OpenVZ Forum


Home » General » Support » Cant block DDoS to a VPS? How to do it?
Cant block DDoS to a VPS? How to do it? [message #50852] Sat, 16 November 2013 21:05 Go to previous message
postcd is currently offline  postcd
Messages: 73
Registered: April 2013
Member
Hi,

there is a DDoS on one of the OpenVZ VPSs on the server, what helps is the command:

vzctl set 520 --ipdel theipaddressofthevps --save

i think this command nullroute the traffic to VPS. Then VPS is not usable by that IP.

Im using DDoS deflate on the Host node server and when did this command to show server connections sorted by number:

CONNECTIONS

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

55 212.185.55.15
57 212.185.55.80
79 212.185.55.89
92 212.185.55.58
97 212.185.55.225
113 212.185.55.10
113 212.185.55.113
183

(it can be seen there are around 100 connections from some IPs, these are almost certainly the attackers, it is repeating)

LISTING IPTABLES BANS

[root@server ~]# iptables -L | grep 212.185
DROP all -- 212-185-55-0.dumb.cat.com/20 anywhere
DROP all -- 212-185-55-58.dumb.cat.com anywhere
DROP all -- 212-185-55-113.dumb.cat.com anywhere
DROP all -- 212-185-55-15.dumb.cat.com anywhere
DROP all -- 212-185-55-10.dumb.cat.com anywhere
DROP all -- 212-185-55-89.dumb.cat.com anywhere
DROP all -- 212-185-55-225.dumb.cat.com anywhere
DROP all -- 212-185-55-0.dumb.cat.com/24 anywhere
[root@ns308203 ~]#

How is it possible these IPs overloadig server (hostserver + VPS) even they are banend in IPtables?

Any ideas on how to block them for good from my server? (PS IP number was changed to keep anonymity)

logs from a VPS:
/var/log/apache2/access.log
::1 - - [16/Nov/2013:21:32:53 +0000] "OPTIONS * HTTP/1.0" 200 152 "-" "Apache/2.2.14 (Ubuntu) (internal dummy connection)"
::1 - - [16/Nov/2013:21:32:54 +0000] "OPTIONS * HTTP/1.0" 200 152 "-" "Apache/2.2.14 (Ubuntu) (internal dummy connection)"
::1 - - [16/Nov/2013:21:32:55 +0000] "OPTIONS * HTTP/1.0" 200 152 "-" "Apache/2.2.14 (Ubuntu) (internal dummy connection)"
::1 - - [16/Nov/2013:21:32:56 +0000] "OPTIONS * HTTP/1.0" 200 152 "-" "Apache/2.2.14 (Ubuntu) (internal dummy connection)"
::1 - - [16/Nov/2013:21:32:57 +0000] "OPTIONS * HTTP/1.0" 200 152 "-" "Apache/2.2.14 (Ubuntu) (internal dummy connection)"
::1 - - [16/Nov/2013:21:32:58 +0000] "OPTIONS * HTTP/1.0" 200 152 "-" "Apache/2.2.14 (Ubuntu) (internal dummy connection)"
::1 - - [16/Nov/2013:21:32:59 +0000] "OPTIONS * HTTP/1.0" 200 152 "-" "Apache/2.2.14 (Ubuntu) (internal dummy connection)"
FULLL of this

/var/log/apache2/other_vhosts_access.log
ns1.customersite.com:80 212.185.56.58 - - [16/Nov/2013:21:32:33 +0000] "GET / HTTP/1.0" 200 668 "8574at.info" "Mozilla/5.0 (compatible; heritrix/1.7.0 +http://www.0sz9o7t8r25.com/)"
ns1.customersite.com:80 212.185.56.58 - - [16/Nov/2013:21:32:39 +0000] "GET / HTTP/1.0" 200 666 "wgcki.net" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:x.xxx) Gecko/20041027 Mnenhy/0.6.0.104"
ns1.customersite.com:80 212.185.56.58 - - [16/Nov/2013:21:32:30 +0000] "GET / HTTP/1.0" 200 669 "61lqveh.info" "Mozilla/5.0 (compatible; http://www.3d3128.com/bot/ )"
ns1.customersite.com:80 212.185.56.29 - - [16/Nov/2013:21:32:30 +0000] "GET / HTTP/1.0" 200 665 "zygla.ru" "Mozilla/4.0 compatible ZyBorg/1.0 Dead Link Checker (wn.zyborg@looksmart.net; http://www.g293if.com)"
ns1.customersite.com:80 212.185.56.58 - - [16/Nov/2013:21:32:30 +0000] "GET / HTTP/1.0" 200 668 "0xt964ix.ru" "Mozilla/4.0 compatible ZyBorg/1.0 Dead Link Checker (wn.zyborg@looksmart.net; http://www.19619.com)"
ns1.customersite.com:80 212.185.56.58 - - [16/Nov/2013:21:32:30 +0000] "GET / HTTP/1.0" 200 675 "ph8v734w2347en.biz" "Mozilla/3.01 (compatible; Netbox/3.5 R92; Linux 2.2)"
ns1.customersite.com:80 212.185.56.58 - - [16/Nov/2013:21:32:48 +0000] "-" 408 0 "-" "-"
ns1.customersite.com:80 212.185.56.58 - - [16/Nov/2013:21:32:48 +0000] "-" 408 0 "-" "-"
ns1.customersite.com:80 212.185.56.58 - - [16/Nov/2013:21:32:48 +0000] "-" 408 0 "-" "-"
ns1.customersite.com:80 212.185.56.58 - - [16/Nov/2013:21:32:49 +0000] "-" 408 0 "-" "-"
ns1.customersite.com:80 212.185.56.58 - - [16/Nov/2013:21:32:49 +0000] "-" 408 0 "-" "-"

It appears like some Website based attack / bot right?
Im curious why iptables dont block it, why should htaccess block rule work?

[Updated on: Sat, 16 November 2013 22:24]

Report message to a moderator

 
Read Message
Read Message
Read Message
Read Message
Previous Topic: /usr/bin/vzdump: No such file or directory
Next Topic: Vps with VPN
Goto Forum:
  


Current Time: Tue Jul 23 09:26:49 GMT 2024

Total time taken to generate the page: 0.02355 seconds