Dear community,
my site was recently attacked by a DDOS technique and went down in a few minutes. My site runs on Debian/Apache2/MySQL.
I identified the IPs that attacked me and blocked them through the iptables firewall on Debian.
Something like:
This works perfectly, but the attacker just completely changes the IP addresses.
What I'm thinking of doing is creating a rule with iptables that accepts a total amount of requests from the same IP and then DROPs if the amount is exceeded. Something like:
The problem here is that maybe I'm missing something, because if I refresh the web page 6/7 times it just drops my other requests. Maybe I don't understand how "--seconds 60 --hitcount 10" works.
Could you please help me create rules to try to block new requests if they come together at the same time, like an attack?
It's hard to use iptables effectively to mitigate a DDOS attack with changing IP addresses.
Most attackers easily change IP addresses, but they forget to change the User Agent string, so it's often easier to block the hacker's User Agent string. Did you do any analysis on the UA strings?
Also, if you are using Apache2, there may be an anti-DDOS module, as I recall.
Is the server overloaded, so you need to stop the DDOS before it gets to the server? You could potentially throttle concurrent connections upstream at your firewall, assuming you have one upstream of your server.
If you have something less public (for your use only), you could try security by obscurity and move the port you've exposed your Apache server on (move it from TCP port 80/443 to 90/7443 or something). If it isn't a managed DDOS, the bots won't generally find you again. To use it, the URL becomes site:90/path. It's an emergency workaround, but probably not a good long-term fix.
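The User-Agent analysis suggested in the replies above, as an added example that is not part of the original thread: it groups Apache access-log entries by UA string and flags any UA that arrives from many distinct IPs and dominates the traffic. It assumes the "combined" log format; the thresholds, the UA names and the documentation-range IPs in the sample are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def ua_stats(lines):
    """Return {user_agent: (request_count, distinct_ip_count)}."""
    hits, ips = defaultdict(int), defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not in combined format (or contains escaped quotes): skip
        hits[m.group("ua")] += 1
        ips[m.group("ua")].add(m.group("ip"))
    return {ua: (hits[ua], len(ips[ua])) for ua in hits}

def suspicious_uas(lines, min_ips=5, min_share=0.5):
    """UAs seen from >= min_ips addresses that make up >= min_share of all requests.
    Both thresholds are assumptions to tune against normal traffic."""
    stats = ua_stats(lines)
    total = sum(n for n, _ in stats.values())
    return sorted(ua for ua, (n, nip) in stats.items()
                  if total and nip >= min_ips and n / total >= min_share)

def sample_line(ip, ua, path="/"):
    """Build one constructed log line in combined format."""
    return (f'{ip} - - [05/Jan/2015:09:00:00 +0000] '
            f'"GET {path} HTTP/1.1" 200 512 "-" "{ua}"')

# Constructed sample: one UA rotating over 20 addresses, plus two ordinary visitors.
BOT_UA = "ExampleFloodTool/1.0"  # made-up UA string
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/34.0"
SAMPLE_LOG = (
    [sample_line(f"203.0.113.{i}", BOT_UA) for i in range(1, 21) for _ in range(3)]
    + [sample_line("192.0.2.10", BROWSER_UA, p) for p in ("/", "/style.css", "/logo.png")]
    + [sample_line("198.51.100.7", BROWSER_UA)]
    + ["this line is not in combined format"]
)

if __name__ == "__main__":
    ranked = sorted(ua_stats(SAMPLE_LOG).items(), key=lambda kv: -kv[1][0])
    for ua, (n, nip) in ranked:
        print(f"{n:5d} requests  {nip:3d} IPs  {ua}")
    print("flagged:", suspicious_uas(SAMPLE_LOG))
```

A browser reloading a page from one address produces several requests but only one IP, so it stays below `min_ips`, unlike a per-IP hit counter that trips after a few refreshes.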