Q: Prevent DDoS attacks by restarting httpd?

Posted by NameTyper, 01-12-2008, 11:36 AM
Hi all, just a short question. Can you restart the httpd to get the server online again while you are under a DDoS attack? The reason for asking is that I was told that when restarting the httpd it should start to work again instantly, and so it seems. But why? Doesn't the attack "continue" after the restart?

Posted by avythe, 01-12-2008, 12:17 PM
Restarting the httpd will drop all connections, so when it comes back up, it might be available for a short period of time (until it gets completely flooded again). This is assuming it's an attack on your httpd - if it's a normal DDoS, your entire server will likely be completely inaccessible. I hope that more or less answered your question? Let me know if I need to clarify a bit.

Posted by sirius, 01-12-2008, 01:25 PM
Moved to Technical and Security Issues.... Sirius

Posted by Unknown_1, 01-12-2008, 03:30 PM
Try using DDoS Deflate, Google it!

Posted by whmcsguru, 01-12-2008, 03:35 PM
If you're constantly getting flooded with these, check out something like CSF, which should limit the number of connections per IP to your server properly. Either that, or you may want to consider raising MaxClients (maybe these are legitimate requests?).

Posted by Unknown_1, 01-12-2008, 03:40 PM
DDoS Deflate does exactly the same thing, but what you've got to take into consideration is that it will put strain on your iptables unless you use APF along with it. Do this:

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

and see what's making the connections. If it's just one IP with many connections, block it using iptables; if it's many IPs with a few connections each, then yeah, you're under attack.

Last edited by Unknown_1; 01-12-2008 at 03:45 PM.

Posted by subzer0, 01-12-2008, 03:55 PM
Maybe one thing he can try to do while under an attack is to use a script to check the number of connections and to restart httpd if it exceeds a particular number. You could schedule this to run every 5-10 minutes via cron. I am no expert on these scripts, but I think using a combination of netstat with grep on "ESTABLISHED", and an if statement to check the number of results, you can probably accomplish this. I think this would be one possible way to combat a DDoS attack.

Posted by whmcsguru, 01-12-2008, 04:02 PM
Never run something like this, ever! It's just another way for users to DoS your system to death. Example: you're running this script, and it's found out. OK, I send hundreds of connections to your webserver repeatedly, non-stop, through varying IP addresses. It's easily done. Now, every time this script checks something it's going to restart your webserver. Mission accomplished. This is exactly what is wrong with using systems like this. They're entirely too easy to work around and FORCE to break the system. The best answer is to raise limits, or install a firewall (Apache modules will never work as well as a firewall) to block users FULLY from the system if they have too many connections. Better yet? Create code that will limit the user's connections to the server itself and ban them if they have more than X connections per second. Very easily done in PHP.
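Unknown_1's netstat pipeline and whmcsguru's point that per-IP limits beat httpd restarts, as an added example that is not from the thread: the same per-IP count with netstat's header lines skipped, plus the thread's rule of thumb (one heavy source vs. many light ones) applied to a constructed netstat sample. The threshold values are assumptions; the output feeds a firewall decision, not a restart.

```shell
#!/bin/sh
# Added example (not from the thread): count connections per remote IP the way
# Unknown_1's netstat pipeline does, but skip netstat's header lines, and use
# the counts to classify the load (one heavy source vs. many light ones)
# instead of restarting httpd. IPv4 only; IPv6 lines are ignored.

# Read `netstat -ntu` style lines on stdin; print "<count> <ip>", lowest first.
count_by_ip() {
    awk '$5 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+$/ {
             sub(/:[0-9]+$/, "", $5); c[$5]++ }
         END { for (ip in c) print c[ip], ip }' | sort -n
}

# Print remote IPs with at least $1 connections (default 50, an assumed value):
# candidates for a per-IP firewall block (what CSF/APF automate), never a restart.
flag_heavy_sources() {
    count_by_ip | awk -v t="${1:-50}" '$1 >= t { print $2 }'
}

# The thread's rule of thumb: $1 = per-IP threshold, $2 = total-connection
# threshold. "single-source" means block those IPs; "distributed" means many IPs
# with few connections each, i.e. a real DDoS that needs the firewall, not httpd.
classify_load() {
    count_by_ip | awk -v per="$1" -v total="$2" '
        { n++; sum += $1; if ($1 >= per) heavy++ }
        END {
            if (heavy > 0)
                print "single-source: " heavy " IP(s) with >= " per " connections"
            else if (sum >= total)
                print "distributed: " n " IPs, " sum " connections, none >= " per
            else
                print "normal: " n " IPs, " sum " connections"
        }'
}

# Constructed sample of `netstat -ntu` output (not captured from a real host).
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:80         198.51.100.7:51234      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51235      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51236      ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.44:40001        ESTABLISHED
tcp        0      0 203.0.113.10:22         192.0.2.80:50022        ESTABLISHED
udp        0      0 203.0.113.10:53         192.0.2.44:33000'

printf '%s\n' "$SAMPLE" | count_by_ip          # 1 192.0.2.80 / 2 192.0.2.44 / 3 198.51.100.7
printf '%s\n' "$SAMPLE" | classify_load 3 100  # single-source: 1 IP(s) with >= 3 connections
```

On a live host replace the sample with `netstat -ntu | classify_load 50 2000`; the two headers netstat prints are dropped by the address check, which the thread's original pipeline does not do.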

Posted by psyxakias, 01-13-2008, 03:57 AM
Obviously linux-tech is right; all you can get with frequent httpd restarts is even more server overload. If restarting the attacked daemon stopped service-based attacks, everyone would do it. And even if it was working, it would still cause tons of broken images/downloads and interrupted transactions while the restart occurs. You need to optimize your server, configure your server's firewall and check how it goes. If you're on managed hosting, ask your provider for server optimization.

Posted by karem, 01-13-2008, 11:13 PM
I saw a script in the past with a control panel that blocked IPs from any script and gave you the option to unblock them and modify the block time. This script was really nice, but I can't find any download link. Can anyone help? I really need a panel to show users which IPs are flooding, the time, etc. Regards

Posted by ub3r, 01-13-2008, 11:16 PM
Why don't you just look at your access log?

Posted by karem, 01-13-2008, 11:19 PM
I'm talking about letting the user see this. Can anyone make it as a service on a site, so the site owner knows the process and is satisfied? The script could work for just one site, or be a script that lets the site owner unblock IPs, shows which IPs are blocked, and lets them change the block time period. Sorry for my bad English, I hope I am clear.

Posted by ub3r, 01-13-2008, 11:27 PM
Yeah, I don't understand any more than a few of the words you just put into this thread. Could you try typing that again? Also, why does your signature say "linux system administrator"?

Posted by karem, 01-13-2008, 11:50 PM
Hi, sorry for the confusion. What I was looking for in my previous post is:
1) a web-based application that shows my customer how many IPs have been blocked;
2) the source of the attack (the bad IPs);
3) the date and time of the blocking of the bad IPs.
This application reads its data from APF-antidos or from a custom script. Anyone aware of a solution like this? Thanks,

Posted by karem, 01-13-2008, 11:53 PM
"This application reads its data from APF-antidos or any from a custom script" = "this application reads its data from the APF-antidos log or from any other custom script."
