  1. #1
    Linux Newbie postcd's Avatar
    Join Date
    Apr 2011
    Posts
    235

    DDoS, basic question how to mitigate by network


    Hello,

    I have a node where I'm creating virtual machines using the OpenVZ hypervisor.

    One VPS got DDoSed according to my client, and really, the node server load went to 50.0 from 1.0; when I disconnect the IP from the VPS, the load goes down.

    Load goes from 1 to 50 within around 5 minutes.

    Within this time I managed to stop mysqld, httpd and bind,

    but the load on the main node server did not go down.

    Please, any ideas how to quickly realise what the target of the attack is and prevent overload?

  2. #2
    Just Joined!
    Join Date
    Dec 2008
    Location
    Berlin Germany
    Posts
    4

    Things to do..

    Hi,

    If your node is still running:

    1. login over ssh as a user
    2. then sudo | su to root account
    3. call top utility to see what services are under the most strain.

    # top

    Then count to 10 and look at the top of the process list.


    4. Look at the log files of your service under the DDoS attack;
    it would be the one that has the most strain.

    Should it be the database, think through what other service it can be reached through. Most often it's your web server
    or mail server, if you use a database as a backend; then look in the logs of these services.

    You will need to look for the same IP address that constantly asks for something, very constantly, many times, almost constantly now, or a group of IPs.

    Be careful that it's not your own IP, otherwise you will lose the connection to your host yourself!

    Then set the firewall policy for the found IP addresses to DROP.

    /sbin/iptables -I INPUT -s {IP-of-THE-ATTACKING-HOST-HERE} -j DROP

    like: /sbin/iptables -I INPUT -s 1.2.3.4 -j DROP



    That should stop the DDoS attack.

    !!!! Be utmost careful that your own IPs won't be among those you are locking out !!!!


    ----

    Should your container under attack no longer be accessible, stop your container over the OpenVZ command line or the Proxmox interface. Then change to your /var/lib/vz/root/<Nr of your Container>/ directory and look through the log files in the ./var/log/ directory, find out what addresses were attacking you and send them into the firewall nirvana.

    Take care in the future and set up the fail2ban utility to do such things for you.

    P.S.: Should the attacking address be your own, check whether you have started some service that was accidentally misconfigured before.

    How Do I View Blocked IP Addresses?

    Simply use the following command:
    # /sbin/iptables -L -v
    OR
    # /sbin/iptables -L INPUT -v
    OR
    # /sbin/iptables -L INPUT -v -n



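    The log-then-block procedure from the reply above, written out as an added example (not code from the thread): it counts source IPs in a web-server access log, skips an allow-list of your own addresses so you do not lock yourself out, and prints the iptables DROP commands for review instead of running them. The log lines and the addresses in OWN_IPS are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the forum thread.
# Constructed access-log lines in common log format (sample data only).
SAMPLE_LOG='203.0.113.10 - - [10/Oct/2011:13:55:36 +0000] "GET / HTTP/1.1" 200 612
203.0.113.10 - - [10/Oct/2011:13:55:36 +0000] "GET / HTTP/1.1" 200 612
198.51.100.5 - - [10/Oct/2011:13:55:37 +0000] "GET /admin HTTP/1.1" 200 812
203.0.113.10 - - [10/Oct/2011:13:55:37 +0000] "GET / HTTP/1.1" 200 612
192.0.2.7 - - [10/Oct/2011:13:55:38 +0000] "GET /index.html HTTP/1.1" 200 612
198.51.100.5 - - [10/Oct/2011:13:55:38 +0000] "GET /admin HTTP/1.1" 200 812
203.0.113.10 - - [10/Oct/2011:13:55:39 +0000] "GET / HTTP/1.1" 200 612
198.51.100.5 - - [10/Oct/2011:13:55:39 +0000] "GET /admin HTTP/1.1" 200 812'

# Your own addresses, one per line (assumption: the admin fills this in).
OWN_IPS='198.51.100.5'

# top_talkers LOGTEXT THRESHOLD
# Prints "count ip" for every client IP with at least THRESHOLD requests,
# highest count first. The client IP is the first field of each log line.
top_talkers() {
  printf '%s\n' "$1" | awk -v min="$2" '
    NF { c[$1]++ }
    END { for (ip in c) if (c[ip] >= min) print c[ip], ip }' | sort -rn
}

# drop_rules LOGTEXT THRESHOLD OWNLIST
# Prints one iptables DROP command per top talker, but only comments on
# any IP found in OWNLIST so the rule for your own address is never run.
drop_rules() {
  top_talkers "$1" "$2" | while read -r count ip; do
    if printf '%s\n' "$3" | grep -qxF "$ip"; then
      echo "# skipping own IP $ip ($count hits)"
    else
      echo "/sbin/iptables -I INPUT -s $ip -j DROP   # $count hits"
    fi
  done
}

# Review the output first; pipe it to sh only once you are happy with it.
drop_rules "$SAMPLE_LOG" 3 "$OWN_IPS"
```

    On a real node, replace SAMPLE_LOG with the contents of the container's access log (for example under /var/lib/vz/root/<Nr of your Container>/var/log/) and put every address you administer from into OWN_IPS.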

  3. #3
    Linux Newbie postcd's Avatar
    Join Date
    Apr 2011
    Posts
    235
    Thank you a lot for the useful info.
    I bookmarked some of your tips. Currently, the attack has stopped.

    I think the node server load increased even when the VPS was restarted and http, mysql and named were stopped. Only disconnecting the IP from the VPS stopped the attack.

    At least now I know how to ban IPs. The only big file I found was /var/log/messages, which had around 200MB of data, but I did not find anything similar to many IP requests or such...

    ConfigServer Firewall doesn't work on my node; it does something wrong with DNS, because all the VPSs' websites stop working when I enable CSF.

    ---
    There must be some simple Linux tool which blocks excessive IP requests. I tried that DDoS evasive, but as said it did not block IPs, or there was no load decrease. I'm unsure if it worked.

  4. #4
    Just Joined!
    Join Date
    Dec 2008
    Location
    Berlin Germany
    Posts
    4
    I've never worked within a CSF cluster, so I cannot help you there.

    Just a thought as an outsider. You could perhaps set up your own DNS server listening on another virtual network interface for the DNS requests, one that wouldn't be a member of the CSF cluster.

    You could use it internally on the actual host then, for your DNS resolution with the services (like www and such) that shouldn't be engaged in CSF.

    Another thought: your DDoS might come from within your own cluster... but you should ask the CSF specialists about how you set your name resolution within the cluster, or how you might use your firewall within it, if it's even possible.

    On their page there is an email address at http -colon//- ri.itservices.manchester.ac.uk/csf/

    Perhaps you can reach them there.

    Good luck.





