JaguarPC Community

This is a discussion on DoS/DDoS Attack in the VPS & Dedicated forum

#1 JPC Member (joined Jan 2008, 7 posts)

DoS/DDoS Attack

    My server will not load, and my browser returns connection resets, timeouts, and not-found errors. Technical support informs me that the server is overwhelmed with requests by user "apache"--the Web-access account.

    I'm going to assume that that adds up to a (D)DoS attack. Now can anyone here tell me how to harden my server against that sort of thing?

#2 Pawel Kowalski, Loyal Client (joined Sep 2001, Albuquerque NM, 1,403 posts)
This doesn't have to mean it is a DoS attack. Are you sure that traffic to your web site hasn't increased, or have you changed any settings in Apache? When you are in SSH, can you run the command top and paste the results here?

If I suspect a DoS attack, the first thing I do is run a packet sniffer such as Ethereal to see what is happening, but I do this in a Windows environment. I'm not sure if Ethereal comes in a Linux package, but I think tcpdump is a similar command-line utility. See if you can run that and then paste the results here. Maybe someone else who is more familiar with Linux than I am can help you, but if this is in fact a DoS attack you will have to know what kind of attack it is before you can do anything to try and stop it. If you have a hard time reading tcpdump because of the text interface, you can download the following program to analyze the results:

    http://www.tcptrace.org/windows.html

#3 Vin DSL, "Yeah, I know a LOT!" (joined Mar 2003, Arizona Uplands, 10,748 posts)
    Interesting!

    Adam and Steve, et al, are probably attacking you!

Generally speaking, web hosts kill sites that attract DoS attacks, but yours may be an exception to the rule - hopefully!

    Ever heard of irreducible complexity?
    DISCLAIMER Any resemblance between the views expressed above and those of the owners and operators of this system is purely coincidental. Any resemblance between these views and my own are non-deterministic. The existence of Vin DSL is questionable. The existence of views in the absence of anyone to hold them is problematic. The existence of the reader is left as an exercise in the second-order coefficient.

    No Guts, No Story! VinDSL © 2010

#4 JPC Member (joined Jan 2008, 7 posts)
    The site came up by itself, and that's the only way that I could get in.

    Here is the output from top, as of right now:

    Tasks: 105 total, 2 running, 103 sleeping, 0 stopped, 0 zombie
    Cpu(s): 9.0%us, 0.5%sy, 0.0%ni, 90.2%id, 0.2%wa, 0.0%hi, 0.2%si, 0.0%st
    Mem: 1002500k total, 418080k used, 584420k free, 18916k buffers
    Swap: 2048276k total, 21384k used, 2026892k free, 181024k cached

    PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
    28391 apache 16 0 45800 25m 4652 S 14 2.6 0:03.65 httpd
    28395 apache 16 0 43256 23m 4600 R 4 2.4 0:01.75 httpd
    1 root 15 0 2044 96 68 S 0 0.0 3:43.90 init
    2 root RT 0 0 0 0 S 0 0.0 0:00.02 migration/0
    3 root 34 19 0 0 0 S 0 0.0 0:00.00 ksoftirqd/0
    4 root RT 0 0 0 0 S 0 0.0 0:00.00 watchdog/0
    5 root RT 0 0 0 0 S 0 0.0 0:00.02 migration/1
    6 root 36 19 0 0 0 S 0 0.0 0:00.00 ksoftirqd/1
    7 root RT 0 0 0 0 S 0 0.0 0:00.00 watchdog/1
    8 root 10 -5 0 0 0 S 0 0.0 0:00.01 events/0
    9 root 10 -5 0 0 0 S 0 0.0 0:00.03 events/1
    10 root 10 -5 0 0 0 S 0 0.0 0:00.00 khelper
    11 root 10 -5 0 0 0 S 0 0.0 0:00.08 kthread
    15 root 14 -5 0 0 0 S 0 0.0 0:02.27 kblockd/0
    16 root 12 -5 0 0 0 S 0 0.0 0:00.12 kblockd/1
    17 root 15 -5 0 0 0 S 0 0.0 0:00.00 kacpid
    117 root 15 -5 0 0 0 S 0 0.0 0:00.00 cqueue/0
    118 root 16 -5 0 0 0 S 0 0.0 0:00.00 cqueue/1
    121 root 10 -5 0 0 0 S 0 0.0 0:00.00 khubd
    123 root 10 -5 0 0 0 S 0 0.0 0:00.00 kseriod
    192 root 18 -5 0 0 0 S 0 0.0 466:18.73 kswapd0
    193 root 18 -5 0 0 0 S 0 0.0 0:00.00 aio/0
    194 root 18 -5 0 0 0 S 0 0.0 0:00.00 aio/1
    344 root 11 -5 0 0 0 S 0 0.0 0:00.00 kpsmoused
    375 root 12 -5 0 0 0 S 0 0.0 0:00.00 ata/0
    376 root 12 -5 0 0 0 S 0 0.0 0:00.00 ata/1
    377 root 16 -5 0 0 0 S 0 0.0 0:00.00 ata_aux
    381 root 13 -5 0 0 0 S 0 0.0 0:00.00 scsi_eh_0
    382 root 10 -5 0 0 0 S 0 0.0 0:00.00 scsi_eh_1
    383 root 10 -5 0 0 0 S 0 0.0 0:58.60 kjournald
    410 root 10 -5 0 0 0 S 0 0.0 0:00.02 kauditd
    444 root 21 -4 2220 16 12 S 0 0.0 0:00.07 udevd

    I just tried to install ethereal (they call it "wireshark" now). But when I try to run that as a command, it can't be found. What directory might I usually find that in?
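Before reaching for a packet capture, it is worth reading the top snapshot above for what it actually says about the box: whole-system idle time, swap use, and which account's processes hold the CPU. The following is an added example, not code from this thread; it is a small Python parser that aggregates %CPU and %MEM per user and pulls out the triage numbers. The embedded sample is a subset of the rows posted above, and the function and field names (parse_top, by_user, assess) are my own.

```python
import re
from collections import defaultdict

# Sample input: a subset of the top snapshot posted in the thread (summary lines
# plus six process rows), embedded here so the example runs offline.
TOP_OUTPUT = """\
Tasks: 105 total, 2 running, 103 sleeping, 0 stopped, 0 zombie
Cpu(s): 9.0%us, 0.5%sy, 0.0%ni, 90.2%id, 0.2%wa, 0.0%hi, 0.2%si, 0.0%st
Mem: 1002500k total, 418080k used, 584420k free, 18916k buffers
Swap: 2048276k total, 21384k used, 2026892k free, 181024k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
28391 apache 16 0 45800 25m 4652 S 14 2.6 0:03.65 httpd
28395 apache 16 0 43256 23m 4600 R 4 2.4 0:01.75 httpd
1 root 15 0 2044 96 68 S 0 0.0 3:43.90 init
192 root 18 -5 0 0 0 S 0 0.0 466:18.73 kswapd0
383 root 10 -5 0 0 0 S 0 0.0 0:58.60 kjournald
444 root 21 -4 2220 16 12 S 0 0.0 0:00.07 udevd
"""

PCT_RE = re.compile(r"(\d+(?:\.\d+)?)%(\w+)")   # e.g. "90.2%id"
KB_RE = re.compile(r"(\d+)k (\w+)")             # e.g. "418080k used"
# Column order of the process table in this top build (hypothetical names).
PROC_FIELDS = ("pid", "user", "pr", "ni", "virt", "res", "shr", "s",
               "cpu", "mem", "time", "command")


def time_plus_seconds(value):
    """Convert top's TIME+ column (mm:ss.hh, or h:mm:ss) to seconds."""
    total = 0.0
    for part in value.split(":"):
        total = total * 60 + float(part)
    return total


def parse_top(text):
    """Parse the summary lines and the process table of a top snapshot."""
    snap = {"cpu": {}, "mem": {}, "swap": {}, "procs": []}
    for line in text.splitlines():
        if line.startswith("Cpu(s):"):
            snap["cpu"] = {name: float(v) for v, name in PCT_RE.findall(line)}
        elif line.startswith("Mem:"):
            snap["mem"] = {name: int(v) for v, name in KB_RE.findall(line)}
        elif line.startswith("Swap:"):
            snap["swap"] = {name: int(v) for v, name in KB_RE.findall(line)}
        else:
            fields = line.split()
            # Process rows have exactly 12 columns and start with a numeric PID.
            if len(fields) == len(PROC_FIELDS) and fields[0].isdigit():
                proc = dict(zip(PROC_FIELDS, fields))
                proc["cpu"] = float(proc["cpu"])
                proc["mem"] = float(proc["mem"])
                proc["seconds"] = time_plus_seconds(proc["time"])
                snap["procs"].append(proc)
    return snap


def by_user(snap):
    """Aggregate process count, %CPU and %MEM per account."""
    agg = defaultdict(lambda: {"count": 0, "cpu": 0.0, "mem": 0.0})
    for p in snap["procs"]:
        agg[p["user"]]["count"] += 1
        agg[p["user"]]["cpu"] += p["cpu"]
        agg[p["user"]]["mem"] += p["mem"]
    return dict(agg)


def assess(snap):
    """The numbers a first-look triage wants from the snapshot."""
    users = by_user(snap)
    busiest = max(users, key=lambda u: users[u]["cpu"])
    longest = max(snap["procs"], key=lambda p: p["seconds"])
    return {
        "cpu_idle_pct": snap["cpu"].get("id", 0.0),
        "swap_used_kb": snap["swap"].get("used", 0),
        "busiest_user": busiest,
        "busiest_user_cpu_pct": users[busiest]["cpu"],
        "longest_running": longest["command"],
    }


if __name__ == "__main__":
    snapshot = parse_top(TOP_OUTPUT)
    for user, totals in by_user(snapshot).items():
        print(f"{user:>8}: {totals['count']} procs, "
              f"{totals['cpu']:.1f}% CPU, {totals['mem']:.1f}% MEM")
    print(assess(snapshot))
```

Run against the posted rows, the apache account accounts for 18% CPU and 5% memory across two httpd workers while the machine reports 90.2% idle, so this particular snapshot does not show CPU saturation; the kswapd0 accumulated time and the non-zero swap use are the other figures worth watching across several snapshots rather than one.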

#5 Pawel Kowalski, Loyal Client (joined Sep 2001, Albuquerque NM, 1,403 posts)
I can't comment on your installation of Ethereal (sorry, I still can't get used to calling it Wireshark) since I'm not that familiar with Linux, but it does look like Apache is eating up a lot of resources. What kind of traffic do you get on your web site, and what kind of web site do you host (any scripts, databases, etc.)?

Again, don't automatically assume this is a DoS attack. Once you do get a capture file, feel free to PM it to me and I'll see if there is anything there that would represent a DoS attack.

#6 Vin DSL, "Yeah, I know a LOT!" (joined Mar 2003, Arizona Uplands, 10,748 posts)
    Heh!

    Why would a 'creationist' web site be attacked?

    Doesn't make any sense, right, male booby licker?

#7 JPC Member (joined Jan 2008, 7 posts)
    It's a wiki site, and uses MediaWiki version 1.12 (the current snapshot release). It is a heavy user of PHP.

    There's a Google bot that crawls around on the site. Maybe I need to edit robots.txt to keep it out of a few places. Does that sound right?
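Whether the load comes from a crawler walking expensive MediaWiki pages or from a flood of requests is something the Apache access log can answer per client before anything is blocked. The script below is an added example, not code from this thread or from MediaWiki: it parses combined-format log lines, computes each client's peak request count inside a sliding 60-second window, and records whether the client's user agent claims to be a crawler. The log lines are constructed for illustration (addresses from the documentation ranges 192.0.2.0/24 and 198.51.100.0/24), and the function names, the window and the flagging threshold are my own choices.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache "combined" log format (not real traffic).
# 192.0.2.77 hammers Special:Search eight times in seven seconds; 198.51.100.9
# identifies itself as Googlebot and fetches three pages minutes apart;
# 198.51.100.23 is an ordinary visitor.
SAMPLE_LOG = """\
192.0.2.77 - - [15/Mar/2008:10:00:01 -0700] "GET /index.php?title=Special:Search&search=a HTTP/1.1" 200 8120 "-" "Mozilla/4.0"
192.0.2.77 - - [15/Mar/2008:10:00:02 -0700] "GET /index.php?title=Special:Search&search=b HTTP/1.1" 200 8120 "-" "Mozilla/4.0"
192.0.2.77 - - [15/Mar/2008:10:00:03 -0700] "GET /index.php?title=Special:Search&search=c HTTP/1.1" 200 8120 "-" "Mozilla/4.0"
192.0.2.77 - - [15/Mar/2008:10:00:04 -0700] "GET /index.php?title=Special:Search&search=d HTTP/1.1" 200 8120 "-" "Mozilla/4.0"
192.0.2.77 - - [15/Mar/2008:10:00:05 -0700] "GET /index.php?title=Special:Search&search=e HTTP/1.1" 200 8120 "-" "Mozilla/4.0"
192.0.2.77 - - [15/Mar/2008:10:00:06 -0700] "GET /index.php?title=Special:Search&search=f HTTP/1.1" 200 8120 "-" "Mozilla/4.0"
192.0.2.77 - - [15/Mar/2008:10:00:07 -0700] "GET /index.php?title=Special:Search&search=g HTTP/1.1" 200 8120 "-" "Mozilla/4.0"
192.0.2.77 - - [15/Mar/2008:10:00:08 -0700] "GET /index.php?title=Special:Search&search=h HTTP/1.1" 200 8120 "-" "Mozilla/4.0"
198.51.100.9 - - [15/Mar/2008:10:00:00 -0700] "GET /index.php?title=Main_Page HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.9 - - [15/Mar/2008:10:01:30 -0700] "GET /index.php?title=Help:Contents HTTP/1.1" 200 4411 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.9 - - [15/Mar/2008:10:03:00 -0700] "GET /index.php?title=Special:RecentChanges HTTP/1.1" 200 9902 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.23 - - [15/Mar/2008:10:00:10 -0700] "GET /index.php?title=Main_Page HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux)"
198.51.100.23 - - [15/Mar/2008:10:00:30 -0700] "GET /skins/common/commonPrint.css HTTP/1.1" 200 1045 "http://example.org/" "Mozilla/5.0 (X11; Linux)"
"""

# Apache combined log format: host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Substrings that mark a user agent as *claiming* to be a search crawler.
CRAWLER_MARKERS = ("googlebot", "bingbot", "slurp")


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def peak_in_window(times, window_s):
    """Largest number of requests that fall inside any window_s-second span."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_s:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(log_text, window_s=60, threshold=5):
    """Per-client summary: volume, burstiness, path spread, crawler claim, flag."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)
    report = {}
    for ip, recs in per_ip.items():
        peak = peak_in_window([r["time"] for r in recs], window_s)
        ua = recs[-1]["ua"].lower()
        report[ip] = {
            "requests": len(recs),
            "peak_in_window": peak,
            "distinct_paths": len({r["path"] for r in recs}),
            "claims_crawler": any(k in ua for k in CRAWLER_MARKERS),
            "flagged": peak >= threshold,
        }
    return report


if __name__ == "__main__":
    for ip, info in sorted(analyze(SAMPLE_LOG).items(),
                           key=lambda kv: -kv[1]["peak_in_window"]):
        print(ip, info)
```

On this constructed input only 192.0.2.77 is flagged; the self-declared Googlebot stays well under the threshold. In production, run the same analysis over the real access log and treat the crawler flag as a claim rather than a fact, since the user-agent string is set by the client; Google's own documented check for a genuine Googlebot is a reverse DNS lookup of the address followed by a forward lookup of the resulting name. A robots.txt edit, as asked about above, only affects well-behaved crawlers and does nothing for a client that ignores it, so the rate data is what tells you which case you are in.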

#8 Pawel Kowalski, Loyal Client (joined Sep 2001, Albuquerque NM, 1,403 posts)
Since you are having long periods of downtime right now anyway, can you try disabling MediaWiki for an hour or so and see if the problem is resolved?

If it is, then this is not a DoS attack and you don't have to worry about doing a packet capture.

It's weird: I am having issues with any dynamic web site (especially forums) running extremely slowly on my servers too. They will work and then lag like crazy. I've written 3 support tickets and always got a canned response. But it started happening again today, and this time support might actually be looking into this; they've been working on my ticket for over 3 hours (fingers crossed). Not sure if the issue is related to the problem you are having, but I thought I would mention it.
