
Anti-DDoS [Apache]

I was wondering if anyone could PM me for some clarification on this.

I don't want to really mess with my Apache if this won't work properly.

Now, my server has been under attack, not as bad as before, but it still happens at least once a day.

I don't want to go into the specifics of what they use, because the sad thing is most people will just enter the program name into google.com lmfao..

So my question, will UDP Floods, and SYN attacks be weakened from this?
It seems a lot of OT servers are having this problem nowadays.. the only servers I ever see that are North American with over 250+ online are Cytnara, RPGForge of elements, Collapser..

Now, I know 2 of those are on a VPS/Dedicated with a decent internet line, and Collapser, I believe... if I read right from an earlier post of his, he hosts with a nice computer from home (on a good internet)

I've talked to my VPS staff about alternatives to fixing UDP Flood/Syn Packets..

They have tried null routing attacking IPs (still don't see how that's possible with source IP spoofed packets)

They suggested switching my IP (lmfao!!) obviously if they found the IP once they can do it again,

And now their final suggestion is a heavy duty firewall. I told them that unless they could promise that it would stop my problem I didn't want it.


So any thoughts?

If you use this cms:
http://otland.net/f118/gesior-acc-znote-prefix-edition-chronic-elements-mystic-spirit-47984/
<Gesior-ACC Znote Prefix Edition is specially built to prevent DoS attacks, as well as to make sure regular users who browse it don't become a victim of the anti-DoS system>

And use the DoSHttP 2.0 system. You get a DoS/DDoS-secure homesite, I can assure you.

However, this only prevents DoS/DDoS attacks from the Apache flood, from the homesite. It is possible to DoS/DDoS attack in other ways than that. But this is the most normal way of being attacked.
 
Nice thread.

I have been monitoring my logs for some time now and am really getting aggravated seeing all these hack attempts coming from various countries (some even in the US).

I am looking for some functionality:

Add OS level block rules (win2k3s) using 'netsh ipsec static add filter filterlist=ipblockfilterlist srcaddr=91.212.127.100 dstaddr=Me'
with DOSSystemCommand

I would also like to somehow capture all the w00tw00t and phpmyadmin* shit and perma ban not only their IP, but their whole ISP's subnet as well. Can mod_security send shell commands?

Maybe I can find some whois command line scriptage that would turn 91.212.127.100 into 91.212.127.0/24 or 80.96.150.135 into 80.96.150.0/23.

I want to do this database style, in other words, I don't want to add dupe entries to my ipsec table. I am guessing in theory though, once it gets "OS blocked", it should cease to show in the Apache logs.

I made a configuration include called httpd-firewall.conf, but this seems to be getting out of hand, and I think it isn't even working after it gets too many (unless they know how to get past this)

<Files *>
order deny,allow

# Chinese IP addresses follow:
deny from 58.17.0.0/16 ...
...

I also have mod_security installed, but this seems to block out some legit stuff (maybe I need to tweak the ruleset some more and learn how to do it right)
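Added example (not part of the post above, and not code from mod_security or mod_dosevasive): one way to do the log-to-subnet step the post asks for, pulling scanner requests out of an Apache access log, collapsing the clients to networks, skipping networks that are already blocked, and emitting the post's `netsh ipsec static add filter` command with `srcmask`. It assumes the combined log format and a fixed /24 in place of a whois lookup; the function names, the sample log lines and the documentation-range addresses are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample lines in Apache combined log format (documentation addresses).
SAMPLE_LOG = """\
198.51.100.100 - - [10/Oct/2010:13:55:36 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"
198.51.100.7 - - [10/Oct/2010:13:55:40 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 209 "-" "-"
203.0.113.135 - - [10/Oct/2010:14:01:02 +0000] "GET /phpMyAdmin-2.5.5/index.php HTTP/1.1" 404 215 "-" "-"
192.0.2.9 - - [10/Oct/2010:14:02:11 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Client address and the quoted request line of one log entry.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "([^"]*)"')
# The two scanner signatures named in the post.
SCAN_RE = re.compile(r"w00tw00t|phpmyadmin", re.IGNORECASE)


def scanner_networks(log_text, prefix=24):
    """Return sorted, de-duplicated IPv4 networks whose hosts sent scanner requests."""
    nets = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not SCAN_RE.search(m.group(2)):
            continue
        try:
            # strict=False masks the host bits: 198.51.100.7/24 -> 198.51.100.0/24
            nets.add(ipaddress.IPv4Network(f"{m.group(1)}/{prefix}", strict=False))
        except ValueError:
            continue  # client field was a hostname, IPv6 or malformed
    return sorted(nets)


def netsh_commands(nets, already_blocked=(), filterlist="ipblockfilterlist"):
    """Build one netsh command per network that is not covered by an existing block."""
    known = {ipaddress.IPv4Network(n) for n in already_blocked}
    cmds = []
    for net in nets:
        if any(net.subnet_of(k) for k in known):
            continue  # no duplicate entries in the filter list
        known.add(net)
        cmds.append(
            f"netsh ipsec static add filter filterlist={filterlist} "
            f"srcaddr={net.network_address} srcmask={net.netmask} dstaddr=Me"
        )
    return cmds


if __name__ == "__main__":
    for cmd in netsh_commands(scanner_networks(SAMPLE_LOG)):
        print(cmd)
```

Feeding the set of networks already in the filter list back in as `already_blocked` on each run is what keeps the table free of duplicates.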
 
I can't seem to get "DOSSystemCommand" working

I tried:
DOSSystemCommand "cmd /c echo test >> c:/xampp/apache/logs/ddos.log"
DOSSystemCommand "echo test >> c:/xampp/apache/logs/ddos.log"
DOSSystemCommand "filter.bat" (with filter.bat doing said echo-to-file)
DOSSystemCommand "cmd /c echo test >> c:\xampp\apache\logs\ddos.log"
DOSSystemCommand "cmd /c echo test >> c:\\xampp\\apache\\logs\\ddos.log"
DOSSystemCommand "echo %s >> /xampp/apache/logs/ddos.log"


I know I got mod_dosevasive22 working according to ragal's first post (at least when I F5-refresh the browser a bunch from another address I get "Possible DOS Attack" in my error.log, which is in the mod_dosevasive22.c file).

I also looked at DOSSystemCommand which refers to get_system_command which refers to system_command which does _snprintf(filename, sizeof(filename), system_command, r->connection->remote_ip); then system(filename);

To me, this should be working, but I cannot figure out why it isn't.

Any ideas?
 
Don't know if this is already posted but,
100% protection=Bullshit, there's no getting away from the fact that INFO IS SENT TO YOUR IP
Mass Ping protection: BULLSHIT, the OS's ping service has nothing to do with Apache.. (well, the equivalent would be keep-connection-alive, which sends info somewhat similar to ping..)

but else, dosevasive is helpful :p
 
Well, I know this mod, and it works well with
Code:
    DOSHashTableSize        3097
    DOSPageCount            2
    DOSSiteCount            50
    DOSPageInterval         1
    DOSSiteInterval         1
    DOSBlockingPeriod       20
    DOSSystemCommand        none
    DOSWhitelist            localhost, 127.0.0.1
but GESIOR-ACC now can't create any character cuz when you are typing the nickname you get blocked. OK, the solution is to put a bigger number in DOSPageCount, but if u put a bigger number the mod doesn't work cuz Apache starts to crash cuz of SYN again... any suggestion??

had the same problem, remove the checkname function at accountmanagement.php
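Added example (not from the thread and not mod_dosevasive's source): a simplified model of a per-page hit counter using the `DOSPageCount`, `DOSPageInterval` and `DOSBlockingPeriod` values quoted above, showing how a name check that fires on every keystroke trips a threshold of 2 per second. It assumes one request per keystroke at 5 keystrokes per second to a single URI; the function names and request timings are constructed for illustration.

```python
def spaced(n, gap_ms):
    """n request timestamps in seconds, gap_ms milliseconds apart, starting at 0."""
    return [i * gap_ms / 1000 for i in range(n)]


def blocked_hits(times, page_count, page_interval, blocking_period):
    """Return the request times one client would see rejected for one URI.

    Simplified model: count hits inside a window of page_interval seconds;
    the hit that pushes the count above page_count starts a block, and every
    hit during a block is rejected and restarts the blocking period.
    """
    window_start = None
    count = 0
    blocked_until = None
    rejected = []
    for t in times:
        if blocked_until is not None and t < blocked_until:
            rejected.append(t)
            blocked_until = t + blocking_period  # repeat hits extend the block
            continue
        if window_start is None or t - window_start >= page_interval:
            window_start, count = t, 0  # a new counting window begins
        count += 1
        if count > page_count:
            rejected.append(t)
            blocked_until = t + blocking_period
    return rejected


# Constructed traffic: a user typing an 8-character name (one check per
# keystroke, 200 ms apart) and a single client sending 50 requests in 1 s.
TYPING = spaced(8, 200)
FLOOD = spaced(50, 20)

if __name__ == "__main__":
    for label, traffic in (("typing", TYPING), ("flood", FLOOD)):
        for page_count in (2, 10):
            n = len(blocked_hits(traffic, page_count, 1, 20))
            print(f"{label:6} DOSPageCount={page_count:<2} rejected {n}/{len(traffic)}")
```

In this model the typing user loses 6 of 8 requests at `DOSPageCount 2` and none at 10, while the 50-request burst is still cut off at either setting.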
 
This doesn't give any protection at all against SYN and half open attacks.
 
If you get attacked by more than 100 bots your server's internet is off for hours. This protects you from DoS, not DDoS.
 
If you get attacked by more than 100 bots your server's internet is off for hours. This protects you from DoS, not DDoS.

If you use my trick to use an external image host as well as this, the bots will have a hard time. And if you have 10+Mbps upload, you could actually withstand 100 bots if you adjust it a little.

However, as the previous post said, this does not block all kinds of DoS/DDoS attacks. It's actually pretty limited.
 