attack related question on domain

jessichg

Member
Registered
Joined
Jan 4, 2023
Messages
55
Points
6
Hello,

On a shared server, suppose there is a large attack on one domain and the domain is not using our nameservers; the domain is using an A record pointing at the server IP, so even if we terminated that account, the attack is still large. In that case, even though we terminated the account, the domain still resolves to the server, so the attack did not go down...

So in that case, how to minimize the attack on the server?

Thanks
 

AlbaHost

Well-known member
Moderator
Hosting Provider
Joined
Jan 18, 2017
Messages
778
Points
43
You can't; the only solution is to get a server with DDoS protection from another provider, because even if you hide your domain/IP through Cloudflare etc., the IP of your server was revealed before. Or, if that domain/website does not use the shared IP of your server, then null-route the mentioned IP to get rid of the attacks.
 

YouStable

Member
Registered
Joined
Mar 7, 2017
Messages
28
Points
1
The best way to prevent such attacks is to use CloudFlare + DDoS-protected data centres; however, you get some limitations as well.
 

jessichg

Member
Registered
Joined
Jan 4, 2023
Messages
55
Points
6
Yes, but without a DDoS-protected server, will it be possible to limit the attack with something like ModSecurity?
 

AlbaHost

Well-known member
Moderator
Hosting Provider
Joined
Jan 18, 2017
Messages
778
Points
43
One is a DoS attack, the other is a DDoS attack. A DoS attack used by some kids can be mitigated with iptables rules etc.; a DDoS attack is network based.
 

jessichg

Member
Registered
Joined
Jan 4, 2023
Messages
55
Points
6
Yes, the question is about a DoS attack, not a DDoS...

On a shared server, suppose there is a large attack on one domain and the domain is not using our nameservers; the domain is using an A record pointing at the server IP, so even if we terminated that account, the attack is still large. In that case, even though we terminated the account, the domain still resolves to the server, so the attack did not go down...

So in that case, how to minimize the attack on the server?
 

AlbaHost

Well-known member
Moderator
Hosting Provider
Joined
Jan 18, 2017
Messages
778
Points
43
Well, in your first post you described a "large attack", which I assumed was a DDoS attack. However, find the IPs in your SSH terminal with the command:
Code:
netstat -n
and block them manually with firewall rules. Which OS do you have installed on your server?

Apply the rules below, but make sure to check that everything is still working fine afterwards.

Code:
# Mangle PREROUTING: drop invalid or malformed TCP packets before they reach conntrack/INPUT
/sbin/iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
# TCP flag combinations that normal stacks do not send
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# Source ranges that should never arrive on a public interface (multicast, link-local, private, test, loopback, reserved)
/sbin/iptables -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP
/sbin/iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP
/sbin/iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP
/sbin/iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP
/sbin/iptables -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP
/sbin/iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP
/sbin/iptables -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP
/sbin/iptables -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP
/sbin/iptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP
# Drop non-first IP fragments
/sbin/iptables -t mangle -A PREROUTING -f -j DROP
# INPUT: cap concurrent connections per source, rate-limit RST packets and new connections
/sbin/iptables -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset
/sbin/iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP
/sbin/iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
# SSH brute-force throttle: more than 10 new connections from one source within 60 s are dropped
/sbin/iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set
/sbin/iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
# Port-scan chain: only takes effect if another rule jumps to it (none of the rules above does)
/sbin/iptables -N port-scanning
/sbin/iptables -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN
/sbin/iptables -A port-scanning -j DROP
 
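The post above says to find the IPs with `netstat -n` and block them by hand. As an added example (not from the thread), this script summarises `netstat -n`-style output per remote address so the noisiest sources can be reviewed first, and only prints the iptables commands rather than running them; the netstat sample is constructed, and `top_sources`/`block_commands` are names chosen here.

```shell
#!/bin/sh
# Added example: rank remote IPs by connection count from `netstat -n` output,
# then print (not execute) the single-IP block rules an admin would review.

# Constructed sample in the layout printed by `netstat -n` (IPv4 TCP lines only).
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:80         198.51.100.7:51234      SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.7:51235      SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.7:51236      ESTABLISHED
tcp        0      0 203.0.113.10:443        198.51.100.44:40001     ESTABLISHED
tcp        0      0 203.0.113.10:22         198.51.100.44:40002     ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.200:3000     TIME_WAIT'

# Read netstat text on stdin; print "count ip" lines, busiest source first,
# keeping only sources with at least $1 connections (default 1).
top_sources() {
    threshold="${1:-1}"
    awk -v min="$threshold" '
        $1 ~ /^tcp/ && $5 ~ /:/ {
            ip = $5; sub(/:[0-9]+$/, "", ip)   # strip the port from host:port
            n[ip]++
        }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
    ' | sort -rn
}

# Emit the iptables rules for every source over the threshold. They are printed,
# not applied: check that no address is the server's own IP or a legitimate
# client (monitoring, backups, your office) before pasting them into a shell.
block_commands() {
    top_sources "$1" | while read -r count ip; do
        printf '/sbin/iptables -I INPUT -s %s -j DROP   # %s connections\n' "$ip" "$count"
    done
}

# Stand-alone run: sources with 2+ connections, then the rules that would block them.
printf '%s\n' "$SAMPLE_NETSTAT" | top_sources 2
printf '%s\n' "$SAMPLE_NETSTAT" | block_commands 2
```

On a live server replace the sample with `netstat -n | top_sources 20` (or `ss -ntu`, which prints the same columns); the threshold is the number of simultaneous connections you consider abnormal for one client of that site.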

jessichg

Member
Registered
Joined
Jan 4, 2023
Messages
55
Points
6
Let me clarify a bit more....

1) Linux server with CentOS...
2) The attack is on a domain with a different IP, not the server's...
3) The attack can be minimized if we delete the DNS zone file so that the domain will not resolve from the server
4) But my question is: if the domain uses an A record to point to the server, then even after deleting the DNS zone the domain will still point to the server, so in that case how to minimize the attack
 

AlbaHost

Well-known member
Moderator
Hosting Provider
Joined
Jan 18, 2017
Messages
778
Points
43
1) Linux server with CentOS...
Alright
2) The attack is on a domain with a different IP, not the server's...
The attack cannot be on a domain, but on an IP! As I've stated in my previous post, if the attack is on a different IP and not on the main shared server's IP, then null-route the IP by temporarily deleting that IP from your server.
3) The attack can be minimized if we delete the DNS zone file so that the domain will not resolve from the server
If you own that domain name, sure, you can delete the DNS zones, but you can't prevent somebody from pointing the domain to your server's IP if he owns the domain in question.
4) But my question is: if the domain uses an A record to point to the server, then even after deleting the DNS zone the domain will still point to the server, so in that case how to minimize the attack
I've just provided the clarification and the mitigation that you can take. There is no magic in this case.
 