Saturday, April 12, 2008

How to trace a DDoS attack on the server?

1. You should have the following settings in httpd.conf at the time of a DDoS attack:

Timeout 20

KeepAlive Off

MaxClients 384

MinSpareServers 20

MaxSpareServers 25

2. In /usr/local/ddos/ddos.conf:

NO_OF_CONNECTIONS=20

3. You should have 7 SSH sessions and 1 WHM session open at the time of the DDoS.

4. Check the domlogs to find out which website is the target of the DDoS. Use the following command in the domlogs directory to find the most recently updated domlog file, which belongs to that website:

ls -lt | less

5. Keep the following commands at hand to check for the DDoS:

top, and the access_logs and error_logs

ps aux | grep php

Check the Apache status in WHM.

cd /root/nobody_check

./apachetrace

cd /tmp

ls, and check for suspicious scripts.
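As an added example (not part of the original post), a small POSIX shell helper that does the domlog check of steps 4 and 5 over a constructed sample log: which client IPs send the most requests, which path is being hammered, and which IPs exceed a hit threshold in the spirit of NO_OF_CONNECTIONS. The sample addresses, the counts, the threshold and the cPanel domlog path /usr/local/apache/domlogs/ are assumptions.

```shell
#!/bin/sh
# Constructed sample of a cPanel domlog (Apache "combined" log format); not real traffic.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.5 - - [12/Apr/2008:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.5 - - [12/Apr/2008:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [12/Apr/2008:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Apr/2008:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.0.2.9 - - [12/Apr/2008:10:00:03 +0000] "GET /contact.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Apr/2008:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [12/Apr/2008:10:00:04 +0000] "GET /images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Apr/2008:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [12/Apr/2008:10:00:05 +0000] "GET /images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Apr/2008:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
EOF
)

# top_ips N: the N busiest client IPs on stdin, printed as "count ip", busiest first.
top_ips() {
    awk '{ print $1 }' | sort | uniq -c | sort -rn | head -n "$1" | awk '{ print $1, $2 }'
}

# top_paths N: the N most requested paths (field 7 of the combined format), busiest first.
# One path dominating the log is the "accessing only one file" case handled later in the post.
top_paths() {
    awk '{ print $7 }' | sort | uniq -c | sort -rn | head -n "$1" | awk '{ print $1, $2 }'
}

# ips_over N: every IP with more than N hits. Same idea as NO_OF_CONNECTIONS in ddos.conf,
# but applied to logged requests instead of live connections (threshold is an assumption).
ips_over() {
    awk -v n="$1" '{ c[$1]++ } END { for (ip in c) if (c[ip] > n) print c[ip], ip }' | sort -rn
}

# Demonstration on the constructed sample. On a live cPanel box pipe the domlog in instead,
# e.g.: tail -n 5000 /usr/local/apache/domlogs/example.com | top_ips 10
printf '%s\n' "$SAMPLE_LOG" | top_ips 3
printf '%s\n' "$SAMPLE_LOG" | top_paths 3
printf '%s\n' "$SAMPLE_LOG" | ips_over 2
```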

6. If necessary, reboot the server. This kills the httpd process that is causing the DoS. When the server comes back up, that process will start again, and at that point you can trace it and kill it.

7. You can change the permissions of the suspected domain. Point its DNS to 127.0.0.1, using a TTL of 20 for fast DNS propagation. Don't set a redirection for the website in httpd.conf.

8. After the DDoS attacker has been traced, don't forget to revert the changes made to httpd.conf.

9. Suspend the suspected domain and mail the client about it.

Check the mail queue via WHM.

If the queue is high, I check the queue in WHM, scroll to the bottom and see which domain appears most of the time, or AOL.

If I find one, I click on its ID and look at the email headers, so we get the spammer.

I know that not all mails are from a spammer; in such a case we delete the mails only. Then:

tail -f /var/log/exim_mainlog | grep sendmail

tail -f /var/log/exim_mainlog | grep tmp

tail -f /var/log/exim_mainlog | grep public_html

tail -f /var/log/exim_mainlog | grep hostname

Or:

cd /var/spool/cron

Check whether someone is sending mail or has a bulk list there.

2) Check AOL mails.

If we find continuous mails from AOL logged on the server, check the mail queue for who is sending mail to AOL IDs, check the headers and suspend the account.

As per Apache load:

ps auw | grep nobody

We check whether there is any old or bad process and kill it.

We check the Apache status.

We check the access_logs.

We check the domlogs of the domain.

For control:

1) Cap the domain name with an IP limit.

2) If it is a DDoS, point the domain to 127.0.0.1 and update the client.

3) If only one file is being accessed, redirect it.

4) If it is ~access, ban it with mod_security.

During a DDoS we used the following method.

In DDOS ON mode, the best settings are usually:

/usr/local/ddos/ddos.conf

NO_OF_CONNECTIONS=100

/etc/httpd/conf/httpd.conf

Timeout 10

KeepAlive Off

mod_evasive: uncomment (enable) it

===========================================================

In DDOS OFF mode:

/usr/local/ddos/ddos.conf

NO_OF_CONNECTIONS=650

/etc/httpd/conf/httpd.conf

Timeout 50

KeepAlive On

mod_evasive: comment out (disable) it

DDoS mode should be turned off once the attack stops.

We check /proc/<pid> too.

mysqladmin processlist

If one database shows up again and again, we suspend that account.
