

DDOS help!




Posted by Seeyabye, 03-23-2010, 06:59 AM
OK, I'm in big trouble. At the moment, it seems that I'm getting DDOSed at port 80. I don't really know how to counter this, but I've blocked off port 80 completely at the moment with APF. Now, I know that I could use DDOS Deflate; however, I'm not too sure how to configure it. My APF directory is located at /etc/apf-firewall, whilst in ddos.conf the path was written as /etc/apf/apf. The thing is, the executable apf doesn't exist in /etc/apf-firewall. I'm using Ubuntu 9.10. Please guide me on which is the proper path for DDOS Deflate. Regards, Zepx

Posted by Chilledhost_uk, 03-23-2010, 07:12 AM
Ask the DC if they can null route the traffic causing the ddos for you

Posted by madaboutlinux, 03-23-2010, 07:26 AM
"DDOS Deflate" isn't going to stop such attacks. The APF and CSF firewalls can block a low volume of attacks, but if the attack is too heavy, you had better ask your Data Center whether they can do anything to block this attack on the router itself. BTW, is the attack originating from a very large number of different subnets OR is it coming from a few subnets? You can check using the following command:

Posted by Seeyabye, 03-23-2010, 07:30 AM
This is what I obtained.

Posted by Chilledhost_uk, 03-23-2010, 07:33 AM
I would speak to your DC and get them to null route this at the router level. As stated, you will not be able to fully deal with this using DDOS Deflate. If you don't mind, who is your DC?

Posted by Seeyabye, 03-23-2010, 07:36 AM
Hello Chilled. I do have a problem here, well my DC is OVH. And since I bought from an unauthorized reseller, I guess I need to wait for my reseller's support. Thank you, but if there is any solution, please keep guiding me. Regards, Zepx

Posted by madaboutlinux, 03-23-2010, 07:38 AM
Is the output you have given above from after you blocked port 80? If yes, open port 80 and then execute the command after some time to get the exact output.

Posted by Seeyabye, 03-23-2010, 07:39 AM
It is the opposite. When port 80 is opened, that's what I got. When it's closed, I got something like below: 1 115.135.172.88 1 221.125.6.163 1 60.50.33.112 1 Address 1 and 4 127.0.0.1 12 115.135.165.3 19 0.0.0.0

Posted by Hostwaresupport, 03-23-2010, 08:43 AM
Well, it seems you are getting attacked when port 80 is opened. When you execute this command, netstat -alntp | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n try to block the IPs that have a high number of connections using the APF firewall. If that does not help, then it is better to ask the DC to null route the unwanted traffic, either by setting up a hardware firewall or at the router level.
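
Added example, not part of the thread or of any poster's reply: a variant of the netstat pipeline above that drops the header rows ("and", "Address"), listening sockets (0.0.0.0) and loopback, and also totals connections per /24, which answers the "few subnets or many" question. The function names, the threshold, and the sample input (documentation-range addresses) are constructed for illustration.

```shell
# Constructed sample of `netstat -ant` output; addresses are documentation ranges.
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             192.0.2.10:40001        ESTABLISHED
tcp        0      0 10.0.0.5:80             192.0.2.10:40002        ESTABLISHED
tcp        0      0 10.0.0.5:80             192.0.2.10:40003        SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:51000      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.8:51001      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.9:51002      TIME_WAIT
tcp        0      0 10.0.0.5:80             203.0.113.4:33000       ESTABLISHED
tcp        0      0 127.0.0.1:3306          127.0.0.1:45000         ESTABLISHED
tcp6       0      0 ::ffff:10.0.0.5:80      ::ffff:192.0.2.10:40004 ESTABLISHED
EOF
}

# conn_summary THRESHOLD  (hypothetical helper; reads netstat -ant output on stdin)
# Prints "ip <addr> <count>" and "net <a.b.c.0/24> <count>" for entries at or
# above THRESHOLD, highest count first within each kind.
conn_summary() {
  awk -v min="${1:-10}" '
    $1 !~ /^tcp/   { next }   # skip the two header lines ("and", "Address")
    $6 == "LISTEN" { next }   # listening sockets show peer 0.0.0.0:*
    {
      peer = $5
      sub(/:[0-9*]+$/, "", peer)      # drop the :port suffix
      sub(/^::ffff:/, "", peer)       # IPv4-mapped IPv6 -> plain IPv4
      if (peer == "127.0.0.1") next   # local traffic, not a remote source
      ip[peer]++
      if (split(peer, o, ".") == 4) net[o[1] "." o[2] "." o[3] ".0/24"]++
    }
    END {
      for (p in ip)  if (ip[p]  >= min) print "ip",  p, ip[p]
      for (n in net) if (net[n] >= min) print "net", n, net[n]
    }' | sort -k1,1 -k3,3nr
}

sample_netstat | conn_summary 3
```

On a live host, feed it with `netstat -ant | conn_summary 20`; a /24 that crosses the threshold while none of its individual addresses do points to a source that per-IP counting alone would miss.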

Posted by Seeyabye, 03-23-2010, 09:03 AM
Thank you for the reply. Seems like I can't do much right now, but keep port 80 blocked. Usually, how long before DDOS subside? What if my Datacentre refuses to help me?

Posted by Seeyabye, 03-23-2010, 09:05 AM
Sorry, consider this deleted.


