DDoS Question

Discussion in 'General' started by -KaaL-, Jun 25, 2009.

  1. grniyce

    grniyce New Member

    If you look at the mod_security log, it should tell you what is being blocked. Perhaps you can paste the security alert here. Otherwise you'll need to do what I did, and that's searching through each mod_sec document in "modsecurity" and "modsecurity.d" and search for the text, kinda like when you do an edit in vB ya know? Find that text and depending upon the usage of it, you can alter the rule or remove it entirely if it's something like a blacklist. Nothing is perfect for all environments, but what I posted is for a WHM/cPanel environment. With DA I'm not sure how it compiles Apache, and what options you have and so forth. By process of elimination you can most of the time tweak the rule.
    Last edited: Jul 1, 2009
  2. -KaaL-

    -KaaL- New Member

    The problem that i face is all time i google, what i get is of cPanel/WHM.. not much for DA
    so im also like you all alone..the hard way..
    Still learning each day something or the other ..

    Code:
    ===============================================
    THIS IS THE FIRST TYPE ...
    ===============================================
    
    POST /newreply.php?do=postreply&t=758 HTTP/1.1
    Host: somedomain.com
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive
    Referer: http://somedomain.com/showthread.php?p=59668
    Cookie: [Cookie....]
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 382
    -----------------------------------------------
    HTTP/1.1 403 Forbidden
    -----------------------------------------------
    Message: [client <CLIENT.IP.ADDRESS>] mod_security: Access denied with code 403, [Rule: 'REQUEST_URI|ARGS|ARGS_NAMES|!ARGS:verbiage|!ARGS:news|!ARGS:/^wz/|!ARGS:tiny_vals|!ARGS:sSave|!ARGS:/article/|!ARGS:/about/|!ARGS:/Summarize/|!ARGS:/^product_options/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:/edit/|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:navig|!ARGS:preview__hidden|!ARGS:/page/|!ARGS:order|!ARGS:/post/|!ARGS:youtube|!ARGS:reply|!ARGS:business|!ARGS:/homePage/|!ARGS:pagimenu_inhoud|!ARGS:/note/|!ARGS:Post|!ARGS:/^field_id/|!ARGS:area|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:/desc/|!ARGS:ta|!ARGS:/data/|!ARGS:Returnid|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:rt_xformat|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/submit/|!ARGS:/css/|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/^doc/|!ARGS:/xml/|!ARGS:tekst|!ARGS:formsubmit|!ARGS:invoice_snapshot|!ARGS:/code/|!ARGS:submit|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/footer/|!ARGS:/header/|!ARGS:/link/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/url/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/' '(< ?(?:script|about|applet|activex|chrome).*(?:script|about|applet|activex|chrome) ?>|> ?< ?(img ?src|a ?href) ?= ?(ht|f)tps?:/|\" ?> ?<|\" ?[a-z]+ ?<.*>|> ?\"? ?(>|<)|< ?/?i?frame)'] [severity "WARNING"]
    
    ===============================================
    2nd ERROR TYPE
    ===============================================
    
    GET /some/image/sample.gif HTTP/1.1
    Host: <CLIENT.IP.ADDRESS>
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11
    Accept: image/png,image/*;q=0.8,*/*;q=0.5
    Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive
    Referer: http://www.somedomain.com.com/index.php?showtopic=19815
    Cookie: <COOKIE>
    ------------------------------------------------
    HTTP/1.1 400 Bad Request
    ------------------------------------------------
    Message: [<CLIENT.IP.ADDRESS>] mod_security: Access denied with code 400, [Rule: 'REQUEST_HEADERS:Host' '^[\d\.]+$'] [ID "960017"] [Msg "Host header is a numeric IP address"] [severity "CRITICAL"]
    
    
  3. grniyce

    grniyce New Member

    in your /usr/local/apache/mod_sec user.conf or mod_sec_user2.conf one of those files in there you will see the same rule sets that are causing those errors. Remove those two and everything will work fine. The additional mod_security rules you implemented in the modsecurity and modsecurity.d folder are more comprehensive. Then restart httpd and you should be fine.
  4. -KaaL-

    -KaaL- New Member

    I am scanning throu all the txt files to remove those rules..
    in the mean time this is the stats of an attack i just experienced.
    The site went slow...

