Under DDoS Attack

[yusha]

@"DJB" @"Genesis" @"un4saken"

I am developing a web-server on CentOS7 for my client who runs an ISP in my country. The site is about file sharing with all the LAN users. As they can get 10MB/ps download and upload speed. The server is currently 3TB in size but we will expand it soon.

Now coming to the question, I am having DDoS Attack, and what can I do to protect the server?

I've looked through the internet and all I get is business plans who tells me to buy the service from them. But I want to protect the web server by myself. Also posted on serverfault but not getting any helpful post.

Any step by step guide will be very helpful. Also please refer any DDoS protection script if you can.

Edit from last post: by GigaGreg

Well guys, I have solved the issue a long time ago.. but I think it's better If I share the method which I used. Because this may help someone else in later.

I have disabled the SSH Logins and I only turn it on when I need to login through SSH by changing the config file using Webmin. And again disable SSH soon after I finish working on that. Obviously I have changed the port of Webmin to a secret one.

And I have also installed a shell script by which my server is Protected up to 15 Gbps.

By using this method I'm running my own dedicated Webserver (CentOS 7.x) without having any problem within last 1 year. :yahoo:

Here is the script and method how to use it. Cheers...:drinks:

Open Putty..

2nd step: Login username then password

3rd step Is: 

yum install wget 

4th step: Use this for protecting your server from ddos 

wget http://www.inetbase.com/scripts/ddos/install.sh

5th step:

chmod 0700 install.sh

6th step:

./install.sh

It is installed :) congrats... i will show you more protection of AFC.

7th Step Is:

user ctrl+z in one time
then
wget http://www.rfxn.com/downloads/apf-current.tar.gz

8th step: Extract it 

tar -zxvf apf-current.tar.gz
cd apf-9.7-2

we have changed directory
----------------------------
9th step is: Install it

sh ./install.sh

it is installed :)

10th step is: edit it's config 

DEVEL_MODE="0"

Use ctrl + O enter press enter your config has been saved

Hit the Thank You button if this helps..

 

[Genesis]

un4saken is the expert here.

I did some basic searches, and find it difficult to believe you had looked through the whole of the Internet. At any rate, with a very fast search, this is what I found. If you look in more detail, maybe you will find more than I did:

A script ConfigServer Services (CSF), to configure your Firewall - CSF recognizes DDOS, brute force, etc attacks and is configured to temporarily block the attackers:
http://wiki.vps.net/controlpanels/c...gserver-firewall-csf-on-centos-cpanel-server/
or
https://kyup.com/tutorials/install-configure-config-server-firewall-csf/

This is a fairly recent article that looks at ddos protection scripts - I'd recommend the CSF one though if you haven't already installed it:
http://www.tecmint.com/protect-apache-using-mod_security-and-mod_evasive-on-rhel-centos-fedora/

 

[un4saken]

There are many types of ddos attacks like UDP port flood, syn flood, ping of death, reflect etc.... First you need to figure out their method. Then you can work on a solution.

 

[_Hoh_]

The best you can do is to install Fail2Ban:

You can follow this manual:

http://www.servermom.org/install-fail2ban-centos/1809/

 

[smalpierre]

ip blocking works best at the network edge where the processing is done on devices that are made to do nothing but process packets (or datagrams or whatever).

http://www.cisco.com/web/about/security/intelligence/guide_ddos_defense.html

Some of those devices process packets at near wire speed.

 

[fred]

Hello please am having problem understanding this website can anyone help me i want to upload a website on this site. Can anyone help me please

 

[jaran]

How to know the real website ip address if they are using cloudflare? Anyway, at the last month my site was scraping by other website with using cloudflare. I cant block them because their ip always change everytime. :unknown:

 

[shendlaw]

tell your host to enable iptables, or change your website with cloudflare protection

 

[yusha]

Cloudflare isn't a solution for me. Because there are approx 100 GB file is uploading every week by my clients through LAN data transfer. The users who are using the internet connection from our ISP is getting 10 MB/s Uploading and Downloading speed. and others are getting Normal internet speed. so The DNS should be pointing to our server's IP directly without masking. Although I've solved the problem by installing some protection scripts into the server.

---

How to know the real website ip address if they are using cloudflare? Anyway, at the last month my site was scraping by other website with using cloudflare. I cant block them because their ip always change everytime. :unknown:

There are several methods of that.. The noob way is using tracert command as far as I know. you should google it and experiment your own way for that.

 

[strokerace]

Because there are approx 100 GB file is uploading every week by my clients through LAN data transfer.

