Monday, March 10, 2008

First aid for DDOS attack on port 80

We can use the following steps to recover our server from a DDOS attack on port 80. To do this you must be logged into the server as the root user.
Step 1 : Install/Configure APF firewall
a) If there is no firewall installed on the server, please install one; you will find the steps and directions on the following site.
http://www.webhostgear.com/61.html

b) Turn on the antidos option (USE_AD) in the APF conf file
# vi /etc/apf/conf.apf
USE_AD = 1
Step 2 : Install/Configure mod_evasive (for Apache 1.3x)
mod_evasive and mod_dosevasive are the same
a) Install mod_evasive
# wget http://www.zdziarski.com/projects/mo..._1.10.1.tar.gz
# tar -xzvf mod_evasive_1.10.1.tar.gz
# cd mod_evasive
# /usr/local/apache/bin/apxs -i -a -c mod_evasive.c
# /etc/init.d/httpd restart
b) Also include the following lines in the Apache conf file
# vi /usr/local/apache/conf/httpd.conf

DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10

c) Restart the webserver
# /etc/init.d/httpd restart

Step 3 : Install mod_security

Normally we can find/install this module from WHM
WHM >> cPanel >> Addon Modules >> Select "modsecurity " >>save

Step 4 : Blocking IPs

a) Find the IPs that have established connections with the server
(The following command is the best way to get the IPs, as it sorts them according to the number of connections.)

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

b) Block them using IPTABLES
# iptables -I INPUT -s 218.92.207.28 -j DROP
# service iptables save
# service iptables restart

c) Block them on APF too

# vi /etc/apf/deny_hosts.rules
# service apf restart
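As an added example (not from the original post), the following shell script does what Step 4 does, on a constructed `netstat -ntu` sample embedded in it: it skips netstat's header lines, counts connections per remote IPv4 address, keeps only the addresses at or above a threshold, and prints the matching iptables and APF deny lines for review instead of running them. The threshold, the sample addresses and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): summarise a `netstat -ntu`
# listing by remote IPv4 address, list the addresses whose connection count
# reaches a threshold, and print (not run) the matching block rules.

# Constructed sample of `netstat -ntu` output, including the two header
# lines that the page's one-liner would otherwise feed straight into awk.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.9:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.9:51235       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.9:51236       SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:40001      ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.44:55000        ESTABLISHED
udp        0      0 10.0.0.5:53             198.51.100.7:4444'

# count_by_ip: read netstat lines on stdin, print "<count> <ip>" sorted by
# count ascending (same shape as the page's pipeline, headers skipped).
count_by_ip() {
    awk '$1 ~ /^(tcp|udp)/ { split($5, a, ":"); print a[1] }' |
        sort | uniq -c | sort -n | awk '{ print $1, $2 }'
}

# offenders THRESHOLD: print only the IPs whose count is >= THRESHOLD.
offenders() {
    count_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# block_rules THRESHOLD: emit the iptables and APF deny lines for the
# offenders so an operator can review them before applying anything.
block_rules() {
    offenders "$1" | while read -r ip; do
        echo "iptables -I INPUT -s $ip -j DROP"
        echo "echo $ip >> /etc/apf/deny_hosts.rules"
    done
}

# Usage on the constructed sample (a real run would pipe `netstat -ntu`).
printf '%s\n' "$SAMPLE_NETSTAT" | block_rules 3
```

Note that, like the page's one-liner, this handles IPv4 addresses only; IPv6 entries would need a different split on the last colon.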

Step 5 : Optimizing the httpd.conf file

# vi /usr/local/apache/conf/httpd.conf

Change the options below as follows; the original values are shown in brackets.

MaxKeepAliveRequests 50 (100)
KeepAliveTimeout 60 (30)

Also adjust the following options according to the situation.
Timeout
KeepAlive
MinSpareServers
MaxSpareServers
MaxClients

Step 6 : Install/Configure 3rd party DDOS prevention tools

We can also use the widely trusted 3rd party script 'DDoS-Deflate' to prevent DDOS attacks effectively. The steps to install this script are as follows.
# wget http://www.inetbase.com/scripts/ddos/install.sh
# sh install.sh
Add the script '/usr/local/ddos/ddos.sh' to cron as follows
# crontab -e
*/5 * * * * /usr/local/ddos/ddos.sh >/dev/null 2>&1

Step 7 : Suspend websites
Check the bandwidth usage of all the domains and suspend the high bandwidth consuming domains for a while.

PERMANENT WAY TO FIX THE DDOS ATTACK
As we all know, software has its own limitations in preventing DDOS attacks, so we can follow these steps to cure it permanently.
1. Ask the NOC to attach Cisco Guard to the server for 24 hours (normally this service is free from most NOCs)
2. Attach a hardware firewall for the server.

Hope this will help you in such a situation; for more information kindly refer to the following URL: http://forums.cpanel.net/showthread.php?t=66952
