Knowledgebase

Portal Home > Knowledgebase > Articles Database > is this DDOS ?


is this DDOS ?




Posted by webhostbeginner, 01-25-2008, 11:37 AM
hello, one user trying to send GET command to our server , when I viewing Apache Status in WHM I found about 100 connection from one IP (requestet none page only show GET / HTTP/1.0) , is this DDOS attack? How can I drop this request?
Posted by webhostbeginner, 01-25-2008, 11:38 AM
oh I forgot to say I have APF Firewall too
Posted by Lightwave, 01-25-2008, 11:52 AM
It's not a DDoS attack. A "GET /" is a very normal thing. That it's using HTTP/1.0 and not HTTP/1.1 is a tiny bit unusual. But, it's not likely anything to worry about.
Posted by whmcsguru, 01-25-2008, 12:10 PM
100 connections from any ip address, most definitely something to be concerned about. I'd adjust your ddos protection in APF, or use a better system to handle ddos.
Posted by Blesta-Paul, 01-25-2008, 03:25 PM
apf -d IP-Address .. to kill those connections first, then look into a more preventative solution.
Posted by webhostbeginner, 01-26-2008, 08:58 AM
how can I handle this problem ?
Posted by david510, 01-26-2008, 09:08 AM
You can install dos_evasive to limit the number of IP connections per host. Install this if you see a large number of similar connections. This may block legitimate requests if you keep the limit low.
Posted by webhostbeginner, 01-26-2008, 04:25 PM
thank yo David510 Where I can download this program ?
Posted by Ben James, 01-26-2008, 04:31 PM
just google it im sure you will find a download link
Posted by webhostbeginner, 01-27-2008, 04:20 PM
Yes, I searched before ask but the first result is a topic in webhostingtalk : http://www.webhostingtalk.com/showthread.php?t=387833 and don't help me this link. isearched for "dos_evasive"
Posted by xxen, 01-28-2008, 04:26 AM
this is most likely a HTTP flood attack, if you have a big business you should think about getting professional help to better secure your network.
Posted by webhostbeginner, 01-28-2008, 02:13 PM
I Banned the IP of that user, but he changed the IP and I cannot ban all IPs, please help me
Posted by unixcares, 01-28-2008, 02:32 PM
Hi, If you are using a cPanel server its always better to use csf/lfd firewall. It offers simple and good protection against DOS attack. Connection Tracking option in csf enables tracking of all connections from IP addresses to the server. If the total number of connections is greater than this value "CL_LIMIT" then the offending IP address is blocked. This can be used to help prevent some types of DOS attack. Care should be taken with this option. It's entirely possible that you will see false-positives. Some protocols can be connection hungry, e.g. FTP, IMAPD and HTTP so it could be quite easy to trigger, especially with a lot of closed connections in TIME_WAIT. However, for a server that is prone to DOS attacks this may be very useful. A reasonable setting for this option might be around 200. To disable this feature, set this to 0 CT_LIMIT = "200" Best regards,
Posted by viettechorg, 01-28-2008, 06:26 PM
So does the DOS overload your server? for example if the load is very high? If not there is may be your visitors's ISP is using NAT IP, which means all share few IP, so many people would have the same IP address.
Posted by webhostbeginner, 01-29-2008, 05:34 AM
Thanks But I use APF Firewall, so should I uninstall APF ?
Posted by webhostbeginner, 01-29-2008, 05:36 AM
Yes the server load goes to upper than 100 !
Posted by webhostbeginner, 01-30-2008, 04:43 PM
hello? any body there?
Posted by VIETHOSTING, 01-30-2008, 05:15 PM
Install CSF from http://configserver.com/cp/csf.html OR try this: http://deflate.medialayer.com/old/
Posted by unixcares, 01-30-2008, 05:25 PM
Hi, You need to check the number of simultaneous connections to port 80 from an IP. You can easily check it using the following one line script. netstat -plan|grep :80|awk {'print $5'}|cut -d: -f 1|sort|uniq -c|sort -nk 1 If number of connections more than 50 please block it. in apf the following command will block ip.address apf -d ip.address in csf the following command will block ip.address csf -d ip.address You can install csf by performing the following steps. Installation is quite straightforward: rm -fv csf.tgz wget www[dot]configserver[dot]com/free/csf.tgz tar -xzf csf.tgz cd csf sh install.sh If you would like to disable APF+BFD (which you will need to do if you have them installed otherwise they will conflict horribly sh disable_apf_bfd.sh That's it. You can then configure csf and lfd in WHM, or edit the files directly in /etc/csf/* csf is pre-configured to work on a cPanel server with all the standard cPanel ports open. For more details please have a look into following url: configserver[dot]com/cp/csf.html


Was this answer helpful?

Add to Favourites Add to Favourites    Print this Article Print this Article

Also Read
whm-host.com - Any Problem? (Views: 705)
Advice on SSL choice (Views: 668)
Hosting for MYSQL Database with 400 plus threads (Views: 664)
htaccess redirect from .net to .com (Views: 650)
Don't believe ----- netrillium.net (Views: 707)

Language: