OpenVZ Forum: Support » Cant block DDoS to a VPS? How to do it?

Home » General » Support » Cant block DDoS to a VPS? How to do it?

Show: Today's Messages :: Show Polls :: Message Navigator
E-mail to friend

Cant block DDoS to a VPS? How to do it? [message #50852]

Sat, 16 November 2013 21:05

postcd
Messages: 73
Registered: April 2013

Member

Hi,

there is a DDoS on one of the OpenVZ VPSs on the server, what helps is the command:

vzctl set 520 --ipdel theipaddressofthevps --save

i think this command nullroute the traffic to VPS. Then VPS is not usable by that IP.

Im using DDoS deflate on the Host node server and when did this command to show server connections sorted by number:

CONNECTIONS

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

55 212.185.55.15
57 212.185.55.80
79 212.185.55.89
92 212.185.55.58
97 212.185.55.225
113 212.185.55.10
113 212.185.55.113
183

(it can be seen there are around 100 connections from some IPs, these are almost certainly the attackers, it is repeating)

LISTING IPTABLES BANS

[root@server ~]# iptables -L | grep 212.185
DROP all -- 212-185-55-0.dumb.cat.com/20 anywhere
DROP all -- 212-185-55-58.dumb.cat.com anywhere
DROP all -- 212-185-55-113.dumb.cat.com anywhere
DROP all -- 212-185-55-15.dumb.cat.com anywhere
DROP all -- 212-185-55-10.dumb.cat.com anywhere
DROP all -- 212-185-55-89.dumb.cat.com anywhere
DROP all -- 212-185-55-225.dumb.cat.com anywhere
DROP all -- 212-185-55-0.dumb.cat.com/24 anywhere
[root@ns308203 ~]#

How is it possible these IPs overloadig server (hostserver + VPS) even they are banend in IPtables?

Any ideas on how to block them for good from my server? (PS IP number was changed to keep anonymity)

logs from a VPS:
/var/log/apache2/access.log
::1 - - [16/Nov/2013:21:32:53 +0000] "OPTIONS * HTTP/1.0" 200 152 "-" "Apache/2.2.14 (Ubuntu) (internal dummy connection)"
::1 - - [16/Nov/2013:21:32:54 +0000] "OPTIONS * HTTP/1.0" 200 152 "-" "Apache/2.2.14 (Ubuntu) (internal dummy connection)"
::1 - - [16/Nov/2013:21:32:55 +0000] "OPTIONS * HTTP/1.0" 200 152 "-" "Apache/2.2.14 (Ubuntu) (internal dummy connection)"
::1 - - [16/Nov/2013:21:32:56 +0000] "OPTIONS * HTTP/1.0" 200 152 "-" "Apache/2.2.14 (Ubuntu) (internal dummy connection)"
::1 - - [16/Nov/2013:21:32:57 +0000] "OPTIONS * HTTP/1.0" 200 152 "-" "Apache/2.2.14 (Ubuntu) (internal dummy connection)"
::1 - - [16/Nov/2013:21:32:58 +0000] "OPTIONS * HTTP/1.0" 200 152 "-" "Apache/2.2.14 (Ubuntu) (internal dummy connection)"
::1 - - [16/Nov/2013:21:32:59 +0000] "OPTIONS * HTTP/1.0" 200 152 "-" "Apache/2.2.14 (Ubuntu) (internal dummy connection)"
FULLL of this

/var/log/apache2/other_vhosts_access.log
ns1.customersite.com:80 212.185.56.58 - - [16/Nov/2013:21:32:33 +0000] "GET / HTTP/1.0" 200 668 "8574at.info" "Mozilla/5.0 (compatible; heritrix/1.7.0 +http://www.0sz9o7t8r25.com/)"
ns1.customersite.com:80 212.185.56.58 - - [16/Nov/2013:21:32:39 +0000] "GET / HTTP/1.0" 200 666 "wgcki.net" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:x.xxx) Gecko/20041027 Mnenhy/0.6.0.104"
ns1.customersite.com:80 212.185.56.58 - - [16/Nov/2013:21:32:30 +0000] "GET / HTTP/1.0" 200 669 "61lqveh.info" "Mozilla/5.0 (compatible; http://www.3d3128.com/bot/ )"
ns1.customersite.com:80 212.185.56.29 - - [16/Nov/2013:21:32:30 +0000] "GET / HTTP/1.0" 200 665 "zygla.ru" "Mozilla/4.0 compatible ZyBorg/1.0 Dead Link Checker (wn.zyborg@looksmart.net; http://www.g293if.com)"
ns1.customersite.com:80 212.185.56.58 - - [16/Nov/2013:21:32:30 +0000] "GET / HTTP/1.0" 200 668 "0xt964ix.ru" "Mozilla/4.0 compatible ZyBorg/1.0 Dead Link Checker (wn.zyborg@looksmart.net; http://www.19619.com)"
ns1.customersite.com:80 212.185.56.58 - - [16/Nov/2013:21:32:30 +0000] "GET / HTTP/1.0" 200 675 "ph8v734w2347en.biz" "Mozilla/3.01 (compatible; Netbox/3.5 R92; Linux 2.2)"
ns1.customersite.com:80 212.185.56.58 - - [16/Nov/2013:21:32:48 +0000] "-" 408 0 "-" "-"
ns1.customersite.com:80 212.185.56.58 - - [16/Nov/2013:21:32:48 +0000] "-" 408 0 "-" "-"
ns1.customersite.com:80 212.185.56.58 - - [16/Nov/2013:21:32:48 +0000] "-" 408 0 "-" "-"
ns1.customersite.com:80 212.185.56.58 - - [16/Nov/2013:21:32:49 +0000] "-" 408 0 "-" "-"
ns1.customersite.com:80 212.185.56.58 - - [16/Nov/2013:21:32:49 +0000] "-" 408 0 "-" "-"

It appears like some Website based attack / bot right?
Im curious why iptables dont block it, why should htaccess block rule work?

[Updated on: Sat, 16 November 2013 22:24]

Report message to a moderator

[Message index]

		Cant block DDoS to a VPS? How to do it? By: postcd on Sat, 16 November 2013 21:05
		Re: Cant block DDoS to a VPS? How to do it? By: grep on Sun, 17 November 2013 02:16
		Re: Cant block DDoS to a VPS? How to do it? By: postcd on Mon, 18 November 2013 14:23
		Re: Cant block DDoS to a VPS? How to do it? By: grep on Mon, 18 November 2013 19:08

Previous Topic:	/usr/bin/vzdump: No such file or directory
Next Topic:	Vps with VPN

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

] [

]

Current Time: Sun Jul 28 00:16:39 GMT 2024

Total time taken to generate the page: 0.02595 seconds