About twelve years ago, I worked for a rather large regional Internet Service Provider as the Systems Administrator.  My primary role as Systems Admin was to make sure that our fleet of equipment was in tip-top shape.  One night, while backing up our customer service team, I sat in a cubicle waiting for folks to call in with various Internet technical problems.  In between phone calls, I spent my time reading about a new kind of computer hack called a DDoS attack.  Back then, it seemed that only the big boys like Microsoft and AOL were getting hit by these kinds of attacks.  Today, just about any server or computer connected to the Internet is vulnerable to DDoS attacks.

What is DDoS
Before one can stop a DDoS attack, one must know what DDoS is.  “A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users…One common method of attack involves saturating the target (victim) machine with external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable (Source:  Wikipedia).”

My VPS Server is under DDoS Attack, now what?

Why do you suspect that your server is under DDoS attack?  One possible sign is that your server is running very sluggish for no apparent reason.  Another possible sign is that your server has hundreds upon hundreds of Apache child processes open.

The following is a useful command that you can use to check and see if your server is under DDoS attack:
(Run this command by logging into your server as root)

netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

The above command lists the remote IPs connected to the server, with a connection count for each, least to most.  The following is a sample output of the above command:

1 192.168.0.1
1 192.168.0.2
5 192.168.0.10
8 192.168.0.24
9 192.168.0.25
15 192.168.0.26
25 192.168.0.27
30 192.168.0.29
39 192.168.0.32
100 192.168.0.50
210 192.168.0.55
359 192.168.0.31

In most cases, there is no reason for one individual IP address to be connected to your server 100, 210, or even 359 times!  So let's block these IPs from accessing your server.
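As an added example (not part of the original post), here is a small shell script that does the same per-IP count as the one-liner above but skips LISTEN sockets and wildcard peers, keeps IPv6 peers intact (the `cut -d: -f1` in the one-liner truncates them at the first colon), and flags every IP over a threshold you choose.  It runs against constructed sample netstat output so you can try it offline; in production you would pipe `netstat -anp` into it instead.

```shell
#!/bin/sh
# Added example (not from the original post): count connections per remote IP
# from netstat-style output and flag the IPs above a threshold.
# Live usage would be:  netstat -anp | flag_ips_over 100

# Constructed sample, standing in for `netstat -anp` on a busy web server.
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/httpd
tcp        0      0 10.0.0.5:80             192.168.0.55:51001      ESTABLISHED 1234/httpd
tcp        0      0 10.0.0.5:80             192.168.0.55:51002      ESTABLISHED 1234/httpd
tcp        0      0 10.0.0.5:80             192.168.0.55:51003      SYN_RECV    -
tcp        0      0 10.0.0.5:80             192.168.0.10:40001      ESTABLISHED 1234/httpd
tcp6       0      0 2001:db8::5:80          2001:db8::99:60001      ESTABLISHED 1234/httpd
tcp6       0      0 2001:db8::5:80          2001:db8::99:60002      ESTABLISHED 1234/httpd
udp        0      0 0.0.0.0:53              0.0.0.0:*                           999/named'

# Print "count ip" for every remote address on stdin, lowest count first.
# Only tcp/udp rows are considered; LISTEN sockets and the "*" wildcard peer
# are ignored. The port is stripped after the LAST colon, so an IPv6 address
# (which itself contains colons) survives where `cut -d: -f1` would cut it.
count_remote_ips() {
  awk '$1 ~ /^(tcp|udp)/ && $6 != "LISTEN" && $5 !~ /:\*$/ {
         ip = $5; sub(/:[0-9]+$/, "", ip); n[ip]++
       }
       END { for (ip in n) print n[ip], ip }' | sort -n
}

# Keep only the IPs with more than $1 connections (worst offender last).
flag_ips_over() {
  count_remote_ips | awk -v limit="$1" '$1 > limit { print $1, $2 }'
}

# Demo on the constructed sample: anything with more than 2 connections.
printf '%s\n' "$SAMPLE" | flag_ips_over 2
```

Review the flagged list before denying anything: a NAT gateway or a proxy in front of many real users will legitimately show a high count.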

Firewall protection for cPanel Servers

Now that your server has firewall protection, let's learn how to block the above IPs that are connecting to your server more than 100 times.

  • How to Block an IP using CSF Firewall
    Log in to WHM using your root password.  In the left-hand menu pane, scroll down to "ConfigServer Security & Firewall."  A new page will load.  Look for the section that reads "Quick Deny."  Enter the first IP that you'd like to block in the text field and click "Quick Deny."  This IP address will be added to the blocked list instantly.  If you're comfortable with the command line interface, you can always enter the command "csf -d 10.10.10.10".  Of course, make sure to replace 10.10.10.10 with the IP address you're trying to block.
  • How to Block an IP using APF Firewall
    Blocking an IP with APF Firewall requires you to be logged in to the server via SSH.
    1.  Go to the APF directory (typically cd /etc/apf).
    2.  Edit the file deny_hosts.rules (nano deny_hosts.rules).
    3.  Add the IP that you'd like to block to the list.  Remember to save the file when finished.
    4.  Reload APF Firewall by typing the command apf restart.

If you're still experiencing difficulty after blocking the offending IPs using a software-based firewall application, it might be time to call for help.  In my experience, most hosting companies are more than willing to help you get rid of pesky DDoS attacks.  However, not all data centers are ready to simply block traffic from flowing through their pipes.  It might cost you a few pennies, but consider adding a hardware firewall to the mix.  Another thing to try is to install a script that will automagically search for offending IPs.  Click here for an example of such a script.

If you’re a ReadyWire customer and would like some one-on-one assistance, please do not hesitate to open a support ticket by visiting https://secure.readywire.com/.  If you would like to learn how to become a ReadyWire customer, please visit our home page.

Rick Hall
Senior VP of Operations
ReadyWire Multimedia Solutions

6 Responses to “How to Stop a DDoS Attack”

  1. Johny Says:

    Perfect!  Nice how-to, and thanks! ;)

  2. Map007 Says:

    Hi,

    Nice tutorial!!!

  3. Ruud Says:

    Hey, I've got a question. I am from Holland (Europe).

    A friend of mine is having problems. He is a member of a site, and recently, from his IP, someone or something did a DDoS attack on the site he is a member of.
    He wasn't home, but his PC was running. When he came home he got a mail that his IP sent 23000 requests in 1 hour. But my friend was not home at that time. Now he got banned and a lawsuit is awaiting him.

    But how this happened, me and my friend don't know. I am good at overclocking, building and modding and some basic Windows stuff, same as my friend. How can he tell or find out what's happening from his IP? It's not him; even MSN mail is not okay: when he is at work, people see him come online and go again.
    I am totally lost; this goes beyond my skills. Can someone help me please?
    I've got a HijackThis log I made; some tell me to post it, but I don't know what to look for.

  4. Ruud Says:

    The log is bigger than I can post in full; if you want, I can mail it.
    Sorry for that, and also sorry for the crappy English writing. I can speak it, but writing sometimes sucks.

  5. Bryce Richardson Says:

    Hi Ruud,

    What a mess! I'm sorry to hear what you and your friend are going through. Your best bet is going to be to run a basic virus scan on your computer to ensure that it's not infected with anything. All in all, it may not even be a bad idea to consider reloading Windows on your computer.

    Best of luck!

  6. Jake Says:

    If it is a wireless connection to the Internet, then someone could be on that IP using a different computer.