Ummm, if they are using a LAN connection, then its a private network and should not be connected to any internet.

 

[smalpierre]

Block the service from all external addresses if your users are all on the LAN. Set up a VPN for users that have to use the service from the internet.

 

[yusha]

@"strokerace"

Ummm, if they are using a LAN connection, then its a private network and should not be connected to any internet.

LOL, You didn't run through this kinda project do you? That's why I guess it's confusing to you. Well, I didn't had much time to explain the whole thing before. But I think now I should.

We are running an ISP in the capital of Bangladesh which is Dhaka. And our server's ip is linked with all other Broadband Internet Service Providers in our Country. Every web-server is able to transfer data in both way, Locally and Out Source. So when a user try to upload any content to the server the server first check if the incoming connection is in server's local connection or the signal coming from another planet If the user's connection is linked with that server which we call LAN then the Data Transfer rate became 100 Mb/s else It depends on users upload speed and server's download speed (In case of Uploading).

Now coming to my point.

Do you know what Cloudflare does? It filters automated bots attacks and tries it's best to hide the server's real ip. It's like auto redirecting to any website without giving the visitor of that website's URL. Which means it masks your original server's ip by mirroring or cloning a bunch of IPs. So in my case Cloudflare isn't a solution because If I enable Cloudflare DNS then my LOCAL / LAN user's who are getting upload and download speed 10 MB/s will be treated as International users. And the speed will go down to their actual internet speed. And of course our server can be accessible from another planet

I hope now you got it.

---

@"smalpierre"

Block the service from all external addresses if your users are all on the LAN. Set up a VPN for users that have to use the service from the internet.

Please first read every post then comment. As I said I had solved my problem many days ago.. But the topic remains open for others to find-out the solution.

 

[smalpierre]

Block the service from all external addresses if your users are all on the LAN. Set up a VPN for users that have to use the service from the internet.

Please first read every post then comment. As I said I had solved my problem many days ago.. But the topic remains open for others to find-out the solution.

@biobeo
Just re-read all the comments, didn't see the solution posted. So what was the solution? Which post number?

 

[yusha]

Just re-read all the comments, didn't see the solution posted. So what was the solution? Which post number?

@"smalpierre"

Clever reply I must say. Well theoretically it's impossible to prevent a DDOS attack. So it's counts as a crime in the terms of cyber law. It's also mentioned in many popular site's terms of use like facebook and others.

You can find a temporary prevention which is mentioned by @"Genesis" in the second post. BTW our server is protected upto 15 Gbps.

 

[smalpierre]

Just re-read all the comments, didn't see the solution posted. So what was the solution? Which post number?

@"smalpierre"

Clever reply I must say. Well theoretically it's impossible to prevent a DDOS attack. So it's counts as a crime in the terms of cyber law. It's also mentioned in many popular site's terms of use like facebook and others.

You can find a temporary prevention which is mentioned by @"Genesis" in the second post. BTW our server is protected upto 15 Gbps.

And that is where people coming to this post can find at least a temporary solution!

Usually after an army attacks a wall for some period of time, they give up and go somewhere else, so a temporary solution is better than no solution That's the nature of a siege: Hold the walls, and hope you don't run out of supplies before they go away!

Glad you got your problem fixed - I hope the mongol hoard doesn't revisit you anytime soon

 

[yusha]

Glad you got your problem fixed - I hope the mongol hoard doesn't revisit you anytime soon

@"smalpierre"

It was tough but I was sticky. And they gave up. Though they've tried to get root with brute force more than 50 thousand times. And finally I disabled the SSH access. And now I am running my own mostly secure dedicated server which is serving Terabytes of data daily among all the users to my country. The site is about downloading movies where users also have the privilege to share movies among others.. From my server a 1080p movie just take 3-5 minutes to download for the users who are using Broadband Internet Connection in my country..And by that my users can share files faster than a pen drive while without using any pen drive.

 

[strokerace]

@"strokerace"

Ummm, if they are using a LAN connection, then its a private network and should not be connected to any internet.

LOL, You didn't run through this kinda project do you? That's why I guess it's confusing to you. Well, I didn't had much time to explain the whole thing before. But I think now I should.

We are running an ISP in the capital of Bangladesh which is Dhaka. And our server's ip is linked with all other Broadband Internet Service Providers in our Country. Every web-server is able to transfer data in both way, Locally and Out Source. So when a user try to upload any content to the server the server first check if the incoming connection is in server's local connection or the signal coming from another planet If the user's connection is linked with that server which we call LAN then the Data Transfer rate became 100 Mb/s else It depends on users upload speed and server's download speed (In case of Uploading).

