server under attack need to stop now

[fishfreek]

For the last 24 hours I have been fighting an apparent DOS attack on a domain I have hosted. This attack is calling for very strange URL's and I was using mod_security and I need to figure out a rule set that will block these requests.

Now I an somewhat unsure if mod_security is even installed and working now after I rebuilt apache last night.

The requests are multiple requests per second from multiple IP's. Seems like I could ban ips from now until next year with no help. The requests look like this.

/55555œœœœœ
/LLLLLŒŒŒŒŒ
/¥¥¥¥¥°°°°°
/AAAAAfffff
/¥¥¥¥¥°°°°°
/OOOOO HTT
/ìììììCCCCC
/ááááávvvvv HTTP/1.0
/RRRRR<<<<< HTTP/1.0
/WWWWWÓÓÓÓÓ HTTP/1.0
/OOOOO HTTP/1.0
/ËËËËË''''' HTTP/1.0
/&&&&&³³³³³ HTTP/1.0
/ÆÆÆÆÆ¡¡¡¡¡ HTTP/1.0
/ËËËËË HTTP/1.0
/ÐÐÐÐÐÈÈÈÈÈ HTTP/1.0
/¿¿¿¿¿..... HTTP/1.0
/"""""ÉÉÉÉÉ HTTP/1.0
/·····rrrrr HTTP/1.0
}}}}}³³³³³ HTTP/1.0
/00000hhhhh HTTP/1.0
/¥¥¥¥¥sssss HTTP/1.0
/SSSSS HTTP/1.0
/QQQQQÀÀÀÀÀ HTTP/1.0
/UUUUUÒÒÒÒÒ HTTP/1.0
/ÒÒÒÒÒ HTTP/1.0
/ÃÃÃÃÃ HTTP/1.0
/ÙÙÙÙÙ××××× HTTP/1.0

 

[claudio]

In my opinion you should put in your firewall a rule to block all ips and let just one or two subnets such as the one from you and your customers(contry)

then you can narrow this down with more calm

your log seems to be in a different charset ?

if this DDOS is directly to apache you can turn apache off for a couple of time while you prepare your firewall

if the incoming mbits are more than 10 then you should contact your NOC or Datacenter to see if they can help with a packet nullifyer

regards

claudio

 

[fishfreek]

Thank you for your response. I dont know if I can easily block al IP's other than my clients as they are all operating web services that need to be open to the entire US and internationally. The IP's that these calls are comming from do not appear to be from a single country either.

The charset that your describing is I guess from my initial message. That is exactly how the web requests appear in the apache status adn in the web logs itself. Here is another example

yourdomainhere.com GET http://yourdomainhere.com/›››››]]]]] HTTP/1.0

 

[nyjimbo]

If you can't readily block via a mod_security rule you should at least try to see if blocking via IP helps at all. We had a attack a few months ago and only needed to block 20 IPs until we got control of it. Later on we came up with a better method but it's likely you can at least reduce impact from a small botnet with just ip rules for now.

 

[claudio]

you can fast install mod security manually

http://www.eth0.us/mod_security

regards

claudio

 

[rpmws]

chrirpy's CSF/LFD will watch for multiple offending IPs in the mod_sec logs and block them for you at the IP level. It will block all access from those IPs. works great

 

[fishfreek]

I have mod_security working again but I dont understand enough about the ruleset to create a rule to block these requess. I see some of these requests being blocked at the mod_security level but they seem to only be requests where the % sign is repeated in the get request. all the other caracters that might be used dont get blocked so I dont know how to write the rule.

Im interested in chrirpy's CSF/LFD. I have apf firewall installed now and use the bfd service to monitor other logs and always wanted to somehow initergrate the bfd with the mod_security log. this CFS/LFD might work once I can figure out how to compose some mod_security rules.So far I have just the standard WHM/Cpanel supplied rules enabled.

 

[fishfreek]

I found this ruleset on line. Anyone think this would help or hurt?

http://nix101.com/mod_security.conf

 

[rpmws]

I found this ruleset on line. Anyone think this would help or hurt?

http://nix101.com/mod_security.conf

that one has some goodeis in it it's almost as big as mine but this one has stuff in it that I am going to use. Nice find!!!

 

[fishfreek]

It did seem to catch some more of those requests but not all of them. Indeed it seems to do alot an i plan on continuting to make sure its not to agressive.

 

[hostmedic]

oldthread but ... how do I

Is it possible to have the server ignore an ip range?
We have a client that makes multiple requests to their own box...
some wget / lynx and a few others

is there a way to ignore their ip range for this?

generally most of our stuff use hardware firewalls but that is out of this clients budget
...

 

[troxalias]

I would suggest installing DosEvasive module in Apache. It can be really helpful in such cases. You can find it here http://www.zdziarski.com/projects/mod_evasive/ .

 

[Tam]

dos_evasive mentioned can be useful, this script is a tad better though ... http://deflate.medialayer.com/ (configure it to allow 300 connections, anything over that from asingle IP will get blocked)

Mod-security would help, but if you don;t know if it is installed or working that's another issue, you could use the ruleset (with automated daily updates) at gotroot.com but they tend to be very anal and can cause more trouble. If you get mod_security installed there are some good rulesets out there, we are proactive and watch for errors that can be used to formulate new rulesets.

If you don't have a software firewall isntalled such as CSF then you have to get that done asap (its almost totally irresponsible not to), someone mentioned that CSF will block IPs that trigger mutliple mod_security triggers, but that is dependent on you having a decent of mod_sec rules in place. CSF can also help block DoS attacks as Dos-delfate does and dos_evasive is supposed to. You will need to have IPtables installed for CSF to work though.

There is nothing to stop you from using all of these at the same time, in fact it would be more prudent for you to do so.

The fact that you have implied uncertainties where your security is involved suggests that you really need to get a grip on that and learn what to install (rebuilding apache is not likely to help), how to configure it and what to do next (starting from your httpd and php configuration down to DoS protection and firewall). There are an awful lot of people running servers and VPSs poorly that cause the rest of us more trouble because they do not get to grips with their security. If you don't act now, you may end up with a highly compromised box or VPS which will cause you more hair loss than anything.

You didn't mention if you are running a deciate server or a VPS.

 

[brianoz]

Is it possible to have the server ignore an ip range?
We have a client that makes multiple requests to their own box...
some wget / lynx and a few others

is there a way to ignore their ip range for this?

generally most of our stuff use hardware firewalls but that is out of this clients budget
...

A server can, of course, ignore an IP range, or ignore faults from an IP range. If you mean ignore false errors from mod_security, CSF has a file csf.allow which you can list IPs in, or add to them with the command "csf -a IPADDRESS optional-comment-text"

Once an IP is allowed it will never be blocked by CSF, although CSF [actually LFD] will complain a little!

 

[IPSecureNetwork]

guys against real DDoS .. with ddos evasive .. mod security and all you want to install.. you will do nothing.. the box will bringing down again and the story will be repeated.

You must ask to your provider if they can configure and give you a Firewall hardware to mitigate this issues.


you cante rate limit your serivces ports.. will be decrease the attack but...if the ddos still continue and is really a ddos .. i recomend you go with a good provider with DDoS protections to deal whit this.

 

[katmai]

i second this.

a box cannot handle more than 20 000 ips blocked, and work properly. and when i mean a box, i am talking about a quad core2duo with 4 gb ram, so take it as a point of reference.

the max i could have it was 25 000 ips blocked, and the service to be somewhat normal. other than that ... you're offline. so ... isp + hardware firewall.