Find DDOS Source

roboticpuppies (New member, joined Apr 25, 2018)

Hello,

Last night my server suffered from a DDoS attack. What I know is that the attack was addressed to port 5632, which is not open on my server. I think that one of the accounts inside the server might be the source of this attack. It pretends to request something from the internet, then it gets the reply and it becomes massive traffic addressed to my server. How do I find the accounts that did this so I can prevent the attack in the future? I will gladly accept any recommendation on a vendor that can mitigate this kind of attack.

Thank you.
 

tuxandrew (Well-known member, joined Aug 19, 2012)

Basically you need to have a detailed check on the connections listed to the ports and check whether the connections are made from any specific IPs. If you have lots of accounts it is difficult to identify the exact target domain or URL. For that you need to check the web server access logs to see which URL is being accessed a lot during the time frame, and from which IP or range of IPs.

The investigation steps depend on your operating system and hosting control panel setup. If you could shed more light on this, I can help a bit more with the issue.
 

roboticpuppies (New member, joined Apr 25, 2018)

I'm using cPanel and CloudLinux. I use cPHulk and CSF to secure my server. Unfortunately there are lots of accounts on this server, so yeah, I'm having difficulty solving this issue. I'll take a look at the access logs too, thank you.
 

tuxandrew (Well-known member, joined Aug 19, 2012)

Well, you need to do a thorough check over the access_logs to see which IPs made a lot of connections and the URLs they accessed.

# grep "17/Dec/2019" /usr/local/apache/logs/access_log | awk '{print $1}' | sort | uniq -c | sort -n

The result will give you a count of connections from each unique external IP. You can then cross-check the access logs to see which URLs were accessed by the IPs with the highest number of connections.

For any SYN flood attacks, you can check the connections from the command line.

netstat -tuna | grep :80 | grep SYN_RECV

- Limit the connection rate in the CSF settings to mitigate the attacks.
- Tweak kernel parameters like SYN cookies, tcp_synack_retries, lowering the timeout value for SYN_RECV, preventing IP spoofing, etc.
- If the access is not from random IPs, you can block the IPs in CSF.
- Tweak the connection rate limits in CSF to limit frequent access from the same source in short intervals.

1. If it is a heavy DDoS launched from different subnets or from different geographic locations, then you need to ask the provider for any effective network filters to mitigate the attack.

2. You can opt for Cloudflare CDN services for your domains to block DDoS attacks.
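As an added example (my code, not from this thread or from cPanel/CSF), here is the same per-day, per-IP count that the grep/awk pipeline above produces, run over a few constructed Apache combined-log lines, with the most-requested URL for each top IP included so the cross-check happens in one pass. The log format and sample IPs are assumptions.

```python
import re
from collections import Counter, defaultdict

# Apache combined-log line: ip ident user [ts] "method url proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not real traffic); one is from the previous day
# and one is malformed, so the filter and the parser are both exercised.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Dec/2019:01:12:03 +0000] "GET /feed.php HTTP/1.1" 200 512
203.0.113.7 - - [17/Dec/2019:01:12:03 +0000] "GET /feed.php HTTP/1.1" 200 512
203.0.113.7 - - [17/Dec/2019:01:12:04 +0000] "GET /feed.php HTTP/1.1" 200 512
198.51.100.20 - - [17/Dec/2019:01:12:05 +0000] "GET /index.php HTTP/1.1" 200 2048
203.0.113.7 - - [17/Dec/2019:01:12:06 +0000] "GET /contact.php HTTP/1.1" 200 900
198.51.100.20 - - [16/Dec/2019:23:59:59 +0000] "GET /index.php HTTP/1.1" 200 2048
192.0.2.9 - - [17/Dec/2019:01:13:00 +0000] "GET /index.php HTTP/1.1" 200 1024
this line is deliberately malformed and must be skipped
"""

def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def top_talkers(log_text, day, limit=3):
    """Hits per IP for lines whose timestamp starts with `day` (e.g. 17/Dec/2019),
    like `grep day | awk '{print $1}' | sort | uniq -c | sort -n`, plus each IP's
    most-requested URL. Returns [(ip, hits, top_url)] sorted by hits, descending."""
    hits = Counter()
    urls = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["ts"].startswith(day):
            continue
        hits[rec["ip"]] += 1
        urls[rec["ip"]][rec["url"]] += 1
    return [(ip, n, urls[ip].most_common(1)[0][0]) for ip, n in hits.most_common(limit)]

if __name__ == "__main__":
    for ip, n, url in top_talkers(SAMPLE_LOG, "17/Dec/2019"):
        print(f"{n:5d} {ip:16s} top url: {url}")
```

On a real server, replace SAMPLE_LOG with the contents of the access_log for the time frame you are investigating.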
 

roboticpuppies (New member, joined Apr 25, 2018)

Thank you so much. I'll check again. The problem is that even if I block the traffic at my router, the traffic is still going into the datacenter. So I have to make the request to my provider. I'll mark this thread as solved.
 

serveria (Member, joined Dec 7, 2019)

You could ask your provider to switch the IP and null-route the old one. Then disable ping on the new IP. This solution won't suit you if you're running some IP-dependent services.
 
