
Thread: Preventing DOS

  1. #1
    Junior Member
    Join Date
    Aug 2004
    Posts
    2

    Preventing DOS

    I was recently DoS'd. I was being hammered by 2 servers constantly.

    I upgraded apache, ftp, php, mysql, ssh, etc and blocked the two IPs the attack was coming from using iptables.

    I've been fine since, but was looking for input on preventing it from happening again.

    Here is a snippet from the access log:

    Code:
    66.139.79.12 - - [09/Aug/2004:18:41:41 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    66.139.79.12 - - [09/Aug/2004:18:41:42 -0400] "GET /memberlist.php HTTP/1.0" 206 28949 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:18:41:37 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    66.139.79.12 - - [09/Aug/2004:19:18:30 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    66.139.79.12 - - [09/Aug/2004:19:18:30 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    66.139.79.12 - - [09/Aug/2004:19:18:34 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    66.139.79.12 - - [09/Aug/2004:19:18:34 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    66.139.79.12 - - [09/Aug/2004:19:18:34 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    66.139.79.12 - - [09/Aug/2004:19:18:35 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    66.139.79.12 - - [09/Aug/2004:19:18:35 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    66.139.79.12 - - [09/Aug/2004:19:18:35 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    66.139.79.12 - - [09/Aug/2004:19:18:36 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    66.139.79.12 - - [09/Aug/2004:19:18:36 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:18:47 -0400] "GET /memberlist.php HTTP/1.0" 200 105 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:18:50 -0400] "GET /memberlist.php HTTP/1.0" 200 105 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:18:46 -0400] "GET /memberlist.php HTTP/1.0" 200 105 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:18:46 -0400] "GET /memberlist.php HTTP/1.0" 200 105 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:18:47 -0400] "GET /memberlist.php HTTP/1.0" 200 105 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:18:47 -0400] "GET /memberlist.php HTTP/1.0" 200 105 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:18:49 -0400] "GET /memberlist.php HTTP/1.0" 200 105 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:18:49 -0400] "GET /memberlist.php HTTP/1.0" 200 105 "-" "Wget/1.8.2"
    66.139.79.12 - - [09/Aug/2004:19:18:59 -0400] "GET /memberlist.php HTTP/1.0" 200 105 "-" "Wget/1.8.2"
    66.139.79.12 - - [09/Aug/2004:19:18:57 -0400] "GET /memberlist.php HTTP/1.0" 200 105 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:24 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:28 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:30 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:31 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:33 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:34 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:36 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:37 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:39 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:40 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:42 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:43 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:45 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:46 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:48 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:49 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:51 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:52 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:54 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:56 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:57 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:59 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:23:00 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:23:02 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:23:03 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:23:05 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    66.139.79.12 - - [09/Aug/2004:19:44:38 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    66.139.79.12 - - [09/Aug/2004:19:44:38 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    66.139.79.12 - - [09/Aug/2004:19:44:38 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    66.139.79.12 - - [09/Aug/2004:19:44:38 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    http://forever-hack.net

    "In /dev/null no one can hear you scream."

  2. #2
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    That's a script-based DoS -- an issue with script load using the resources available to your hardware. You could put a limit on how many hits go to a specific page, limit concurrent incoming connections, get faster/better hardware, or try and make the script as lean as possible. There are lots of possible ways to stop this type of attack.

    Just FYI, this is rather primitive, and likely wouldn't work if the script was very simple.
    It also took very little to launch:
    while true; do wget --spider www.yoursite.com/memberlist.php ; done
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?
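The two suggestions above (count the hits going to one page per client, then blackhole the offenders at the firewall) can be checked against an access log like the one in the first post. The script below is an added example, not code from anyone in this thread: it parses Apache common-log-format lines, sorts them by timestamp (the log in the first post is not strictly in time order), keeps a sliding window of hits per client IP on one path, and emits iptables DROP rules for clients that exceed a threshold. The sample log lines, the RFC 5737 test addresses, the 5-hits-per-60-seconds threshold and the function names are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined log line, the same layout as the thread's access log.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log (example data, not taken from the thread): one client
# hits /memberlist.php six times in six seconds, another browses normally.
SAMPLE_LOG = """\
192.0.2.10 - - [09/Aug/2004:19:22:24 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
192.0.2.10 - - [09/Aug/2004:19:22:26 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
192.0.2.10 - - [09/Aug/2004:19:22:25 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
198.51.100.7 - - [09/Aug/2004:19:22:30 -0400] "GET /index.php HTTP/1.1" 200 1203 "-" "Mozilla/5.0"
192.0.2.10 - - [09/Aug/2004:19:22:27 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
192.0.2.10 - - [09/Aug/2004:19:22:28 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
192.0.2.10 - - [09/Aug/2004:19:22:29 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
198.51.100.7 - - [09/Aug/2004:19:25:30 -0400] "GET /memberlist.php HTTP/1.1" 200 37493 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def find_hammering(lines, path, max_hits, window_seconds):
    """Return {ip: time_first_exceeded} for clients that requested `path`
    more than `max_hits` times inside any `window_seconds` window."""
    window = timedelta(seconds=window_seconds)
    recs = [r for r in map(parse_line, lines)
            if r is not None and r["path"].split("?", 1)[0] == path]
    recs.sort(key=lambda r: r["ts"])  # raw logs can be slightly out of order
    recent = defaultdict(deque)  # ip -> timestamps inside the current window
    flagged = {}
    for r in recs:
        q = recent[r["ip"]]
        q.append(r["ts"])
        while q and r["ts"] - q[0] > window:  # drop hits that fell out of the window
            q.popleft()
        if len(q) > max_hits and r["ip"] not in flagged:
            flagged[r["ip"]] = r["ts"]
    return flagged


def block_rules(flagged, port=80):
    """Render the blackhole rules the first poster applied by hand (iptables syntax)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP"
            for ip in sorted(flagged)]


if __name__ == "__main__":
    offenders = find_hammering(SAMPLE_LOG.splitlines(), "/memberlist.php", 5, 60)
    for ip, when in offenders.items():
        print(f"{ip} exceeded the limit at {when:%H:%M:%S}")
    print("\n".join(block_rules(offenders)))
```

Run it against a real log with `find_hammering(open("access_log"), "/memberlist.php", 5, 60)`; the threshold is the knob to tune per page, since a heavy script like memberlist.php tolerates far fewer hits than a static file. Review the rules before applying them: a single NAT gateway can front many legitimate users, which is why the thread's advice to also tune the script and server limits still applies.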

  3. #3
    Installing firewall..
    Try having a firewall script - which prevents DDoS attacks from happening..

    but I ain't sure if this is the most appropriate action to be taken though..
    ppls here might have better alternatives..

  4. #4
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Yes, as chsh has noted there are many ways to stop this. The quickest is to blackhole the traffic coming from those IP addresses via router or FW ACLs. The second, fire up httpd.conf and look for the configs for limiting access. Offhand, I can't remember the actual lines but they are there.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  5. #5
    Senior Member
    Join Date
    Jan 2003
    Posts
    274
    Well, I'm a WAN guy, so I always look to do it in hardware. Let the servers do what they're supposed to do and never let the bad stuff get to them. What kind of data devices are you using? Switches, routers, firewalls, traffic-shapers, et cetera?
