a bug in their DNS Proxy, which must be disabled. "

    I think maybe I have blocked some local network IPs, but I'm not sure how to resolve this. I don't know which IPs I should exclude from deny_host.rules.

    Anyone have a suggestion on how to resolve the NS problem???

    Thanks.
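An added example (not the poster's script and not part of the thread): it parses error_log lines in the format quoted in the first post, counts mod_security denials per client, optionally widens each IP to a /16 or /8 the way the last post describes, and refuses any block that overlaps an address the server itself depends on (its own IP, its nameservers, the datacenter management range), which is the check that would have caught the nameserver outage. The sample log lines and every address in PROTECTED are constructed documentation addresses.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the error_log format from the thread (not the poster's actual log).
SAMPLE_LOG = """\
[Thu Oct 27 14:05:21 2005] [error] [client 59.133.10.252] mod_security: Access denied with code 403. Pattern match "^$" at HEADER. [uri ""]
[Thu Oct 27 14:05:21 2005] [error] [client 85.102.178.130] mod_security: Access denied with code 403. Pattern match "^$" at HEADER. [uri ""]
[Thu Oct 27 14:05:26 2005] [error] [client 85.102.178.130] mod_security: Access denied with code 403. Pattern match "^$" at HEADER. [uri ""]
[Thu Oct 27 14:05:27 2005] [error] [client 85.102.178.130] mod_security: Access denied with code 403. Pattern match "^$" at HEADER. [uri ""]
[Thu Oct 27 14:05:28 2005] [error] [client 218.228.80.214] mod_security: Access denied with code 403. Pattern match "^$" at HEADER. [uri ""]
[Thu Oct 27 14:05:28 2005] [error] [client 218.228.80.214] mod_security: Access denied with code 403. Pattern match "^$" at HEADER. [uri ""]
"""

# Assumed addresses the server must never block: its own main IP, its two nameservers,
# and the datacenter's management range (constructed RFC 5737 documentation addresses).
PROTECTED = [ipaddress.ip_network(n) for n in
             ("192.0.2.10/32", "192.0.2.53/32", "198.51.100.53/32", "203.0.113.0/24")]

LINE_RE = re.compile(r"\[client (\d+\.\d+\.\d+\.\d+)\] mod_security: Access denied")


def count_clients(log_text):
    """Count mod_security denials per client IP in Apache error_log text."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            hits[m.group(1)] += 1
    return hits


def widen(ip, prefix_len):
    """Widen a single IP to its enclosing /prefix_len block, e.g. a.b.c.d -> a.b.0.0/16."""
    return ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)


def safe_to_deny(block, protected=PROTECTED):
    """False if the block contains anything the server itself depends on."""
    return not any(block.overlaps(p) for p in protected)


def deny_rules(counts, min_hits=3, prefix_len=32, protected=PROTECTED):
    """Return (rules, refused): deny lines (one IP or CIDR each) for clients with at least
    min_hits denials, and the blocks refused because they would cut off protected hosts."""
    rules, refused = [], []
    for ip, n in sorted(counts.items()):
        if n < min_hits:
            continue
        block = widen(ip, prefix_len)
        (rules if safe_to_deny(block, protected) else refused).append(str(block))
    return rules, refused


if __name__ == "__main__":
    print(deny_rules(count_clients(SAMPLE_LOG), min_hits=2, prefix_len=16))
```

Run it against a real error_log by reading the file into count_clients; anything that lands in the refused list is exactly the kind of block that would take your own nameservers offline.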
     
