So, yeah, I'm being DDoS attacked right now. I've contacted my server staff; hell, I've even tried to IP-block the URL it was coming from (it's coming from one outside link). I've gotten about 700 page views in the last hour, from a multitude of different IPs, all from the same outside link. So what should I be doing? I'm rather new to this position, and any help before they manage to crash my site would be great! (Yes, I do have a backup for today, but that's irrelevant, lol; we're trying to rescue it right now.)
Go to your logs directory and type this command:

cut -d' ' -f1 access_log | sort | uniq -c | sort -rn | head

This will give you a list of the top ten IP addresses that have accessed your site. You will have to change access_log in the above command to whatever filename you have for today's log. If you have no log rotation and every day goes into the same file, then use this command:

grep "17/Oct/2008" access_log | cut -d' ' -f1 | sort | uniq -c | sort -rn | head

I don't know what your normal usage numbers look like, but if you normally get 1000 hits per day and you can see a single IP address with over 1000 hits, then it's probably part of the DDoS. If each user only requests one or two pages, then the users themselves are probably not malicious.

Hmmm... actually, if you are always getting the same referrer, then it's possible that it's actually more like a Slashdotting. Someone popular may have just linked to you and is now sending you more traffic than you can handle. Does the page actually have a link to your site on it?
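Worked version of the triage described in the reply above, added here as an example and not code from the thread. It wraps the same cut/sort/uniq pipeline in shell functions, adds a referrer breakdown (the referrer is the fourth double-quoted field of Apache's combined log format, which this assumes), and gives a rough single-IP-flood versus referral-spike verdict. The log lines, the documentation-range IPs, the referrer http://popular.example/thread/42, and the function names are all constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread: triage an Apache "combined" access log to
# separate a flood from one IP from a referral spike (many IPs, one referrer).
# The log lines below are constructed for this example (documentation IP
# ranges, a made-up referrer); SAMPLE_LOG and the function names are ours.
set -u

SAMPLE_LOG="${TMPDIR:-/tmp}/access_log.example.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
198.51.100.9 - - [17/Oct/2008:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.19"
198.51.100.9 - - [17/Oct/2008:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.19"
198.51.100.9 - - [17/Oct/2008:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.19"
198.51.100.9 - - [17/Oct/2008:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.19"
203.0.113.10 - - [17/Oct/2008:10:00:03 +0000] "GET /article.html HTTP/1.1" 200 4096 "http://popular.example/thread/42" "Mozilla/5.0"
203.0.113.11 - - [17/Oct/2008:10:00:03 +0000] "GET /article.html HTTP/1.1" 200 4096 "http://popular.example/thread/42" "Mozilla/5.0"
203.0.113.12 - - [17/Oct/2008:10:00:04 +0000] "GET /article.html HTTP/1.1" 200 4096 "http://popular.example/thread/42" "Mozilla/5.0"
203.0.113.12 - - [17/Oct/2008:10:00:05 +0000] "GET /style.css HTTP/1.1" 200 800 "http://example.org/article.html" "Mozilla/5.0"
203.0.113.13 - - [17/Oct/2008:10:00:05 +0000] "GET /article.html HTTP/1.1" 200 4096 "http://popular.example/thread/42" "Mozilla/5.0"
203.0.113.14 - - [16/Oct/2008:23:59:59 +0000] "GET /article.html HTTP/1.1" 200 4096 "http://popular.example/thread/42" "Mozilla/5.0"
EOF

# Top client IPs by request count, the thread's own pipeline; an optional
# second argument restricts it to one day of an unrotated log (e.g. 17/Oct/2008).
top_ips() {
    log=$1; day=${2:-}
    if [ -n "$day" ]; then
        grep -F "$day" "$log" | cut -d' ' -f1 | sort | uniq -c | sort -rn | head
    else
        cut -d' ' -f1 "$log" | sort | uniq -c | sort -rn | head
    fi
}

# Top referrers: in combined format the referrer is the 4th double-quoted field.
top_referrers() {
    awk -F'"' '{print $4}' "$1" | sort | uniq -c | sort -rn | head
}

# Requests per IP that carried a given referrer: one or two each means readers
# following a link; hundreds from one IP means something else.
per_ip_from_referrer() {
    grep -F "\"$2\"" "$1" | cut -d' ' -f1 | sort | uniq -c | sort -rn
}

# IPs at or above a hit threshold: candidates for a firewall block. This only
# prints them; feeding them to iptables/APF is a separate, deliberate step.
block_candidates() {
    cut -d' ' -f1 "$1" | sort | uniq -c | awk -v t="$2" '$1+0 >= t+0 {print $2}'
}

# Rough verdict: a single IP at or above the threshold looks like a flood from
# that source; otherwise, if one referrer accounts for at least half of all
# hits, it looks like a referral spike (a popular page just linked to the site).
classify() {
    log=$1; threshold=$2
    total=$(wc -l < "$log" | tr -d ' ')
    max_ip=$(cut -d' ' -f1 "$log" | sort | uniq -c | sort -rn | head -1 | awk '{print $1}')
    top_ref_hits=$(awk -F'"' '$4 != "-" {print $4}' "$log" | sort | uniq -c | sort -rn | head -1 | awk '{print $1}')
    if [ "${max_ip:-0}" -ge "$threshold" ]; then
        echo "flood-from-single-ip"
    elif [ $(( ${top_ref_hits:-0} * 2 )) -ge "$total" ]; then
        echo "referral-spike"
    else
        echo "inconclusive"
    fi
}

echo "== top IPs on 17/Oct/2008 =="; top_ips "$SAMPLE_LOG" 17/Oct/2008
echo "== top referrers =="; top_referrers "$SAMPLE_LOG"
echo "== hits per IP via the popular referrer =="; per_ip_from_referrer "$SAMPLE_LOG" http://popular.example/thread/42
echo "== verdict at 1000 hits/day =="; classify "$SAMPLE_LOG" 1000
echo "== block candidates at 4 hits =="; block_candidates "$SAMPLE_LOG" 4
```

On the constructed log the verdict at a realistic threshold is a referral spike (five different IPs, one or two hits each, one shared referrer), while dropping the threshold to 4 flags the single noisy IP instead; the threshold has to come from what the site's normal daily numbers look like, as the reply says.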
Yeah, it does. I thought it was a DDoS because I was getting 2-3 page views per second. As far as I know, that site wasn't busy around that time (their admin and I spoke).
Try installing APF and DDoS Deflate; they work great for DDoS attacks. Please check this site to see how to install APF and DDoS Deflate.
Does your datacenter have any type of DDoS firewall system in place, such as a Cisco Guard firewall? Your datacenter may have one of these, and they may offer to put your server behind one of these firewalls for 24 hours or so to help mitigate the DDoS attack. If the attack is a true DDoS (Distributed DoS) attack, then there's not going to be a whole lot you can do from the server point of view. You will end up blocking too many IP addresses with iptables, and then your iptables ruleset will get too large and begin degrading server performance. It is best to tackle this from the network point of view and stop the attack from ever reaching your server.
Well, this is a shared server (being a college student, it's all I can afford, lol), so I'm not sure what my host has defense-wise. I haven't had a problem since, though.
Hello ksb2050, Not sure if your shared server runs Apache, but you might want to check out mod_security. It's a web application firewall that might help to deflect or halt this type of attack.
I recommend getting a server at theplanet or softlayer; they can apply Cisco Guard if you get attacked, and Cisco Guard really helps.
Ask the server staff to install APF and, every 5-10 minutes, block the IP that is doing the attack. In fact, there is no foolproof solution for DDoS.
Most routers today come with a decent firewall that can ensure DDoS attacks are blocked. If you have a good hardware router, you just need to log in to the interface and ensure that the basic NAT firewall in it is turned on. I mention this since you said that you are a college student and may not be in a position to spend much on security. If you can shell out some money, then go for a good gateway firewall from Cisco or Sonic Wall.