    [​IMG]

    the setting i kept is
    Static Requests/second : 15
    Dynamic req/sec : 5
    Connection Soft Limit : 50
    Connection Hard Limit : 80
    Max Connections : 900
    Connection Timeout (secs) : 15
    Max Keep-Alive Requests : 100
    Keep-Alive Timeout (secs) : 3

    Mod_Sec was off at this time thou.. as it was causing problems.. but as i remove those rules, i'll test it with Mod_Sec On.
  5. -KaaL-

    -KaaL- New Member

    Today I experienced an attack..

    the error people get when visiting site was

    Code:
    408 Request Time-out This request takes too long to process, it is timed out by the server. 
    If it should not be timed out, please contact administrator of this web site to increase 'Connection Timeout'
    I hardened the settings as given before. But no use.
    Where can I see logs like the one mod_status gives in LiteSpeed?
  6. anewday

    anewday Moderator

    Try increasing Connection Timeout (secs) to 40. Do you mean the mod_status in Apache?
  7. -KaaL-

    -KaaL- New Member

    I was getting tht error while server was getting DDoSed..
    so increasing tht would just ease the protection rite?

    And i have put the setting you said earlier.. but this is not helping me against attack..

    Static Requests/second - 10
    Dynamic Requests/second - 2
    Outbound Bandwidth (bytes/sec) - 0
    Inbound Bandwidth (bytes/sec) - 0
    Connection Soft Limit - 20
    Connection Hard Limit - 30
    Grace Period (sec) - 30
    Banned Period (sec) - 3600

    Max Connections : 900
    Connection Timeout (secs) : 15
    Max Keep-Alive Requests : 90
    Smart Keep-Alive : Yes
    Keep-Alive Timeout (secs) : 3

    and yes im talking about the mod_status of apache.. can it work with litespeed? Because i am not getting a log of who are visitng and their Request details on LiteSpeed.
    Last edited: Jul 3, 2009
  8. anewday

    anewday Moderator

    Yeah since you said people are seeing that error. But since your server is not hitting the max connections, it should be fine to ease a bit. Try setting static requests to 5 and dynamic to 1.

    Litespeed doesn't have mod_status like Apache but they are working on it for version 4.2. You can just grep the domain access logs for now.
  9. anewday

    anewday Moderator

    During the attack, run this command and paste it here.

    netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
  10. Bob.

    Bob. New Member

    Why not set the outbound bandwidth/inbound bandwidth settings? Something like 300K outbound and 10K inbound should do. When under attack you'll also want to lower dynamic requests/second to 1 and connection soft/hard limit to around 10/20. All your other settings look fine during an attack.

    Also as previously mentioned in this thread you'll want to install CSF and use it's connection tracking feature. Based on that graph you posted you should have no problem mitigating that attack with a properly tuned LSWS + CSF setup, assuming you have enough resources and a 100mbit pipe to work with.
  11. -KaaL-

    -KaaL- New Member

    Hi Bob,

    I have noted those settings and will do that incase of a DDoS Attack.

    Also I have CSF installed on my server.
    Here are the settings related to Connection Tracking..

    Code:
    CT_LIMIT  = 200
    CT_INTERVAL = 30
    CT_EMAIL_ALERT = 1
    CT_PERMANENT = 0
    CT_BLOCK_TIME = 1800
    CT_SKIP_TIME_WAIT = 0
    CT_STATES =
    CT_PORTS = 
  12. Bob.

    Bob. New Member

    During an attack you'll want to lower CT_LIMIT down to around 100, but if you set it to anything lower than that you'll probably begin to see false positives. You can use the "netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr" command to help you fine tune the limit. I would also enable permanent bans by setting CT_PERMANENT to 1 and set CT_STATES to ESTABLISHED,NEW. If you wanted to 'loosen' things a bit when your not under attack I would raise CT_LIMIT back up to 200 and disable permanent banning (so if a legitimate user does happen to get picked off, they do not have to contact you to get the block lifted) - once again reducing the risk of false positives.
  13. grniyce

    grniyce New Member

    [​IMG]

    [​IMG]

    CSF Settings:
    - 125 every 15 seconds (make perm or make temp 3600 seconds)
    - turn off syn flood protection in csf as LSWS settings above work better
  14. anewday

    anewday Moderator

    10 is too high for dynamic req/s.
  15. grniyce

    grniyce New Member

    I was told to setup the dynamic req/sec to (one for every 256mb of ram)? What would you suggest?
  16. anewday

    anewday Moderator

    I set mine at 2 and no one on my forum ever complained of getting 503 error due to that.
  17. -KaaL-

    -KaaL- New Member

    Till now server seems to be running smoothly.. thanx to all who replied.

    Will installing mem_cache further strenthen the server or does LiteSpeed already have some inbuilt functions to take care of it ?

Share This Page