Hello,

My server has been under attack for the last 2 days. I have contacted the Softlayer team but the problem was not solved. Here is what I'm facing. When I use the command

netstat -plan|grep :80|awk {'print $5'}|cut -d: -f 1|sort|uniq -c|sort -nk 1

there is no IP that has many connections established. But when I use the command

netstat -plan | grep :80 | awk '{print $4 }' | sort -n | uniq -c | sort

here is what I get:

[root@server ~]# netstat -plan | grep :80 | awk '{print $4 }' | sort -n | uniq -c | sort
      1 0.0.0.0:80
    191 (first IP, which is a shared IP, I mean it has many sites on it)
    988 (here is the IP under attack, only one main site on it)

As you see, the second one seems to be under attack; the connections even reached 2000, it's very much up and down. Now the point is: why doesn't the first command show which IP is making that many connections? Also, I'm running DDoS Deflate and CSF. I will also let you people know that the Softlayer team null-routed the IP for some time, but the problem was not solved. Please guide me. Regards.
Install Modsec and also ask your upstream to block the DDoS IPs; I think that is about the only thing you can do.
Here is what I get:

[root@server ~]# netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
1
1 116.71.162.13
1 117.96.119.250
1 122.163.145.67
1 122.164.82.197
1 122.54.253.72
1 123.133.15.30
1 195.229.235.39
1 195.229.236.214
1 195.93.21.1
1 195.93.21.105
1 195.93.21.42
1 202.142.145.18
1 210.150.10.109
1 210.173.180.157
1 217.197.243.137
1 219.64.175.134
1 221.233.250.144
1 222.127.223.74
1 41.219.189.2
1 60.54.111.100
1 74.6.18.236
1 80.84.120.242
1 82.207.74.62
1 85.185.84.130
1 86.96.226.86
1 86.96.226.88
1 86.96.227.89
1 86.96.228.89
1 86.96.229.85
1 86.96.229.87
1 86.96.229.89
1 88.232.218.140
1 92.3.8.57
1 Address
1 servers)
2 119.152.252.62
2 122.160.18.44
2 122.166.88.60
2 124.124.171.235
2 125.162.169.254
2 195.93.21.35
2 202.53.8.51
2 203.98.112.189
2 38.98.19.67
2 74.6.8.105
3 116.71.74.208
3 123.239.17.28
3 124.29.231.212
3 125.162.42.144
3 125.20.82.135
3 195.229.237.37
3 202.125.143.76
3 59.103.155.65
3 59.164.32.40
3 59.92.71.24
3 71.189.207.249
3 74.6.17.179
3 86.96.226.84
3 91.124.109.184
4 196.218.253.133
4 59.93.171.25
4 66.249.65.11
4 66.249.66.114
4 77.247.174.103
5 117.96.32.81
5 118.94.101.163
5 121.96.212.160
5 127.0.0.1
5 202.148.22.131
5 38.98.19.66
5 38.98.19.68
6 117.200.160.237
6 119.30.65.232
6 195.229.235.36
6 218.208.246.209
7 119.152.252.113
7 212.62.97.21
7 41.221.16.217
7 78.59.192.230
7 78.86.116.39
8 71.49.166.226
10 121.246.205.238
10 61.8.73.27
10 85.236.143.227
11 116.71.217.13
11 121.247.21.176
11 125.164.252.242
13 122.164.175.113
13 59.164.101.143
14 122.168.221.130
14 217.219.226.194
15 61.68.35.71
16 218.248.65.82
17 124.217.84.180
18 202.125.143.77
19 59.99.80.252
20 88.241.148.37
24 220.245.180.139
25 59.95.21.78
30 210.4.56.80
48 125.163.74.72

If you look, there is no IP that is creating a large number of connections.
But when I use the command

netstat -plan | grep :80 | awk '{print $4 }' | sort -n | uniq -c | sort

it shows that the IP under attack has 1000 connections. I can't understand why that doesn't show up in the above command, i.e.

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
Well, how should I see which IP is attacking? The command netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n doesn't show any IP with a large number of connections. Do you mean mod_security? If yes, I have it already.
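The two commands compared in this thread group the same netstat rows by different columns: column 4 is the local address (which vhost IP the clients are talking to), column 5 is the foreign address (who is talking). A high count under column 4 with no standout under column 5 means the connections to that one local IP are spread over many remote hosts, and the stray "Address" and "servers)" entries come from netstat's two header lines being counted along with the data. The script below is an added example, not something posted in the thread; it runs the two groupings and a per-state count over a constructed netstat -plan sample (RFC 5737 documentation addresses) so the views can be read side by side. It strips the port by removing the last ":..." rather than with cut -d: -f1, which turns an IPv6-mapped address such as ::ffff:192.0.2.1:80 into an empty string.

```shell
#!/bin/sh
# Added example (not from the original thread): group `netstat -plan` rows
# for port 80 by local address, by remote address and by TCP state.

# Constructed sample of `netstat -plan` output. The addresses are
# documentation ranges (RFC 5737), not real hosts.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/httpd
tcp        0      0 203.0.113.10:80         198.51.100.7:51234      ESTABLISHED 1234/httpd
tcp        0      0 203.0.113.10:80         198.51.100.7:51235      ESTABLISHED 1234/httpd
tcp        0      0 203.0.113.10:80         198.51.100.7:51236      SYN_RECV    -
tcp        0      0 203.0.113.10:80         192.0.2.44:40001        ESTABLISHED 1234/httpd
tcp        0      0 203.0.113.11:80         192.0.2.45:40002        ESTABLISHED 1234/httpd
tcp        0      0 203.0.113.10:80         192.0.2.46:40003        TIME_WAIT   -
udp        0      0 0.0.0.0:123             0.0.0.0:*                           999/ntpd'

# Keep only TCP rows whose *local* side is port 80. This drops the LISTEN
# socket and the two header lines, which is where the "Address" and
# "servers)" entries in a plain `grep | cut` pipeline come from.
port80_rows() {
    awk '$1 ~ /^tcp/ && $4 ~ /:80$/ && $6 != "LISTEN"'
}

# Count rows by the IP part of one column ($4 = local, $5 = foreign).
# The port is removed by stripping the final ":..." so that IPv6-mapped
# addresses keep their host part. Output: "<count> <ip>", busiest first.
count_by_ip() {
    awk -v col="$1" '{ ip = $col; sub(/:[^:]*$/, "", ip); n[ip]++ }
                     END { for (ip in n) print n[ip], ip }' |
        sort -k1,1nr -k2,2
}

# The two views compared in the thread.
by_local_ip()  { port80_rows | count_by_ip 4; }
by_remote_ip() { port80_rows | count_by_ip 5; }

# Per-state counts: many SYN_RECV with few ESTABLISHED reads differently
# from many ESTABLISHED connections to a single vhost.
by_state() {
    port80_rows | awk '{ n[$6]++ } END { for (s in n) print n[s], s }' |
        sort -k1,1nr -k2,2
}

# Stand-alone run over the constructed sample. On a live box replace the
# printf with: netstat -plan | by_local_ip  (and likewise for the others).
echo "== connections per local (vhost) IP =="
printf '%s\n' "$SAMPLE_NETSTAT" | by_local_ip
echo "== connections per remote IP =="
printf '%s\n' "$SAMPLE_NETSTAT" | by_remote_ip
echo "== connections per TCP state =="
printf '%s\n' "$SAMPLE_NETSTAT" | by_state
```

In the sample, the local view reports 5 connections to 203.0.113.10 while the remote view's top entry is only 3, which is exactly the mismatch the thread is asking about: the local total is the sum over all remote hosts, so it can be large even when no single remote host stands out. Comparing the SYN_RECV and TIME_WAIT counts against ESTABLISHED gives a second clue about what kind of load it is before reaching for a firewall rule.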
[root@server ~]# netstat -ntu | grep :80 | wc -l
980
[root@server ~]# netstat -s | grep "established"
    141 connections established

No, I don't have mod_evasive installed.
That doesn't seem bad at all; if it's a DoS, it's probably just a few IPs making a whole lot of requests. 141 concurrent is pretty typical. Do you have a software firewall installed (i.e. APF or CSF)? Hardened TCP settings?
My problem has been sorted out, so I feel it's important to update this thread. Actually the problem was caused because mod_security was not properly installed. I reinstalled it and within a few minutes it started blocking IPs. Everything seems to be perfect now. -Regards.