Server under DDOS attack - How to find out IPs?

linux apache-2.2 ddos

Solution 1:

tail -n 10000 yourweblog.log|cut -f 1 -d ' '|sort|uniq -c|sort -nr|more

Take a look at the top IP addresses. If any stand out from the others, those would be the ones to firewall.

netstat -n|grep :80|cut -c 45-|cut -f 1 -d ':'|sort|uniq -c|sort -nr|more

This will look at the currently active connections to see if there are any IPs connecting to port 80. You might need to alter the cut -c 45- as the IP address may not start at column 45. If someone was doing a UDP flood to your webserver, this would pick it up as well.

On the off chance that neither of these show any IPs that are excessively out of the norm, you would need to assume that you have a botnet attacking you and would need to look for particular patterns in the logs to see what they are doing. A common attack against wordpress sites is:

GET /index.php? HTTP/1.0

If you look through the access logs for your website, you might be able to do something like:

cut -f 2 -d '"' yourweblog.log|cut -f 2 -d ' '|sort|uniq -c|sort -nr|more

which would show you the most commonly hit URLs. You might find that they are hitting a particular script rather than loading the entire site.

cut -f 4 -d '"' yourweblog.log|sort|uniq -c|sort -nr|more

would allow you to see common UserAgents. It is possible that they are using a single UserAgent in their attack.

The trick is to find something in common with the attack traffic that doesn't exist in your normal traffic and then filter that through iptables, mod_rewrite or upstream with your webhost. If you are getting hit with Slowloris, Apache 2.2.15 now has the reqtimeout module which allows you to configure some settings to better protect against Slowloris.

Solution 2:

FYI - You should try to work with your ISP to see if they can block it upstream of you.

Solution 3:

Some good tips here. I'd also add this:

netstat -an | grep ESTABLISHED | awk '\''{print $5}'\'' | awk -F: '\''{print $1}'\'' | sort | uniq -c | awk '\''{ printf("%s\t%s\t",$2,$1); for (i = 0; i < $1; i++) {printf("*")}; print ""}'\''

Put this under an alias (nn, for instance). This will give you a "graphical" perspective of the ips with more established connections.

Hope this helps.

For those who couldn't get this to work I have fixed the syntax so it runs for me under Ubuntu:

netstat -an|grep ESTABLISHED|awk '{print $5}'|awk -F: '{print $1}'|sort|uniq -c|awk '{ printf("%s\t%s\t",$2,$1); for (i = 0; i < $1; i++) {printf("*")}; print ""}'

Related

Is there an alternative to /dev/urandom?
What is the best way to transfer a single large file over a high-speed, high-latency WAN link?
What is your list of programs to install to Windows after a fresh install?
Alternatives to Nagios
Responsive css background images
selenium with scrapy for dynamic page
Keras, How to get the output of each layer?
How to pause / sleep thread or process in Android?
Hidden features of JSP/Servlet [closed]
SET NOCOUNT ON usage
Purpose of Unions in C and C++
Detect network connection type on Android