how do i stop a ddos on my server?
my host doesn't have a listed phone number :(
submitted a support ticket, nothing. netstat in ssh is going nuts
Code:
    rver.jupzchris.com:http pool-71-115-29-71.sbn:50712 TIME_WAIT
anything i can do to my server until my host gets around? i am pinging
    C:\DOCUME~1\CHRIS>ping jupzchris.com

    Pinging jupzchris.com [216.66.19.200] with 32 bytes of data:

    Reply from 216.66.19.200: bytes=32 time=73ms TTL=50
    Reply from 216.66.19.200: bytes=32 time=71ms TTL=50
    Reply from 216.66.19.200: bytes=32 time=71ms TTL=50
    Reply from 216.66.19.200: bytes=32 time=96ms TTL=50

    Ping statistics for 216.66.19.200:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 71ms, Maximum = 96ms, Average = 77ms
so he isn't doing a very good job, just making my server slow |
you can't find a telephone number for your host? wtf
|
I can help if you want.
|
Do you have root and ssh to the machine?
|
shut down your httpd
|
Bump for u :D
|
In SSH what does this command tell you?
ps -aux | grep httpd | wc -l; netstat -na | grep :80 | wc -l;uptime |
    root@myserver [~]# ps -aux | grep httpd | wc -l; netstat -na | grep :80 | wc -l;uptime
    152
    461
     19:43:18 up 23 days, 22:46, 1 user, load average: 0.00, 0.00, 0.00
it's a new server so no traffic on it |
Chris, hit me up on AIM, I will help U bro.
Run this command for now:

    netstat -an|grep SYN|gawk '{print $5}' | gawk -F. '{print "iptables -A INPUT -j DROP -s "$1"."$2"."$3".0/24 -d 0/0 -p all"}'

After you run that (paste it into shell on one line) copy all the iptables lines out of the results and paste them back into the command line. That will block out the spoofed IPs they are using from hitting you. Also, type (copy/paste) this stuff, line by line into ssh:

    # Tune File Swappiness down a bit to reduce swap thrashing
    echo 40 > /proc/sys/vm/swappiness
    # Turn on tcp_syncookies - VERY IMPORTANT to stop DDoS
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    # Turn on Source Address Verification
    echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
    # Reduce DoS'ing ability by reducing timeouts
    echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
    echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
    echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
    echo 0 > /proc/sys/net/ipv4/tcp_timestamps
    echo 0 > /proc/sys/net/ipv4/tcp_sack
    # The number of TCP SYN packets that the server can queue before SYNs are dropped
    sysctl -w net.ipv4.tcp_max_syn_backlog=30000
    # Increase the number of connections that are allowed in TIME-WAIT state
    sysctl -w net.ipv4.tcp_max_tw_buckets=2000000
    # Configure parameters to set the length for the number of packets that can be queued in the network core
    sysctl -w net.core.netdev_max_backlog=50000
    # TCP WINDOW SIZE
    sysctl -w net.core.rmem_max=16777216
    sysctl -w net.core.wmem_max=16777216
    sysctl -w net.ipv4.tcp_rmem="500000 1000000 16777216"
    sysctl -w net.ipv4.tcp_wmem="500000 1000000 16777216"
    # KERNEL TUNES
    sysctl -w net.ipv4.ip_forward=0
    sysctl -w net.ipv4.conf.all.accept_source_route=0
    sysctl -w net.ipv4.conf.all.send_redirects=0
    sysctl -w net.ipv4.conf.all.accept_redirects=0
    sysctl -w net.ipv4.conf.all.secure_redirects=0
    sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
    sysctl -w net.ipv4.ipfrag_time=15
    sysctl -w net.ipv4.tcp_ecn=0
    sysctl -w net.ipv4.tcp_fin_timeout=10
    sysctl -w net.ipv4.tcp_syn_retries=3
    sysctl -w net.ipv4.tcp_synack_retries=3
    sysctl -w net.ipv4.tcp_keepalive_probes=7
    sysctl -w net.ipv4.tcp_orphan_retries=5
    # IPTABLES SYN PROTECTION - MODIFY THE BELOW to MATCH YOUR SERVER'S IPs
    # Drop packets with invalid TCP flag combinations
    iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
    iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    iptables -A INPUT -p tcp --tcp-flags ALL FIN -j DROP
    iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
    iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
    iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
    iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
    iptables -A INPUT -p tcp --tcp-option 64 -j DROP
    iptables -A INPUT -p tcp --tcp-option 128 -j DROP
    # These ACCEPT rules only rate-limit if a later rule or the chain policy drops the excess
    iptables -A INPUT -p tcp --syn -m limit --limit 4/s -j ACCEPT
    iptables -A INPUT -p tcp --syn -m limit --limit 4/s -j ACCEPT
    iptables -A INPUT -p tcp -d 38.96.5.146 --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 4/s -j ACCEPT
    iptables -A INPUT -p tcp -d 38.96.5.147 --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 4/s -j ACCEPT
    iptables -A INPUT -p tcp -d 38.96.5.148 --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
    # ANTISPOOFING
    for a in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > "$a"
    done
    # NO SOURCE ROUTE
    for z in /proc/sys/net/ipv4/conf/*/accept_source_route; do
        echo 0 > "$z"
    done
    # SYN COOKIES
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    # icmp_echo_ignore_all=1 also stops the server answering ping
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
    #echo $ICMP_ECHOREPLY_RATE > /proc/sys/net/ipv4/icmp_echoreply_rate
    echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    # Keep ICMP redirects disabled (0), matching the sysctl setting above
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
    echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
|
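Added example (not written by anyone in the thread): a shell helper that tallies `netstat -ant` output by TCP state and lists source /24s by half-open connection count, so the totals from the diagnostic command can be read before any block rules are pasted in. The sample lines are constructed and use documentation address ranges; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: read netstat output before deciding what to block.
# SAMPLE is constructed (RFC 5737 documentation addresses), not from the thread.
SAMPLE='tcp 0 0 192.0.2.10:80 198.51.100.7:50712 TIME_WAIT
tcp 0 0 192.0.2.10:80 198.51.100.7:50713 TIME_WAIT
tcp 0 0 192.0.2.10:80 203.0.113.5:40001 SYN_RECV
tcp 0 0 192.0.2.10:80 203.0.113.9:40002 SYN_RECV
tcp 0 0 192.0.2.10:80 203.0.113.77:40003 SYN_RECV
tcp 0 0 192.0.2.10:80 198.51.100.20:51000 ESTABLISHED
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN'

# Count port-80 sockets per TCP state, one "STATE count" pair per line.
# Fields follow Linux netstat: proto recv-q send-q local foreign state.
state_counts() {
    awk '$1 ~ /^tcp/ && $4 ~ /:80$/ { n[$6]++ }
         END { for (s in n) print s, n[s] }' | sort
}

# List IPv4 source /24s holding at least $1 half-open (SYN_RECV) sockets,
# busiest first, as "count network" lines.
syn_sources() {
    awk -v min="$1" '
        $1 ~ /^tcp/ && $6 == "SYN_RECV" &&
        $5 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:/ {
            split($5, a, /[.:]/)          # a[1..4] = octets, a[5] = port
            n[a[1] "." a[2] "." a[3] ".0/24"]++
        }
        END { for (net in n) if (n[net] >= min) print n[net], net }' | sort -rn
}

# Live use on the server (assumes net-tools netstat): netstat -ant | state_counts
printf '%s\n' "$SAMPLE" | state_counts
printf '%s\n' "$SAMPLE" | syn_sources 3
```

Sockets in TIME_WAIT are connections that already completed and closed; the half-open SYN_RECV entries are the ones that the syncookies and SYN backlog settings in the post above act on.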
Cancel that box and grab one over here with me, I'll tune it right for ya!
|
Oh, also, suggestion:
install mod_evasive into apache... that helps stop these in real time. |
Oh, and your host's phone number and email is:
Phone: +1.5203232533 Email Address: [email protected] |
You are hosting with an he.net reseller (Hurricane Electric)
|
Anyone else need help like this? Hit me up on AIM: NJesterIII
|
Quote:
super DUMB admin ? http://www.nederland-sex.be/dumb.gif http://www.nederland-sex.be/dumb2.gif way to go! :thumbsup :error :error |
server response looks ok.
a DDOS, you couldn't even connect to it... Looks like a port scan .... |
format c:
or in this case: rm -rf * |
That's like that intentionally because we're changing the way things work on our site :-) Thanks for pointing it out though. New site will launch with new certs within a few days.
http://stage.splitinfinity.com Nice of you to hate on my post when I'm trying to help. I'm ashamed of you. |
Quote:
Wait and see how things go but in the meantime if you haven't already you need to harden your server. I used to harden my servers by putting pics of hot chicks in front of it, but found out it just distracted it from its job. |