Strange DDoS attack
I'm having a strange DDoS attack launched against me. I was having a lot of attacks but my lsws/csf/synd config was always successfully blocked them.
Here is the problem. Via SSH I'm seeing about 100 ip's connected to the server, each of them has max 3 connections to the server(mostly only 1).
My lsws conf:
Static Requests/second: 10
Dynamic Requests/second: 2
Outbound Bandwidth (bytes/sec) 4k
Inbound Bandwidth (bytes/sec) 1k
Connection Soft Limit: 20
Connection Hard Limit: 40
Grace Period (sec) 100
Banned Period (sec): 5000
Max Connections: 1000
Connection Timeout (secs): 15
Max Keep-Alive Requests: 100
Smart Keep-Alive: No
Keep-Alive Timeout (secs): 5
Send Buffer Size (bytes): 0
Receive Buffer Size (bytes): 0
CSF is configured to block each IP with more than 30 connections to the server, synd(by nix101.com) is configured to block each IP with more than 10 SYN_RECV connections but it fails to block the DDoA attack which I'm getting in the last 3 days.
Most of IP addresses are unregistered, I checked at ripe.net and it says 1ANA, does it means an IP is unregistered. How could I block all 1ANA ip's?
Also, I'm not using mod_security at this time. Do I need to install mod_security and then add it into lsws/via lsws admin panel) or lsws has already mod_sec installed so I can just add it into lsws admin panel? All my vHosts are in lsws(not httpd.conf). What mod_security config should I use to block all connections from blank user-agents? If not mod_sec, is there a way to I can block them via htaccess?
I hope I will get some help here, this attacks makes me crazy already.
For this kind attack, each IP will not hit the limit in order to ban it.
you may have to do some access log analysis.
Say, find and block top 'n' IPs that access the same URL in the last 'n' minutes.
What's about mod_securing and blocking blank user agents?
How I can use mod_security with lsws(without apache and httpd.conf)?
A friend of mine got an interesting idea and I would like to know is it possible?
If I put the password at /home/mysite/public_html, would DDoS attack still affect it? Could someone confirm it?
To stop a DDoS attack, you have to some how identify the source of the attack, and block them at firewall.
|All times are GMT -7. The time now is 06:08 AM.|