Hi Tony,

Well, a DDoS solution it is. :)

When they realise that they have no effect they are likely to move on.  And you can gradually open your server up as need be, once you have established which machines are culpable.

Consider this the rough and ready farmer's method.

It's imperfect, I know, but it should work until you get to a garage.

Cheers,

On Tuesday 31 December 2013 at 2:06, Tony Andersson <BitFolkList@tony-andersson.com> wrote:
Re: [bitfolk] Strange DDOS attack?
Hi Max, 

Thanks for the idea, but the problem then would be that no-one can connect to any web site on the server, nor can anyone actually send legit e-mails to the domain.
I could just turn the vps off completely instead in that case... :-(

I have turned off IPv6, and the attacks on port 25 seem to have eased off, but on port 80 they are still ongoing.

Cheers,
__
/ony
-------
Tuesday, December 31, 2013, 12:34:58 AM, Max wrote:

% cat >> /etc/hosts.deny
ALL: ALL except your.home.ip.here

might help, as might this:

% awk '{printf "ALL: %s\n", $1}' /var/log/apache2/access.log | sort -u >> /etc/hosts.deny

this assumes you have installed tcpd

cheers

On Tuesday 31 December 2013 at 1:19, Tony Andersson <BitFolkList@tony-andersson.com> wrote:
Realised the second after I pressed the send button that the answer to
the ban issue is that those attacks are on IPv6

root@bitfolk:/etc/fail2ban# netstat -n
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        State
tcp6      0      1 85.119.82.79:80        121.168.45.218:1446    FIN_WAIT1
tcp6      0      1 85.119.82.79:80        24.186.158.213:61301    FIN_WAIT1
tcp6      0      1 85.119.82.79:80        67.180.245.251:17277    FIN_WAIT1
tcp6      0      1 85.119.82.79:80        71.218.243.152:25311    FIN_WAIT1

Now, I have to figure out how to turn IPv6 off on the VPS then...
__
/ony
-------
Tuesday, December 31, 2013, 12:11:34 AM, Tony wrote:

> Hi all,

> Have a strange attack happening to one of my domains, on the web
> server. It is a small privatish phpBB forum with nothing exciting,
> interesting or valuable going on at all. And it is the only one
> attacked out of a handful of web sites on the server.

> The site has had a lot of incorrect requests to the server since
> before Christmas. I get POST requests in the region of two per second.
> There's nothing in the POST request and it is to the root of the
> domain. Like this:
> 184.57.181.141 - - [30/Dec/2013:23:32:24 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> 108.205.136.80 - - [30/Dec/2013:23:32:25 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> 68.118.233.245 - - [30/Dec/2013:23:32:25 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> 173.51.226.12 - - [30/Dec/2013:23:32:25 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> 71.10.0.254 - - [30/Dec/2013:23:32:27 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> 75.91.250.137 - - [30/Dec/2013:23:32:29 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> 108.200.239.239 - - [30/Dec/2013:23:32:31 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> 64.40.129.122 - - [30/Dec/2013:23:32:31 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> 128.210.19.134 - - [30/Dec/2013:23:32:32 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> 12.51.89.194 - - [30/Dec/2013:23:32:33 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> 184.57.181.141 - - [30/Dec/2013:23:32:35 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> 208.96.191.152 - - [30/Dec/2013:23:32:35 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> 70.190.134.120 - - [30/Dec/2013:23:32:37 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

> The 301 response is something I set up when I discovered this. There
> should be no POST requests to /, so I do a 301 permanent redirect back
> to the client's own IP address. But that seems to have had no effect
> at all. The requests are still constantly coming in.

> I have set up a filter in fail2ban for anyone POSTing to '/' so they
> should be completely banned (using action 'iptables-allports'). But
> due to the sheer amount of different addresses attacking it seems to
> have little effect. Plus the fact I quite often see this in the
> fail2ban log:
> 2013-12-30 23:38:33,080 fail2ban.actions: WARNING [http-ddos] 37.142.202.18 already banned

> So it seems that despite being banned they can still send a request to
> the Apache server? Not sure why; iptables -L seems to list an
> awful lot of IP addresses and domain names, so the fail2ban filter is
> working as it should in setting up rules in iptables.

> At the same time, postfix is getting a large amount of requests on
> port 25 too:

> Dec 30 23:54:45 bitfolk postfix/smtpd[14601]: connect from unknown[180.67.178.14]
> Dec 30 23:54:45 bitfolk postfix/smtpd[14071]: lost connection after UNKNOWN from unknown[76.2.133.225]
> Dec 30 23:54:45 bitfolk postfix/smtpd[14071]: disconnect from unknown[76.2.133.225]
> Dec 30 23:54:48 bitfolk postfix/smtpd[27968]: connect from unknown[24.151.82.226]
> Dec 30 23:54:49 bitfolk postfix/smtpd[14107]: lost connection after UNKNOWN from unknown[173.220.57.214]
> Dec 30 23:54:49 bitfolk postfix/smtpd[14107]: disconnect from unknown[173.220.57.214]
> Dec 30 23:54:50 bitfolk postfix/smtpd[10196]: lost connection after UNKNOWN from unknown[72.135.3.145]
> Dec 30 23:54:50 bitfolk postfix/smtpd[10196]: disconnect from unknown[72.135.3.145]
> Dec 30 23:54:50 bitfolk postfix/smtpd[10354]: lost connection after UNKNOWN from unknown[173.246.215.147]
> Dec 30 23:54:50 bitfolk postfix/smtpd[10354]: disconnect from unknown[173.246.215.147]
> Dec 30 23:54:51 bitfolk postfix/smtpd[14601]: lost connection after UNKNOWN from unknown[180.67.178.14]
> Dec 30 23:54:51 bitfolk postfix/smtpd[14601]: disconnect from unknown[180.67.178.14]

> And in the mail.warn log:

> Dec 30 23:10:15 bitfolk postfix/smtpd[19391]: warning: non-SMTP command from unknown[96.38.26.186]: UY:l??????????z??????\?
> Dec 30 23:11:22 bitfolk postfix/smtpd[17880]: warning: non-SMTP command from unknown[181.67.172.79]: U:??[6?
> Dec 30 23:14:46 bitfolk postfix/smtpd[19522]: warning: non-SMTP command from unknown[24.39.251.34]: @:??>T^R^?d???&U?V<??;W?p4?Gf#???t????,???E?
> Dec 30 23:16:57 bitfolk postfix/smtpd[24688]: warning: non-SMTP command from unknown[72.181.54.101]: gu:?R?M????

> I can only conclude this is sent to the same domain name as is
> attacked on port 80...

> Now I am worried all this will consume my bandwidth allowance (as
> well as eating into system resources, of course), and I have run out of ideas on how
> to stop this. Any suggestions are most welcome!

> Thanks,
> __
> /ony

> _______________________________________________
> users mailing list
users@lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users
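An added example, not code from anyone in this thread: a Python script that does, against the Apache combined-log format Tony posted, what his fail2ban filter and Max's hosts.deny loop aim at, except that it only bans sources that repeat the `POST /` pattern and it also reports the observed request rate. The sample log lines are constructed in the thread's format; 192.0.2.10 is a placeholder address for a legitimate visitor.

```python
import re
from collections import Counter
from datetime import datetime

# Pattern of the same shape a fail2ban failregex for this traffic would use;
# "host" is the first field of the Apache combined log (fail2ban's <HOST>).
POST_ROOT = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "POST / HTTP/1\.[01]" \d{3}'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample in the thread's log format; the last line is ordinary forum traffic.
SAMPLE_LOG = """\
184.57.181.141 - - [30/Dec/2013:23:32:24 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
108.205.136.80 - - [30/Dec/2013:23:32:25 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
184.57.181.141 - - [30/Dec/2013:23:32:35 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
192.0.2.10 - - [30/Dec/2013:23:32:36 +0000] "GET /viewforum.php?f=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

def post_root_hits(log_text):
    """Return (Counter of source -> 'POST /' count, list of their timestamps)."""
    hits, stamps = Counter(), []
    for line in log_text.splitlines():
        m = POST_ROOT.match(line)
        if m:
            hits[m.group("host")] += 1
            stamps.append(datetime.strptime(m.group("ts"), TS_FORMAT))
    return hits, stamps

def requests_per_second(stamps):
    """Average rate of flagged requests over the observed window."""
    if not stamps:
        return 0.0
    span = (max(stamps) - min(stamps)).total_seconds()
    return len(stamps) / max(span, 1.0)

def hosts_deny_lines(hits, threshold=2):
    """tcp_wrappers entries for sources seen at least `threshold` times."""
    return ["ALL: %s" % ip for ip in sorted(hits) if hits[ip] >= threshold]

def iptables_lines(hits, threshold=2):
    """Equivalent DROP rules, the form fail2ban's iptables actions insert."""
    return ["iptables -I INPUT -s %s -j DROP" % ip
            for ip in sorted(hits) if hits[ip] >= threshold]

if __name__ == "__main__":
    hits, stamps = post_root_hits(SAMPLE_LOG)
    print("%.2f flagged requests/second" % requests_per_second(stamps))
    print("\n".join(hosts_deny_lines(hits) + iptables_lines(hits)))
```

hosts.deny is only consulted by services that go through tcpd/libwrap, which Apache does not, so for the port 80 flood the iptables form is the one that actually takes effect.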