Nov 22, 2009

DDoS Attack Help Needed

dheeraj4uuu
Hello,

My server is using too many httpd processes. I think I am under DDoS attack. I executed the following command:

CODE
netstat -an | grep :80 | sort


And the result is this:


CODE
tcp 0 1491 ::ffff:95.211.10.169:80 ::ffff:213.215.100.110:2263 LAST_ACK
tcp 0 1493 ::ffff:95.211.10.169:80 ::ffff:85.207.126.231:52694 LAST_ACK
tcp 0 1533 ::ffff:95.211.10.169:80 ::ffff:207.54.100.81:1907 LAST_ACK
tcp 0 1555 ::ffff:95.211.10.169:80 ::ffff:94.216.199.59:49666 LAST_ACK
tcp 0 1556 ::ffff:95.211.10.169:80 ::ffff:79.199.224.51:1250 LAST_ACK
tcp 0 1558 ::ffff:95.211.10.169:80 ::ffff:207.219.125.9:4445 LAST_ACK
tcp 0 1569 ::ffff:95.211.10.169:80 ::ffff:122.161.153.56:2788 LAST_ACK
tcp 0 1579 ::ffff:95.211.10.169:80 ::ffff:62.31.54.30:50167 LAST_ACK
tcp 0 1584 ::ffff:95.211.10.169:80 ::ffff:79.101.147.239:54629 LAST_ACK
tcp 0 1604 ::ffff:95.211.10.169:80 ::ffff:89.132.65.227:4880 LAST_ACK
tcp 0 1617 ::ffff:95.211.10.169:80 ::ffff:82.25.181.8:4227 LAST_ACK
tcp 0 1628 ::ffff:95.211.10.169:80 ::ffff:77.46.252.70:2116 LAST_ACK
tcp 0 1723 ::ffff:95.211.10.169:80 ::ffff:88.178.111.6:3838 LAST_ACK
tcp 0 3252 ::ffff:95.211.10.169:80 ::ffff:76.120.33.115:4181 LAST_ACK
tcp 106 0 ::ffff:95.211.10.169:80 ::ffff:174.132.216.26:38244 ESTABLISHED
tcp 163 0 ::ffff:95.211.10.169:80 ::ffff:193.2.216.130:41690 CLOSE_WAIT
tcp 164 0 ::ffff:95.211.10.169:80 ::ffff:76.174.2.134:65249 CLOSE_WAIT
tcp 177 0 ::ffff:95.211.10.169:80 ::ffff:119.63.194.124:46871 CLOSE_WAIT
tcp 196 0 ::ffff:95.211.10.169:80 ::ffff:77.232.69.160:51396 CLOSE_WAIT
tcp 213 0 ::ffff:95.211.10.169:80 ::ffff:174.36.52.105:38332 CLOSE_WAIT
tcp 218 0 ::ffff:95.211.10.169:80 ::ffff:72.30.142.183:45186 CLOSE_WAIT
tcp 218 0 ::ffff:95.211.10.169:80 ::ffff:72.30.142.183:46711 CLOSE_WAIT
tcp 218 0 ::ffff:95.211.10.169:80 ::ffff:72.30.142.183:47529 CLOSE_WAIT
tcp 219 0 ::ffff:95.211.10.169:80 ::ffff:67.228.157.57:53628 CLOSE_WAIT
tcp 225 0 ::ffff:95.211.10.169:80 ::ffff:75.7.19.214:61179 CLOSE_WAIT
tcp 226 0 ::ffff:95.211.10.169:80 ::ffff:174.36.52.109:57823 CLOSE_WAIT
tcp 226 0 ::ffff:95.211.10.169:80 ::ffff:174.36.52.98:45852 CLOSE_WAIT
tcp 228 0 ::ffff:95.211.10.169:80 ::ffff:174.36.52.98:32786 CLOSE_WAIT
tcp 231 0 ::ffff:95.211.10.169:80 ::ffff:75.37.34.143:50308 CLOSE_WAIT
tcp 247 0 ::ffff:95.211.10.169:80 ::ffff:174.36.52.110:35686 CLOSE_WAIT
tcp 253 0 ::ffff:95.211.10.169:80 ::ffff:75.37.34.143:50198 CLOSE_WAIT
tcp 253 0 ::ffff:95.211.10.169:80 ::ffff:97.74.24.1:34023 CLOSE_WAIT
tcp 275 0 ::ffff:95.211.10.169:80 ::ffff:66.249.68.230:33723 CLOSE_WAIT
tcp 332 0 ::ffff:95.211.10.169:80 ::ffff:74.55.61.2:3147 CLOSE_WAIT
tcp 367 0 ::ffff:95.211.10.169:80 ::ffff:213.55.78.183:38888 ESTABLISHED
tcp 368 0 ::ffff:95.211.10.169:80 ::ffff:93.86.209.115:58909 CLOSE_WAIT
tcp 374 0 ::ffff:95.211.10.169:80 ::ffff:87.208.191.218:51908 ESTABLISHED
tcp 380 0 ::ffff:95.211.10.169:80 ::ffff:82.236.100.52:3241 ESTABLISHED
tcp 405 0 ::ffff:95.211.10.169:80 ::ffff:72.30.142.183:45525 CLOSE_WAIT
tcp 405 0 ::ffff:95.211.10.169:80 ::ffff:72.30.142.183:46994 CLOSE_WAIT
tcp 405 0 ::ffff:95.211.10.169:80 ::ffff:72.30.142.183:48590 CLOSE_WAIT
tcp 413 0 ::ffff:95.211.10.169:80 ::ffff:71.254.106.108:50578 ESTABLISHED
tcp 417 0 ::ffff:95.211.10.169:80 ::ffff:72.30.142.183:49632 CLOSE_WAIT
tcp 420 0 ::ffff:95.211.10.169:80 ::ffff:72.30.142.183:55229 CLOSE_WAIT
tcp 434 0 ::ffff:95.211.10.169:80 ::ffff:92.249.214.140:49432 ESTABLISHED
tcp 445 0 ::ffff:95.211.10.169:80 ::ffff:189.19.6.79:62627 CLOSE_WAIT
tcp 463 0 ::ffff:95.211.10.169:80 ::ffff:79.47.143.218:1558 ESTABLISHED
tcp 468 0 ::ffff:95.211.10.169:80 ::ffff:72.30.142.183:45015 CLOSE_WAIT
tcp 468 0 ::ffff:95.211.10.169:80 ::ffff:72.30.142.183:46515 CLOSE_WAIT
tcp 468 0 ::ffff:95.211.10.169:80 ::ffff:72.30.142.183:48100 CLOSE_WAIT
tcp 502 0 ::ffff:95.211.10.169:80 ::ffff:85.193.245.38:55076 ESTABLISHED
tcp 506 0 ::ffff:95.211.10.169:80 ::ffff:72.252.26.104:53420 ESTABLISHED
tcp 523 0 ::ffff:95.211.10.169:80 ::ffff:212.175.112.14:53611 CLOSE_WAIT
tcp 528 0 ::ffff:95.211.10.169:80 ::ffff:24.203.90.163:2290 ESTABLISHED
tcp 529 0 ::ffff:95.211.10.169:80 ::ffff:129.1.31.93:4646 CLOSE_WAIT
tcp 536 0 ::ffff:95.211.10.169:80 ::ffff:200.77.144.43:42023 ESTABLISHED
tcp 538 0 ::ffff:95.211.10.169:80 ::ffff:87.208.191.218:51909 ESTABLISHED
tcp 547 0 ::ffff:95.211.10.169:80 ::ffff:89.134.70.155:4610 CLOSE_WAIT
tcp 549 0 ::ffff:95.211.10.169:80 ::ffff:91.150.114.16:11949 ESTABLISHED
tcp 552 0 ::ffff:95.211.10.169:80 ::ffff:201.29.216.114:61179 CLOSE_WAIT
tcp 553 0 ::ffff:95.211.10.169:80 ::ffff:69.250.23.83:38959 CLOSE_WAIT
tcp 553 0 ::ffff:95.211.10.169:80 ::ffff:91.150.114.16:11948 ESTABLISHED
tcp 556 0 ::ffff:95.211.10.169:80 ::ffff:24.238.26.131:4387 CLOSE_WAIT
tcp 556 0 ::ffff:95.211.10.169:80 ::ffff:24.238.26.131:4388 CLOSE_WAIT
tcp 556 0 ::ffff:95.211.10.169:80 ::ffff:91.150.114.16:11946 ESTABLISHED
tcp 561 0 ::ffff:95.211.10.169:80 ::ffff:91.150.114.16:11945 ESTABLISHED
tcp 565 0 ::ffff:95.211.10.169:80 ::ffff:94.189.144.75:62532 CLOSE_WAIT
tcp 566 0 ::ffff:95.211.10.169:80 ::ffff:69.250.23.83:39887 CLOSE_WAIT
tcp 566 0 ::ffff:95.211.10.169:80 ::ffff:71.105.25.22:50343 CLOSE_WAIT
tcp 569 0 ::ffff:95.211.10.169:80 ::ffff:87.114.146.77:49670 CLOSE_WAIT
tcp 572 0 ::ffff:95.211.10.169:80 ::ffff:69.250.23.83:36593 CLOSE_WAIT
tcp 572 0 ::ffff:95.211.10.169:80 ::ffff:69.250.23.83:42953 CLOSE_WAIT
tcp 572 0 ::ffff:95.211.10.169:80 ::ffff:79.55.86.219:50245 CLOSE_WAIT
tcp 574 0 ::ffff:95.211.10.169:80 ::ffff:77.51.10.24:46057 CLOSE_WAIT
tcp 577 0 ::ffff:95.211.10.169:80 ::ffff:87.196.21.10:49359 CLOSE_WAIT
tcp 583 0 ::ffff:95.211.10.169:80 ::ffff:193.179.147.25:14006 CLOSE_WAIT
tcp 584 0 ::ffff:95.211.10.169:80 ::ffff:188.48.82.219:49322 CLOSE_WAIT
tcp 590 0 ::ffff:95.211.10.169:80 ::ffff:120.50.180.171:2153 CLOSE_WAIT
tcp 604 0 ::ffff:95.211.10.169:80 ::ffff:77.51.10.24:46055 CLOSE_WAIT
tcp 612 0 ::ffff:95.211.10.169:80 ::ffff:77.51.10.24:46056 CLOSE_WAIT
tcp 613 0 ::ffff:95.211.10.169:80 ::ffff:86.49.14.151:61271 ESTABLISHED
tcp 620 0 ::ffff:95.211.10.169:80 ::ffff:89.137.146.69:2894 CLOSE_WAIT
tcp 621 0 ::ffff:95.211.10.169:80 ::ffff:76.225.187.232:61191 ESTABLISHED
tcp 628 0 ::ffff:95.211.10.169:80 ::ffff:189.84.86.105:1599 CLOSE_WAIT
tcp 628 0 ::ffff:95.211.10.169:80 ::ffff:189.84.86.105:1601 CLOSE_WAIT
tcp 628 0 ::ffff:95.211.10.169:80 ::ffff:189.84.86.105:1603 CLOSE_WAIT
tcp 632 0 ::ffff:95.211.10.169:80 ::ffff:41.5.28.26:18778 CLOSE_WAIT
tcp 634 0 ::ffff:95.211.10.169:80 ::ffff:189.30.226.197:61086 CLOSE_WAIT
tcp 643 0 ::ffff:95.211.10.169:80 ::ffff:189.123.210.44:4998 CLOSE_WAIT
tcp 649 0 ::ffff:95.211.10.169:80 ::ffff:24.250.124.104:42269 CLOSE_WAIT
tcp 651 0 ::ffff:95.211.10.169:80 ::ffff:67.10.160.58:32969 CLOSE_WAIT
tcp 655 0 ::ffff:95.211.10.169:80 ::ffff:125.165.64.213:1462 CLOSE_WAIT
tcp 656 0 ::ffff:95.211.10.169:80 ::ffff:201.34.141.37:45240 ESTABLISHED
tcp 661 0 ::ffff:95.211.10.169:80 ::ffff:194.80.32.10:43557 CLOSE_WAIT
tcp 726 0 ::ffff:95.211.10.169:80 ::ffff:24.177.14.59:1390 CLOSE_WAIT
tcp 731 0 ::ffff:95.211.10.169:80 ::ffff:200.2.152.130:41983 CLOSE_WAIT
tcp 733 0 ::ffff:95.211.10.169:80 ::ffff:90.40.196.232:52809 ESTABLISHED
tcp 733 0 ::ffff:95.211.10.169:80 ::ffff:90.40.196.232:52816 ESTABLISHED
tcp 760 0 ::ffff:95.211.10.169:80 ::ffff:74.216.117.95:60982 CLOSE_WAIT
tcp 763 0 ::ffff:95.211.10.169:80 ::ffff:220.227.41.243:42352 ESTABLISHED
tcp 865 0 ::ffff:95.211.10.169:80 ::ffff:83.103.111.12:2905 ESTABLISHED
tcp 975 0 ::ffff:95.211.10.169:80 ::ffff:82.80.156.64:1263 CLOSE_WAIT


Am I under a DDoS attack? If so, please tell me how to avoid this.
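A listing like the one in the post above is easier to read as tallies per TCP state and per remote address. The script below is an added example, not part of the original post; the function names are illustrative, and the sample lines are constructed using documentation address ranges.

```shell
#!/bin/sh
# Added example. Sample lines are constructed (documentation address ranges).
sample_netstat() {
cat <<'EOF'
tcp 0 0 :::80 :::* LISTEN
tcp 0 1491 ::ffff:192.0.2.10:80 ::ffff:198.51.100.7:2263 LAST_ACK
tcp 218 0 ::ffff:192.0.2.10:80 ::ffff:203.0.113.5:45186 CLOSE_WAIT
tcp 218 0 ::ffff:192.0.2.10:80 ::ffff:203.0.113.5:46711 CLOSE_WAIT
tcp 405 0 ::ffff:192.0.2.10:80 ::ffff:203.0.113.5:45525 CLOSE_WAIT
tcp 106 0 ::ffff:192.0.2.10:80 ::ffff:198.51.100.7:38244 ESTABLISHED
tcp 0 0 192.0.2.10:80 198.51.100.99:51000 ESTABLISHED
tcp 0 0 192.0.2.10:22 198.51.100.99:51001 ESTABLISHED
EOF
}

# Keep only TCP sockets whose LOCAL port is exactly 80 (a bare `grep :80`
# also matches :8080 and remote ports), and skip the listening socket.
web_conns() {
  awk '$1 ~ /^tcp/ && $4 ~ /:80$/ && $6 != "LISTEN"'
}

# Connections per TCP state, most common first.
count_states() {
  web_conns | awk '{ n[$6]++ } END { for (s in n) print n[s], s }' |
    sort -k1,1nr -k2,2
}

# Connections per remote address, most active first.
count_sources() {
  web_conns | awk '{
      addr = $5
      sub(/:[0-9]+$/, "", addr)   # drop the remote port
      sub(/^::ffff:/, "", addr)   # unwrap IPv4-mapped IPv6
      n[addr]++
    }
    END { for (a in n) print n[a], a }' | sort -k1,1nr -k2,2
}

# Remote addresses holding at least $1 connections.
heavy_sources() {
  count_sources | awk -v min="$1" '$1 >= min { print $2 }'
}

sample_netstat | count_states
sample_netstat | count_sources
sample_netstat | heavy_sources 2
```

On a live server, feed the functions real data with `netstat -an | count_sources | head`. A large CLOSE_WAIT count means the remote side has closed and the local web server has not yet closed its end of the socket.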

 

 

 



CrazyRob
You need to null route the IP address... Ask your upstream to do this for you.


-Sky-
Well, by the looks of things, it looks like your server has been attacked. Do you have a Firewall installed? If not, use the Firewall I have provided in the RS link. Read the readme file on how to configure the firewall script.

CODE
http://rapidshare.com/files/238693036/InV-Firewall_Script_1.0.0.zip


frozen.fish
Do I need to install that on shared servers, or will the hosting company take care of that?
