LiteSpeed Support Forums > LiteSpeed Web Server > General > DDoS Question
#21  07-01-2009, 12:07 AM
grniyce (Senior Member; Join Date: Jan 2009; Posts: 52)
If you look at the mod_security log, it should tell you what is being blocked. Perhaps you can paste the security alert here. Otherwise you'll need to do what I did, and that's searching through each mod_sec document in "modsecurity" and "modsecurity.d" and search for the text, kinda like when you do an edit in vB ya know? Find that text and depending upon the usage of it, you can alter the rule or remove it entirely if it's something like a blacklist. Nothing is perfect for all environments, but what I posted is for a WHM/cPanel environment. With DA I'm not sure how it compiles Apache, and what options you have and so forth. By process of elimination you can most of the time tweak the rule.

Last edited by grniyce; 07-01-2009 at 12:10 AM..
#22  07-01-2009, 09:46 AM
-KaaL- (Member; Join Date: Jun 2009; Posts: 26)
Quote: Originally Posted by grniyce
If you look at the mod_security log, it should tell you what is being blocked. Perhaps you can paste the security alert here. Otherwise you'll need to do what I did, and that's searching through each mod_sec document in "modsecurity" and "modsecurity.d" and search for the text, kinda like when you do an edit in vB ya know? Find that text and depending upon the usage of it, you can alter the rule or remove it entirely if it's something like a blacklist. Nothing is perfect for all environments, but what I posted is for a WHM/cPanel environment. With DA I'm not sure how it compiles Apache, and what options you have and so forth. By process of elimination you can most of the time tweak the rule.
The problem that I face is that every time I google, what I get is for cPanel/WHM, not much for DA.
So I'm also like you, all alone, the hard way.
Still learning something or the other each day.

Code:
===============================================
THIS IS THE FIRST TYPE ...
===============================================

POST /newreply.php?do=postreply&t=758 HTTP/1.1
Host: somedomain.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://somedomain.com/showthread.php?p=59668
Cookie: [Cookie....]
Content-Type: application/x-www-form-urlencoded
Content-Length: 382
-----------------------------------------------
HTTP/1.1 403 Forbidden
-----------------------------------------------
Message: [client <CLIENT.IP.ADDRESS>] mod_security: Access denied with code 403, [Rule: 'REQUEST_URI|ARGS|ARGS_NAMES|!ARGS:verbiage|!ARGS:news|!ARGS:/^wz/|!ARGS:tiny_vals|!ARGS:sSave|!ARGS:/article/|!ARGS:/about/|!ARGS:/Summarize/|!ARGS:/^product_options/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:/edit/|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:navig|!ARGS:preview__hidden|!ARGS:/page/|!ARGS:order|!ARGS:/post/|!ARGS:youtube|!ARGS:reply|!ARGS:business|!ARGS:/homePage/|!ARGS:pagimenu_inhoud|!ARGS:/note/|!ARGS:Post|!ARGS:/^field_id/|!ARGS:area|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:/desc/|!ARGS:ta|!ARGS:/data/|!ARGS:Returnid|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:rt_xformat|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/submit/|!ARGS:/css/|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/^doc/|!ARGS:/xml/|!ARGS:tekst|!ARGS:formsubmit|!ARGS:invoice_snapshot|!ARGS:/code/|!ARGS:submit|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/footer/|!ARGS:/header/|!ARGS:/link/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/url/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/' '(< ?(?:script|about|applet|activex|chrome).*(?:script|about|applet|activex|chrome) ?>|> ?< ?(img ?src|a ?href) ?= ?(ht|f)tps?:/|\" ?> ?<|\" ?[a-z]+ ?<.*>|> ?\"? ?(>|<)|< ?/?i?frame)'] [severity "WARNING"]

===============================================
2nd ERROR TYPE
===============================================

GET /some/image/sample.gif HTTP/1.1
Host: <CLIENT.IP.ADDRESS>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.somedomain.com.com/index.php?showtopic=19815
Cookie: <COOKIE>
------------------------------------------------
HTTP/1.1 400 Bad Request
------------------------------------------------
Message: [<CLIENT.IP.ADDRESS>] mod_security: Access denied with code 400, [Rule: 'REQUEST_HEADERS:Host' '^[\d\.]+$'] [ID "960017"] [Msg "Host header is a numeric IP address"] [severity "CRITICAL"]
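An added example, not code from the thread: a small Python parser for mod_security "Access denied" messages like the two pasted above, which tallies which rule fires and from which client IPs (the "read the log first" step grniyce describes in #21), plus a lookup of a rule ID in ModSecurity 2.x SecRule configuration text. The sample messages and the config excerpt are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of the two mod_security messages quoted
# above; the long ARGS exclusion list of the first rule is shortened here.
SAMPLE_MESSAGES = [
    r"""Message: [client 203.0.113.10] mod_security: Access denied with code 403, [Rule: 'REQUEST_URI|ARGS|ARGS_NAMES|!ARGS:reply' '(< ?(?:script|about|applet|activex|chrome).*|< ?/?i?frame)'] [severity "WARNING"]""",
    r"""Message: [203.0.113.11] mod_security: Access denied with code 400, [Rule: 'REQUEST_HEADERS:Host' '^[\d\.]+$'] [ID "960017"] [Msg "Host header is a numeric IP address"] [severity "CRITICAL"]""",
    r"""Message: [203.0.113.11] mod_security: Access denied with code 400, [Rule: 'REQUEST_HEADERS:Host' '^[\d\.]+$'] [ID "960017"] [Msg "Host header is a numeric IP address"] [severity "CRITICAL"]""",
    "Message: unrelated audit-log line that must be ignored",
]

MSG_RE = re.compile(
    r"Message: \[(?:client )?(?P<ip>[^\]]+)\] mod_security: Access denied with code (?P<code>\d+), "
    r"\[Rule: '(?P<target>[^']*)' '(?P<pattern>.*?)'\]"
    r"(?: \[ID \"(?P<id>\d+)\"\])?"      # optional: the first rule above has no ID
    r"(?: \[Msg \"(?P<msg>[^\"]*)\"\])?"  # optional for the same reason
    r" \[severity \"(?P<sev>\w+)\"\]"
)

def parse_denials(lines):
    """Return a dict of fields for every line that parses as a denial."""
    return [m.groupdict() for m in map(MSG_RE.search, lines) if m]

def rule_label(rec):
    """Rules without an ID are labelled by target plus the start of the pattern."""
    return rec["id"] or f"{rec['target']} {rec['pattern'][:30]}"

def summarize(lines):
    """Counts per rule (which rule to tune) and per client IP (who trips it)."""
    recs = parse_denials(lines)
    return Counter(map(rule_label, recs)), Counter(r["ip"] for r in recs)

# Constructed excerpt in ModSecurity 2.x SecRule syntax (not a real CRS file),
# to show locating the definition of a rule by the ID printed in the log.
SAMPLE_CONF = """\
SecRule REQUEST_HEADERS:User-Agent "^$" "deny,log,status:403,id:960009"
SecRule REQUEST_HEADERS:Host "^[\\d\\.]+$" "deny,log,status:400,id:960017,msg:'Host header is a numeric IP address'"
"""
SECRULE_ID_RE = re.compile(r"^\s*SecRule\b.*\bid:(?P<id>\d+)\b")

def find_rule_lines(conf_text, rule_id):
    """1-based line numbers of single-line SecRule directives carrying id:<rule_id>."""
    return [n for n, line in enumerate(conf_text.splitlines(), 1)
            if (m := SECRULE_ID_RE.search(line)) and m["id"] == rule_id]

if __name__ == "__main__":
    by_rule, by_ip = summarize(SAMPLE_MESSAGES)
    print(by_rule.most_common(), by_ip.most_common(), find_rule_lines(SAMPLE_CONF, "960017"))
```

Rules continued over several lines with a trailing backslash need joining before find_rule_lines sees them.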
#23  07-01-2009, 10:01 AM
grniyce (Senior Member; Join Date: Jan 2009; Posts: 52)
In your /usr/local/apache/mod_sec user.conf or mod_sec_user2.conf, in one of those files, you will see the same rule sets that are causing those errors. Remove those two and everything will work fine. The additional mod_security rules you implemented in the modsecurity and modsecurity.d folders are more comprehensive. Then restart httpd and you should be fine.
#24  07-01-2009, 10:15 AM
-KaaL- (Member; Join Date: Jun 2009; Posts: 26)
I am scanning through all the txt files to remove those rules.
In the meantime, these are the stats of an attack I just experienced.
The site went slow...



The settings I kept are:
Static Requests/second : 15
Dynamic req/sec : 5
Connection Soft Limit : 50
Connection Hard Limit : 80
Max Connections : 900
Connection Timeout (secs) : 15
Max Keep-Alive Requests : 100
Keep-Alive Timeout (secs) : 3

Mod_Sec was off at this time though, as it was causing problems, but once I remove those rules I'll test it with Mod_Sec on.
#25  07-02-2009, 10:58 PM
-KaaL- (Member; Join Date: Jun 2009; Posts: 26)
Today I experienced an attack.

The error people got when visiting the site was:

Code:
408 Request Time-out This request takes too long to process, it is timed out by the server. 
If it should not be timed out, please contact administrator of this web site to increase 'Connection Timeout'
I hardened the settings as given before. But no use.
Where can I see logs like the one mod_status gives in LiteSpeed?
#26  07-03-2009, 06:35 AM
anewday (Senior Member; Join Date: Nov 2007; Location: New York; Posts: 723)
Try increasing Connection Timeout (secs) to 40. Do you mean the mod_status in Apache?
#27  07-03-2009, 06:40 AM
-KaaL- (Member; Join Date: Jun 2009; Posts: 26)
Quote: Originally Posted by anewday
Try increasing Connection Timeout (secs) to 40. Do you mean the mod_status in Apache?
I was getting that error while the server was getting DDoSed,
so increasing that would just ease the protection, right?

And I have put in the settings you said earlier, but this is not helping me against the attack.

Static Requests/second - 10
Dynamic Requests/second - 2
Outbound Bandwidth (bytes/sec) - 0
Inbound Bandwidth (bytes/sec) - 0
Connection Soft Limit - 20
Connection Hard Limit - 30
Grace Period (sec) - 30
Banned Period (sec) - 3600

Max Connections : 900
Connection Timeout (secs) : 15
Max Keep-Alive Requests : 90
Smart Keep-Alive : Yes
Keep-Alive Timeout (secs) : 3

And yes, I'm talking about the mod_status of Apache. Can it work with LiteSpeed? Because I am not getting a log of who is visiting and their request details on LiteSpeed.

Last edited by -KaaL-; 07-03-2009 at 06:43 AM..
#28  07-03-2009, 06:48 AM
anewday (Senior Member; Join Date: Nov 2007; Location: New York; Posts: 723)
Yeah since you said people are seeing that error. But since your server is not hitting the max connections, it should be fine to ease a bit. Try setting static requests to 5 and dynamic to 1.

Litespeed doesn't have mod_status like Apache but they are working on it for version 4.2. You can just grep the domain access logs for now.
#29  07-03-2009, 06:51 AM
anewday (Senior Member; Join Date: Nov 2007; Location: New York; Posts: 723)
During the attack, run this command and paste it here.

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
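As an added example that is not part of the thread, here is the same per-IP count done in Python over constructed netstat -ntu output, with the result checked against per-client Connection Soft/Hard Limit values like those discussed above (the thread uses 50/80, then 20/30, and 10/20 is suggested later). It goes beyond the one-liner in two ways: it keeps IPv6 addresses intact, which cut -d: -f1 does not, and it can count only the connection states you care about.

```python
from collections import Counter

# Constructed netstat -ntu output (not captured from any server in the thread).
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 198.51.100.5:80         203.0.113.10:51234      ESTABLISHED
tcp        0      0 198.51.100.5:80         203.0.113.10:51235      ESTABLISHED
tcp        0      0 198.51.100.5:80         203.0.113.10:51236      SYN_RECV
tcp        0      0 198.51.100.5:80         203.0.113.10:51237      TIME_WAIT
tcp        0      0 198.51.100.5:80         203.0.113.77:40001      ESTABLISHED
tcp6       0      0 2001:db8::5:80          2001:db8:1::9:44000     ESTABLISHED
tcp6       0      0 2001:db8::5:80          2001:db8:1::9:44001     ESTABLISHED
"""

def remote_ip(foreign):
    """Strip the port from 'addr:port'. rsplit keeps IPv6 addresses whole;
    the one-liner's cut -d: -f1 would reduce 2001:db8:1::9 to '2001'."""
    return foreign.rsplit(":", 1)[0]

def connections_per_ip(netstat_output, states=None):
    """Count connections per remote IP, optionally only in the given states
    (e.g. {'ESTABLISHED', 'SYN_RECV'} to leave out TIME_WAIT noise)."""
    counts = Counter()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue  # the two header lines
        state = fields[5] if len(fields) > 5 else ""
        if states is None or state in states:
            counts[remote_ip(fields[4])] += 1
    return counts

def over_limit(counts, soft, hard):
    """Map each IP above the per-client soft limit to 'soft', or to 'hard'
    when it is also above the hard limit; IPs within the limits are omitted."""
    return {ip: "hard" if n > hard else "soft"
            for ip, n in counts.items() if n > soft}

def report(netstat_output, soft, hard):
    """Same 'count ip' listing as the one-liner, lowest count first, plus a flag."""
    counts = connections_per_ip(netstat_output)
    flags = over_limit(counts, soft, hard)
    return [(n, ip, flags.get(ip, ""))
            for ip, n in sorted(counts.items(), key=lambda kv: kv[1])]

if __name__ == "__main__":
    for n, ip, flag in report(SAMPLE_NETSTAT, soft=20, hard=30):
        print(f"{n:7d} {ip} {flag}")
```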
#30  07-05-2009, 07:23 PM
Bob. (New Member; Join Date: Jul 2009; Posts: 2)
Quote: Originally Posted by -KaaL-
I was getting that error while the server was getting DDoSed,
so increasing that would just ease the protection, right?

And I have put in the settings you said earlier, but this is not helping me against the attack.

Static Requests/second - 10
Dynamic Requests/second - 2
Outbound Bandwidth (bytes/sec) - 0
Inbound Bandwidth (bytes/sec) - 0
Connection Soft Limit - 20
Connection Hard Limit - 30
Grace Period (sec) - 30
Banned Period (sec) - 3600

Max Connections : 900
Connection Timeout (secs) : 15
Max Keep-Alive Requests : 90
Smart Keep-Alive : Yes
Keep-Alive Timeout (secs) : 3

And yes, I'm talking about the mod_status of Apache. Can it work with LiteSpeed? Because I am not getting a log of who is visiting and their request details on LiteSpeed.
Why not set the outbound bandwidth/inbound bandwidth settings? Something like 300K outbound and 10K inbound should do. When under attack you'll also want to lower dynamic requests/second to 1 and connection soft/hard limit to around 10/20. All your other settings look fine during an attack.

Also, as previously mentioned in this thread, you'll want to install CSF and use its connection tracking feature. Based on that graph you posted you should have no problem mitigating that attack with a properly tuned LSWS + CSF setup, assuming you have enough resources and a 100mbit pipe to work with.