Old 05-30-2006, 05:10 PM   #1
Chris
Too lazy to set a custom title
 
Join Date: May 2003
Location: icq: 71462500 Skype: Jupzchris
Posts: 27,880
how do i stop a ddos on my server?

my host doesn't have a listed phone number
submitted a support ticket, nothing

netstat in ssh is going nuts

Code:
rver.jupzchris.com:http pool-71-115-29-71.sbn:50712 TIME_WAIT
tcp        0      0 myserver.jupzchris.com:http cpe-65-24-245-137.insi:1957 ESTABLISHED
tcp        0      0 myserver.jupzchris.com:http 209-192-108-106.knolog:2554 TIME_WAIT
tcp      717      0 myserver.jupzchris.com:http CPE-24-163-223-59.mn.:50043 ESTABLISHED
tcp        0      0 myserver.jupzchris.com:http c-68-42-167-215.hsd1.:32920 TIME_WAIT
tcp        0      0 myserver.jupzchris.com:http kgldgaambas03-pool1-a1:2519 TIME_WAIT
tcp        0      0 myserver.jupzchris.com:http cpe-65-24-245-137.insi:1958 ESTABLISHED
tcp        0      0 myserver.jupzchris.com:http adsl-68-74-156-94.dsl.:1202 TIME_WAIT
tcp        0      0 myserver.jupzchris.com:http railroadpa-bsr1_eycb01:3184 TIME_WAIT
tcp      436      0 myserver.jupzchris.com:http pool-71-124-140-64.bst:1419 ESTABLISHED
tcp      549      0 myserver.jupzchris.com:http pool-68-236-251-45.ha:50177 CLOSE_WAIT
tcp      549      0 myserver.jupzchris.com:http pool-68-236-251-45.ha:50178 CLOSE_WAIT
tcp        0      0 myserver.jupzchris.com:http NLV-Webproxy06.direcpc:8730 TIME_WAIT
tcp        0      0 myserver.jupzchris.com:http cpe-72-231-128-226.nyc:2940 TIME_WAIT
tcp        0      0 myserver.jupzchris.com:http c-67-184-145-213.hsd1:62212 ESTABLISHED
tcp        0      0 myserver.jupzchris.com:http 12-207-198-30.client.m:2835 TIME_WAIT
tcp        0      0 myserver.jupzchris.com:http kgldgaambas03-pool1-a1:2543 TIME_WAIT
tcp        0      0 myserver.jupzchris.com:http pool-71-115-29-71.sbn:50732 ESTABLISHED
tcp        0      0 myserver.jupzchris.com:http cpe-72-231-128-226.nyc:2938 TIME_WAIT
tcp        0      0 myserver.jupzchris.com:http kgldgaambas03-pool1-a1:2539 TIME_WAIT
tcp        0      0 myserver.jupzchris.com:http kgldgaambas03-pool1-a1:2535 TIME_WAIT
tcp        0      0 myserver.jupzchris.com:http 72.146.47.71:1520           ESTABLISHED
tcp        0      0 myserver.jupzchris.com:http ftcl002.digis.net:2238      ESTABLISHED
tcp        0      0 myserver.jupzchris.com:http 69.76.34.36:4700            ESTABLISHED
tcp      388      0 myserver.jupzchris.com:http 68-119-124-170.dhcp.jc:4424 ESTABLISHED
tcp        0      0 myserver.jupzchris.com:http 207-224-12-96.clsp.qw:62363 FIN_WAIT2
tcp        0      0 myserver.jupzchris.com:http dialup-4.155.12.222.Di:4001 ESTABLISHED
tcp        0      0 myserver.jupzchris.com:http 72.146.47.71:1518           ESTABLISHED
tcp        0      0 myserver.jupzchris.com:http c-67-176-253-223.hsd1.:1144 ESTABLISHED
tcp        0      0 myserver.jupzchris.com:http c-67-181-48-18.hsd1.c:57989 FIN_WAIT2

anything i can do to my server until my host gets around?

i am pinging


C:\DOCUME~1\CHRIS>ping jupzchris.com

Pinging jupzchris.com [216.66.19.200] with 32 bytes of data:

Reply from 216.66.19.200: bytes=32 time=73ms TTL=50
Reply from 216.66.19.200: bytes=32 time=71ms TTL=50
Reply from 216.66.19.200: bytes=32 time=71ms TTL=50
Reply from 216.66.19.200: bytes=32 time=96ms TTL=50

Ping statistics for 216.66.19.200:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 71ms, Maximum = 96ms, Average = 77ms


so he isn't doing a very good job
just making my server slow
Old 05-30-2006, 05:12 PM   #2
wdsguy
Ryde or Die
 
Join Date: Dec 2002
Location: California-Shanghai
Posts: 19,568
you can't find a telephone number for your host? wtf
Old 05-30-2006, 05:15 PM   #3
iTEAM
Confirmed User
 
Join Date: May 2006
Posts: 147
I can help if you want.
__________________
iTEAM Hosting
Contact Chad on ICQ: 256-331-436
Old 05-30-2006, 05:18 PM   #4
Chris
Too lazy to set a custom title
 
Join Date: May 2003
Location: icq: 71462500 Skype: Jupzchris
Posts: 27,880
Quote:
Originally Posted by wdsguy
you can't find a telephone number for your host? wtf
the only number i have i'm getting no answer at
Old 05-30-2006, 05:19 PM   #5
BradM
Confirmed User
 
Join Date: Dec 2003
Location: 1123,6536,5231
Posts: 3,397
Do you have root and ssh to the machine?
Old 05-30-2006, 05:20 PM   #6
bringer
i have man boobies
 
 
Join Date: Jul 2003
Location: van down by the river
Posts: 13,082
shut down your httpd
__________________
333-765-551
Old 05-30-2006, 05:20 PM   #7
mOrrI
It's over there...
 
Join Date: Nov 2004
Location: Portugal
Posts: 4,212
Bump for u :D
Old 05-30-2006, 05:21 PM   #8
iTEAM
Confirmed User
 
Join Date: May 2006
Posts: 147
In SSH what does this command tell you?
ps -aux | grep httpd | wc -l; netstat -na | grep :80 | wc -l;uptime
__________________
iTEAM Hosting
Contact Chad on ICQ: 256-331-436
Old 05-30-2006, 05:43 PM   #9
Chris
Too lazy to set a custom title
 
Join Date: May 2003
Location: icq: 71462500 Skype: Jupzchris
Posts: 27,880
root@myserver [~]# ps -aux | grep httpd | wc -l; netstat -na | grep :80 | wc -l;uptime
152
461
19:43:18 up 23 days, 22:46, 1 user, load average: 0.00, 0.00, 0.00


it's a new server so no traffic on it
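
iTEAM's command in post #8 reports only a total for port 80. The following is an added example, not part of any post in the thread, that breaks the same `netstat -an` output down by TCP state and by remote address; the sample lines are constructed and the function names are assumptions.

```sh
#!/bin/sh
# Added example: break `netstat -an` output for one local port down by
# TCP state and by remote address. SAMPLE is constructed (RFC 5737 ranges).
SAMPLE='tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 192.0.2.10:22 198.51.100.7:40022 ESTABLISHED
tcp 0 0 192.0.2.10:80 198.51.100.7:50712 TIME_WAIT
tcp 0 0 192.0.2.10:80 198.51.100.7:50713 TIME_WAIT
tcp 717 0 192.0.2.10:80 198.51.100.7:50714 ESTABLISHED
tcp 0 0 192.0.2.10:80 198.51.100.23:1957 ESTABLISHED
tcp 0 0 192.0.2.10:80 198.51.100.23:1958 ESTABLISHED
tcp 0 0 192.0.2.10:80 203.0.113.5:2519 TIME_WAIT
tcp 0 0 192.0.2.10:80 203.0.113.5:2543 TIME_WAIT
tcp 549 0 192.0.2.10:80 203.0.113.9:50177 CLOSE_WAIT
tcp 0 0 192.0.2.10:80 203.0.113.40:62363 FIN_WAIT2
tcp 0 0 192.0.2.10:80 203.0.113.77:4424 SYN_RECV'

# Emit "remote_ip state" for each TCP connection to local port $1.
conns() {
  awk -v port="$1" '
    $1 ~ /^tcp/ && $6 != "LISTEN" && $4 ~ (":" port "$") {
      ip = $5; sub(/:[0-9]+$/, "", ip); print ip, $6 }'
}

# Connections per TCP state, most common first.
state_counts() {
  conns "$1" | awk '{ n[$2]++ } END { for (s in n) print n[s], s }' | sort -rn
}

# Connections per remote address, busiest first.
per_source() {
  conns "$1" | awk '{ n[$1]++ } END { for (a in n) print n[a], a }' | sort -rn
}

# Percentage of connections that are half-open (SYN_RECV). A high share is
# the usual sign of a SYN flood; ordinary traffic is mostly completed or
# closing connections.
half_open_pct() {
  conns "$1" | awk '$2 == "SYN_RECV" { syn++ }
    END { printf "%d\n", NR ? 100 * syn / NR : 0 }'
}

# Live use: netstat -an | state_counts 80
printf '%s\n' "$SAMPLE" | state_counts 80
echo "half-open: $(printf '%s\n' "$SAMPLE" | half_open_pct 80)%"
```

The functions expect numeric output (`netstat -an`); the listing in post #1 was taken without `-n`, so its port column reads `http` rather than `80`.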
Old 05-30-2006, 05:55 PM   #10
SplitInfinity
Confirmed User
 
Join Date: Dec 2002
Location: San Diego, CA
Posts: 3,047
Chris, hit me up on AIM, I will help U bro.


Run this command for now:
netstat -an|grep SYN|gawk '{print $5}' | gawk -F. '{print "iptables -A INPUT -j DROP -s "$1"."$2"."$3".0/24 -d 0/0 -p all"}'

After you run that (paste it into shell on one line) copy all the iptables lines out of the results and paste them back into the command line.
That will block out the spoofed IPs they are using from hitting you.

Also, type (copy/paste) this stuff, line by line into ssh:

# Tune File Swappiness down a bit to reduce swap thrashing
echo 40 > /proc/sys/vm/swappiness

# Turn on tcp_syncookies - VERY IMPORTANT to stop DDoS
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Turn on Source Address Verification
echo 1 >/proc/sys/net/ipv4/conf/all/rp_filter

#Reduce DoS'ing ability by reducing timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
echo 0 > /proc/sys/net/ipv4/tcp_sack

#the number of TCP SYN packets that the server can queue before SYNs are dropped
sysctl -w net.ipv4.tcp_max_syn_backlog=30000
#Increase the number of connections that are allowed in TIME-WAIT state
sysctl -w net.ipv4.tcp_max_tw_buckets=2000000
#Configure parameters to set the length for the number of packets that can be queued in the network core
sysctl -w net.core.netdev_max_backlog=50000
#TCP WINDOW SIZE
sysctl -w net.core.rmem_max=16777216
sysctl -w net.core.wmem_max=16777216
sysctl -w net.ipv4.tcp_rmem="500000 1000000 16777216"
sysctl -w net.ipv4.tcp_wmem="500000 1000000 16777216"
#KERNEL TUNES
sysctl -w net.ipv4.ip_forward=0
sysctl -w net.ipv4.conf.all.accept_source_route=0
sysctl -w net.ipv4.conf.all.send_redirects=0
sysctl -w net.ipv4.conf.all.accept_redirects=0
sysctl -w net.ipv4.conf.all.secure_redirects=0
sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
sysctl -w net.ipv4.ipfrag_time=15
sysctl -w net.ipv4.tcp_ecn=0
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syn_retries=3
sysctl -w net.ipv4.tcp_synack_retries=3
sysctl -w net.ipv4.tcp_keepalive_probes=7
sysctl -w net.ipv4.tcp_orphan_retries=5

#IPTABLES SYN PROTECTION - MODIFY THE BELOW to MATCH YOUR SERVERS IP's
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
iptables -A INPUT -p tcp --tcp-option 64 -j DROP
iptables -A INPUT -p tcp --tcp-option 128 -j DROP
iptables -A INPUT -p tcp --syn -m limit --limit 4/s -j ACCEPT
iptables -A INPUT -p tcp --syn -m limit --limit 4/s -j ACCEPT
iptables -A INPUT -p tcp -d 38.96.5.146 --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 4/s -j ACCEPT
iptables -A INPUT -p tcp -d 38.96.5.147 --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 4/s -j ACCEPT
iptables -A INPUT -p tcp -d 38.96.5.148 --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

#ANTISPOOFING
for a in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > "$a"; done

#NO SOURCE ROUTE
for z in /proc/sys/net/ipv4/conf/*/accept_source_route; do echo 0 > "$z"; done

#SYN COOKIES
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
#echo $ICMP_ECHOREPLY_RATE > /proc/sys/net/ipv4/icmp_echoreply_rate
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# 0 keeps ICMP redirects disabled, matching the sysctl -w accept_redirects=0 line above
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
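
Post #10 writes some kernel parameters more than once (tcp_fin_timeout is set to 30 and later to 10), and a long paste gives no confirmation that the values took effect. The following is an added example, not SplitInfinity's or any project's code, that reports such repeats and compares the final values with the live ones; the function names, the root argument and the file name in the last comment are assumptions.

```sh
#!/bin/sh
# Added example: lint a pasted tuning script for keys it sets twice, then
# check the live values. SCRIPT is a constructed excerpt made of lines that
# appear in the post; only the two literal forms below are parsed.
SCRIPT='echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 >/proc/sys/net/ipv4/conf/all/rp_filter
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
sysctl -w net.ipv4.tcp_max_syn_backlog=30000
sysctl -w net.ipv4.conf.all.accept_source_route=0
sysctl -w net.ipv4.tcp_fin_timeout=10'

# Normalise "echo V > /proc/sys/a/b" and "sysctl -w a.b=V" to "a.b V".
assignments() {
  awk '
    $1 == "echo" && match($0, /\/proc\/sys\/[^ ]+/) {
      key = substr($0, RSTART + 10, RLENGTH - 10); gsub("/", ".", key)
      val = $2; gsub(/"/, "", val); print key, val; next }
    $1 == "sysctl" && $2 == "-w" {
      val = substr($0, index($0, "=") + 1); gsub(/"/, "", val)
      print substr($3, 1, index($3, "=") - 1), val }'
}

# Report keys assigned more than once with different values (last one wins).
conflicts() {
  assignments | awk '{ k = $1; v = $0; sub(/^[^ ]+ /, "", v)
    if ((k in last) && last[k] != v) print k ": " last[k] " then " v
    last[k] = v }'
}

# Compare the final value of each key with the file under root $1
# (default /proc/sys). Prints mismatches; returns 1 if there are any.
audit_live() {
  root=${1:-/proc/sys}
  diffs=$(assignments |
    awk '{ k = $1; sub(/^[^ ]+ /, ""); last[k] = $0 }
         END { for (k in last) print k, last[k] }' | sort |
    while read -r key want; do
      path="$root/$(printf '%s' "$key" | tr . /)"
      have=missing
      [ -r "$path" ] && have=$(tr -s '\t' ' ' < "$path")
      [ "$have" = "$want" ] || echo "$key have=$have want=$want"
    done)
  [ -z "$diffs" ] && return 0
  printf '%s\n' "$diffs"
  return 1
}

printf '%s\n' "$SCRIPT" | conflicts   # net.ipv4.tcp_fin_timeout: 30 then 10
# On the server (hypothetical file name): audit_live < tuning-script.sh
```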
Old 05-30-2006, 05:55 PM   #11
SplitInfinity
Confirmed User
 
Join Date: Dec 2002
Location: San Diego, CA
Posts: 3,047
Cancel that box and grab one over here with me, I'll tune it right for ya!
Old 05-30-2006, 05:56 PM   #12
SplitInfinity
Confirmed User
 
Join Date: Dec 2002
Location: San Diego, CA
Posts: 3,047
Oh, also, suggestion:

install mod_evasive into apache... that helps stop these in real time.
Old 05-30-2006, 05:58 PM   #13
SplitInfinity
Confirmed User
 
Join Date: Dec 2002
Location: San Diego, CA
Posts: 3,047
Oh, and your host's phone number and email is:

Phone: +1.5203232533
Email Address: [email protected]
Old 05-30-2006, 05:58 PM   #14
SplitInfinity
Confirmed User
 
Join Date: Dec 2002
Location: San Diego, CA
Posts: 3,047
You are hosting with an he.net reseller (Hurricane Electric)
Old 05-30-2006, 05:59 PM   #15
SplitInfinity
Confirmed User
 
Join Date: Dec 2002
Location: San Diego, CA
Posts: 3,047
Anyone else need help like this? Hit me up on AIM: NJesterIII
Old 05-30-2006, 06:00 PM   #16
SplitInfinity
Confirmed User
 
Join Date: Dec 2002
Location: San Diego, CA
Posts: 3,047
Old 05-30-2006, 06:01 PM   #17
SplitInfinity
Confirmed User
 
Join Date: Dec 2002
Location: San Diego, CA
Posts: 3,047
Old 05-30-2006, 06:10 PM   #18
Deputy Chief Command
Deputy Chief Command
 
Join Date: Nov 2005
Posts: 4,482
Quote:
Originally Posted by SplitInfinity


super DUMB admin ?

way to go!

Old 05-30-2006, 06:14 PM   #19
directfiesta
Too lazy to set a custom title
 
Join Date: Oct 2002
Location: Montreal, Quebec
Posts: 29,648
server response looks ok.

a DDOS, you couldn't even connect to it...

Looks like a port scan ....
__________________
I know that Asspimple is stoopid ... As he says, it is a FACT !

But I can't figure out how he can breathe or type , at the same time ....
Old 05-30-2006, 06:15 PM   #20
nico-t
emperor of my world
 
Join Date: Aug 2004
Location: nethalands
Posts: 29,903
Quote:
Originally Posted by Deputy Chief Command
super DUMB admin ?

way to go!

lol......
Old 05-30-2006, 06:19 PM   #21
x3guide
Confirmed User
 
Join Date: Dec 2001
Location: lake titicaca
Posts: 735
format c:

or in this case: rm -rf *
__________________
Shomer fuckin shabbas
Old 05-30-2006, 06:24 PM   #22
SplitInfinity
Confirmed User
 
Join Date: Dec 2002
Location: San Diego, CA
Posts: 3,047
That's like that intentionally because we're changing the way things work on our site :-) Thanks for pointing it out though. New site will launch with new certs within a few days.

http://stage.splitinfinity.com

Nice of you to hate on my post when I'm trying to help.
I'm ashamed of you.
Old 05-30-2006, 06:30 PM   #23
iTEAM
Confirmed User
 
Join Date: May 2006
Posts: 147
Quote:
Originally Posted by Chris
root@myserver [~]# ps -aux | grep httpd | wc -l; netstat -na | grep :80 | wc -l;uptime
152
461
19:43:18 up 23 days, 22:46, 1 user, load average: 0.00, 0.00, 0.00


it's a new server so no traffic on it
Yep probably a port scan.
Wait and see how things go but in the meantime if you haven't already you need to harden your server.

I used to harden my servers by putting pics of hot chicks in front of it, but found out it just distracted it from its job.
__________________
iTEAM Hosting
Contact Chad on ICQ: 256-331-436