Find DDOS Source

roboticpuppies · Dec 18, 2019

Hello,

Last night my server suffered from DDOS attack. What I know is the attack was addressed to port 5632, which is not opened on my server. I think that one of the account inside the servers might be the source of this attack. It pretends to request something to the internet, and then it gets the reply and become massive traffic addressed to my server. How to find these accounts that did this so I can prevent the attack in the future? I will gladly accept any recommendation on vendor that can mitigate this kind of attack.

Thank you.

tuxandrew · Dec 18, 2019

Basically you need to have a detailed check on the listing connections to the ports and make sure that the connections are made from any specific IPs. If you are having lots of account it is difficult to identify exact target domain or url. For that you need to check the webserver access logs to see which url is being accessed a lot during time frame from which IP or range of IPs.

The investigation steps should be done based on your operating sytem or hosting control panel setup. If you could shed more light on this, I can help a bit more about the issue.

roboticpuppies · Dec 18, 2019

I'm using cPanel and Cloudlinux. I use cPhulk and CSF to secure my server. Unfortunately there are lots of accounts in this server, so yeah I'm having difficulty to solve this issue. I'll take a look at the access logs too, thank you.

tuxandrew · Dec 18, 2019

Well you need to go for a thorough check over the access_logs to see which IPs made lot of connections and the urls they accessed.

# cat /usr/local/apace/logs/access_log | grep "/17/Dec/2019" | awk '{print $1}'| sort| uniq -c | sort -n

The result will give you a count of unique connections from external IPs. You can cross check the access logs to see which url was accessed and by the IPs with highest number of connections.

For any SYN FLOOD attacks, you can check the connection from command line.

netstat -tuna | grep :80 | grep SYN_RECV

- Limit the connections rate in CSF setting mitigate the attacks
- Tweaking Kernel parameters like SYN cookies,tcp_synack_retries,Lowering the timeout value for SYN_RECV,prevent IP spoofing etc.
- If the access is not from random IPs, you can block the IPs in CSF.
- Tweak connection rate limits in CSF to limit frequent access from same source in short intervals.

1. If it is heavy DDOS launching from different subnet or from different geographic locations then you need ask the provider for any effective network filters to mitigate the attack.

2. You can opt CloudFlare CDN services for your domains to block DDOS attacks.

roboticpuppies · Dec 18, 2019

Thank you so much. I'll check again. The problem is even if I block the traffic from my router, the traffic still going in to the datacenter. So I have to request to my provider. I'll mark this thread as solved.

tuxandrew · Dec 18, 2019

You are welcome

serveria · Dec 19, 2019

You could ask your provider to switch the IP and null-route the old one. Then disable ping on the new IP. This solution won't suit you if you're running some IP-dependent services.

Find DDOS Source

roboticpuppies

New member

tuxandrew

Well-known member

roboticpuppies

New member

tuxandrew

Well-known member

roboticpuppies

New member

tuxandrew

Well-known member

serveria

Member

Latest posts New threads

Latest posts

New threads

Latest Hosting Offers New Reviews

Latest hosting offers

Popular Contributors - Past 30 Days

Sponsors

Tag Cloud