server under attack need to stop now

In my opinion you should put in your firewall a rule to block all ips and let just one or two subnets such as the one from you and your customers(contry)

then you can narrow this down with more calm

your log seems to be in a different charset ?

if this DDOS is directly to apache you can turn apache off for a couple of time while you prepare your firewall

if the incoming mbits are more than 10 then you should contact your NOC or Datacenter to see if they can help with a packet nullifyer

regards

claudio

 

If you can't readily block via a mod_security rule you should at least try to see if blocking via IP helps at all. We had a attack a few months ago and only needed to block 20 IPs until we got control of it. Later on we came up with a better method but it's likely you can at least reduce impact from a small botnet with just ip rules for now.

 

you can fast install mod security manually

http://www.eth0.us/mod_security

regards

claudio

 

chrirpy's CSF/LFD will watch for multiple offending IPs in the mod_sec logs and block them for you at the IP level. It will block all access from those IPs. works great

 

that one has some goodeis in it it's almost as big as mine but this one has stuff in it that I am going to use. Nice find!!!

 

oldthread but ... how do I

Is it possible to have the server ignore an ip range?
We have a client that makes multiple requests to their own box...
some wget / lynx and a few others

is there a way to ignore their ip range for this?

generally most of our stuff use hardware firewalls but that is out of this clients budget
...

 

I would suggest installing DosEvasive module in Apache. It can be really helpful in such cases. You can find it here http://www.zdziarski.com/projects/mod_evasive/ .

 

dos_evasive mentioned can be useful, this script is a tad better though ... http://deflate.medialayer.com/ (configure it to allow 300 connections, anything over that from asingle IP will get blocked)

Mod-security would help, but if you don;t know if it is installed or working that's another issue, you could use the ruleset (with automated daily updates) at gotroot.com but they tend to be very anal and can cause more trouble. If you get mod_security installed there are some good rulesets out there, we are proactive and watch for errors that can be used to formulate new rulesets.

If you don't have a software firewall isntalled such as CSF then you have to get that done asap (its almost totally irresponsible not to), someone mentioned that CSF will block IPs that trigger mutliple mod_security triggers, but that is dependent on you having a decent of mod_sec rules in place. CSF can also help block DoS attacks as Dos-delfate does and dos_evasive is supposed to. You will need to have IPtables installed for CSF to work though.

There is nothing to stop you from using all of these at the same time, in fact it would be more prudent for you to do so.

The fact that you have implied uncertainties where your security is involved suggests that you really need to get a grip on that and learn what to install (rebuilding apache is not likely to help), how to configure it and what to do next (starting from your httpd and php configuration down to DoS protection and firewall). There are an awful lot of people running servers and VPSs poorly that cause the rest of us more trouble because they do not get to grips with their security. If you don't act now, you may end up with a highly compromised box or VPS which will cause you more hair loss than anything.

You didn't mention if you are running a deciate server or a VPS.

 

A server can, of course, ignore an IP range, or ignore faults from an IP range. If you mean ignore false errors from mod_security, CSF has a file csf.allow which you can list IPs in, or add to them with the command "csf -a IPADDRESS optional-comment-text"

Once an IP is allowed it will never be blocked by CSF, although CSF [actually LFD] will complain a little!

 

guys against real DDoS .. with ddos evasive .. mod security and all you want to install.. you will do nothing.. the box will bringing down again and the story will be repeated.

You must ask to your provider if they can configure and give you a Firewall hardware to mitigate this issues.


you cante rate limit your serivces ports.. will be decrease the attack but...if the ddos still continue and is really a ddos .. i recomend you go with a good provider with DDoS protections to deal whit this.

 

i second this.

a box cannot handle more than 20 000 ips blocked, and work properly. and when i mean a box, i am talking about a quad core2duo with 4 gb ram, so take it as a point of reference.

the max i could have it was 25 000 ips blocked, and the service to be somewhat normal. other than that ... you're offline. so ... isp + hardware firewall.