Now coming to my point.

Do you know what Cloudflare does? It filters automated bots attacks and tries it's best to hide the server's real ip. It's like auto redirecting to any website without giving the visitor of that website's URL. Which means it masks your original server's ip by mirroring or cloning a bunch of IPs. So in my case Cloudflare isn't a solution because If I enable Cloudflare DNS then my LOCAL / LAN user's who are getting upload and download speed 10 MB/s will be treated as International users. And the speed will go down to their actual internet speed. And of course our server can be accessible from another planet

I hope now you got it.

---

@"smalpierre"

Block the service from all external addresses if your users are all on the LAN. Set up a VPN for users that have to use the service from the internet.

Please first read every post then comment. As I said I had solved my problem many days ago.. But the topic remains open for others to find-out the solution.

---

No and no. Its not a LAN as its connected to the internet or outside world. LAN stands for local area network. Which is also a closed network, and all the computers are inside the same building. What you may have is what is known as a private network. Further more, cloudflare doesn't stop bot attacks. Its never hides the IP. Who ever said that knows nothing about bot attacks. Ddos attacks are flood attacks which floods any server with requests.

 

[smalpierre]

the lan can be connected to the outside world - you just don't have to allow inbound connections. I have a lan, and all the computers on it are connected to the internet. I just don't allow inbound connections to anything but my server - which is also part of the lan. A LAN is not always a closed network - but it can be.

A wan doesn't have to be connected to the internet either. You can have a pvc between central offices that are far far away without having to connect to the internet. That's what a vpn is - it's basically a wan connection, although implemented as an encrypted tunnel over the public internet.

I think you misunderstand what I was saying maybe? IF all the users are inside your edge network gear (the router / firewall) then you can port block at the network edge and FU attacker! Port blocking does not care anything about the IP address of the attacker, only the port it's trying to connect to on your network. If you're using NAT, then the router owns the public IP address, and receives all incoming requests. IF and ONLY IF you set an explicit rule (port forwarding) it can forward those requests to a machine on the LAN. Otherwise, the router deals with it.

Now you are 100% correct in saying that a ddos attack flods a server with requests - requests from multiple IP addresses from multiple places so you can't just block a single IP or a range since the requests will be coming from all over the place. That's why you port block - at least as a first line of defense. A simple dos attack is easy - block the IP of the attack origin, and it's done.

Of course, you have to have a router that is capable of rejecting the packets in question without being overloaded itself, but most of the Cisco routers (even my old 2620) can handle an extreme amount of abuse and still be fine. Those consumer grade linksys jobbies will fail miserably though and it could shut down even your internal LAN until you basically unplug the wan port.

I think a lot of small fries that get ddos'd probably did something to earn it - you have to attract the attention of the attacker. It's not like they can steal your data that way - they can only shut you down. I'ts a very spiteful type of attack. Porn sites get hit with them all the time. Usually because there's a lot of scammers in that industry - probably pissed off another scammer.

---

Glad you got your problem fixed - I hope the mongol hoard doesn't revisit you anytime soon

@"smalpierre"

It was tough but I was sticky. And they gave up. Though they've tried to get root with brute force more than 50 thousand times. And finally I disabled the SSH access. And now I am running my own mostly secure dedicated server which is serving Terabytes of data daily among all the users to my country. The site is about downloading movies where users also have the privilege to share movies among others.. From my server a 1080p movie just take 3-5 minutes to download for the users who are using Broadband Internet Connection in my country..And by that my users can share files faster than a pen drive while without using any pen drive.

They try and try and try ... and if you're persistent at cock blocking them, they eventually give up

Sucks that you had to shut down certain access for a period of time, but if they're shutting you down with a ddos anyway what's the difference? Well except that putting up the wall means that at least SOME things still work until they go away.

 

[yusha]

I'm glad that so many experts around me. It's been 12 years I'm working on ICT but believe me my knowledge is still like a child. And an Ocean of knowledge is out there and I've to explore. I think I don't really have much time for looking back to the problem which I've already solved. Thanks for your times and comments by the way.

 

[yusha]

@"smalpierre"

Sucks that you had to shut down certain access for a period of time, but if they're shutting you down with a ddos anyway what's the difference?

I disabled the login via SSH and other possible access to the server, I mean what we do to manage the server with putty. HTTP and MYSQL is always up on the server. So the site never gets down if there is an active internet connection and electricity power. And the server can be manageable only when you get in front of the server CPU. It can't be managed remotely. I thought this would be the best way to make the server more secure. And believe me it does works. LOL.