Thursday, 9 August 2012

DDOS ATTACK

QUICK SOLUTION TO DOS ATTACK
==========================
‘Checklist for a DoS attack’

1. How to detect a DoS attack on the server
# pidof httpd

If the command above returns more than 5 PIDs, you can suspect a DoS attack on the server.

2. Run the following command to confirm the DoS attack (it counts the connections on port 80 per remote IP, fewest first).

netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk 1

You will see a high number of connections from different IPs.

3. Now find out which domain the DoS attack is targeting.
cd /usr/local/apache/domlogs/
ls -ltr | tail -50

(ls -ltr sorts the access logs by modification time, so the last 50 lines are the domains whose logs were written most recently, i.e. the ones currently receiving the most traffic.)

4. Now run the following command to see which IPs are hitting that particular domain (the first field of each log line is the client IP).
tail -f domainname | awk '{print $1}'

5. If the hits come from the same IP, block only that IP. If they come from different IP ranges, suspend the account or block the IP ranges.
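As an added example (not code from the original post), the per-IP hit count from steps 4 and 5 run over a constructed sample access log, together with the iptables rule from the "Blocking IPs" section printed for review rather than executed. The function names, the log lines and the IP addresses are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the original post: count requests per client
# IP in an Apache access log (field 1 of the combined log format) and report
# the IPs above a threshold. The log lines and the IPs are constructed
# (RFC 5737 documentation ranges), so this runs offline.

# top_hitters LOGFILE THRESHOLD
# Prints "count ip" for every client IP with more than THRESHOLD requests,
# most active first.
top_hitters() {
    awk '{ hits[$1]++ }
         END { for (ip in hits) if (hits[ip] > thr) print hits[ip], ip }' \
        thr="$2" "$1" | sort -rn
}

# block_rules LOGFILE THRESHOLD
# Emits, without running it, the iptables rule the post uses for each
# offending IP so an operator can review the list before applying it.
block_rules() {
    top_hitters "$1" "$2" | while read -r count ip; do
        echo "iptables -I INPUT -s $ip -j DROP   # $count requests"
    done
}

# Writes a constructed sample log: 198.51.100.7 makes 6 requests,
# 203.0.113.9 makes 2 and 203.0.113.5 makes 1. Prints the file name.
make_sample_log() {
    f=$(mktemp)
    i=0
    while [ "$i" -lt 6 ]; do
        printf '198.51.100.7 - - [09/Aug/2012:10:00:%02d +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"\n' "$i"
        i=$((i + 1))
    done > "$f"
    printf '203.0.113.5 - - [09/Aug/2012:10:01:00 +0000] "GET / HTTP/1.1" 200 128 "-" "curl/7.26"\n' >> "$f"
    printf '203.0.113.9 - - [09/Aug/2012:10:01:01 +0000] "GET /a HTTP/1.1" 200 128 "-" "curl/7.26"\n' >> "$f"
    printf '203.0.113.9 - - [09/Aug/2012:10:01:02 +0000] "GET /b HTTP/1.1" 200 128 "-" "curl/7.26"\n' >> "$f"
    echo "$f"
}

# Usage: in real use point top_hitters at /usr/local/apache/domlogs/<domain>.
LOG=$(make_sample_log)
top_hitters "$LOG" 5      # prints: 6 198.51.100.7
block_rules "$LOG" 5
rm -f "$LOG"
```

The threshold is deliberately a parameter: on a busy site a single legitimate proxy or NAT gateway can exceed a low value, so compare the count against the domain's normal traffic before blocking.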
================================
HOW CAN A DDOS ATTACK BE PREVENTED
=================================
Step 1 : Install a firewall
a) If no firewall is installed on the server, install one. Steps and directions are available at the following site.

http://www.webhostgear.com/61.html

b) Turn on the anti-DoS option (USE_AD) in the APF configuration file (conf.apf is sourced by the shell, so the value is quoted with no spaces around "=").
# vi /etc/apf/conf.apf
USE_AD="1"

Step 2 : Install/Configure mod_evasive (for Apache 1.3.x)
mod_evasive and mod_dosevasive are the same module.

a) Install mod_evasive
# wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
# tar -xzvf mod_evasive_1.10.1.tar.gz
# cd mod_evasive
# /usr/local/apache/bin/apxs -i -a -c mod_evasive.c
# /etc/init.d/httpd restart

b) Also add the following lines to the Apache configuration file
# vi /usr/local/apache/conf/httpd.conf
------------------------------------
<IfModule mod_evasive.c>
DOSHashTableSize    3097
DOSPageCount        2
DOSSiteCount        50
DOSPageInterval     1
DOSSiteInterval     1
DOSBlockingPeriod   10
</IfModule>
------------------------------------

c) Restart the web server
# /etc/init.d/httpd restart

Step 3 : Install mod_security
Normally this module can be found and installed from WHM:
WHM >> cPanel >> Addon Modules >> select “modsecurity” >> Save

Step 4 : Blocking IPs
a) Find the IPs that have established connections with the server
(The following command is the better one for getting the IPs, as it sorts them by number of connections.)

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

b) Block them using iptables
# iptables -I INPUT -s IPADDRESS -j DROP
# service iptables save
# service iptables restart

c) Block them in APF too
# vi /etc/apf/deny_hosts.rules
<add the IPs at the end of the file>
# service apf restart

Step 5 : Optimizing the httpd.conf file

# vi /usr/local/apache/conf/httpd.conf
Change the options below as follows; the original values are shown in brackets.
MaxKeepAliveRequests 50 (100)
KeepAliveTimeout 60 (30)

Also adjust the following options according to the situation.
Timeout
KeepAlive
MinSpareServers
MaxSpareServers
MaxClients

Step 6 : Install/Configure 3rd party DDOS prevention tools
We can also use the widely trusted third-party script ‘DDoS-Deflate’ to prevent DDoS attacks effectively.
The steps to install this script are as follows.

# wget http://www.inetbase.com/scripts/ddos/install.sh
# sh install.sh

Add the script ‘/usr/local/ddos/ddos.sh’ to cron so that it runs every 5 minutes.
# crontab -e
*/5 * * * * /usr/local/ddos/ddos.sh >/dev/null 2>&1

Step 7 : Suspend websites

Check the bandwidth usage of all domains and suspend the domains consuming the most bandwidth for a while.

PERMANENT WAY TO FIX THE DDOS ATTACK
=================================
As we all know, software has its own limitations in preventing DDoS attacks, so we can follow these steps to cure it permanently.

1. Ask the NOC to attach a Cisco Guard to the server for 24 hours (normally this service is free from most NOCs).

2. Attach a hardware firewall to the server.
Hope this helps you in such a situation.
