Hi All,

I am facing a DDoS attack on a domain; wherever I host that website, no
one is able to keep that website live for more than 3 to 4 hours.

The DDoS attack forces that website down; if it is on shared hosting then all
the other sites go down too, and any dedicated server has the same problem.

I have a Cisco PIX firewall, but the attack is coming in on port 80 from more
than 25,000 IP addresses.


Some logs are below.

On Linux Red Hat ES 3.0

Oct 26 15:06:10 hostname kernel: IPT SYN-FLOOD: IN=eth1 OUT=eth1
SRC=9.58.40.74 DST=website ip LEN=40 TOS=0x00 PREC=0x00 TTL=233 ID=56076 DF
PROTO=TCP SPT=32389 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0 
Oct 26 15:06:30 hostname kernel: IPT SYN-FLOOD: IN=eth1 OUT=eth1
SRC=82.210.64.130 DST=website ip LEN=40 TOS=0x00 PREC=0x00 TTL=233 ID=33854
DF PROTO=TCP SPT=10167 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0 
Oct 26 15:06:50 hostname kernel: IPT SYN-FLOOD: IN=eth1 OUT=eth1
SRC=85.126.44.241 DST=website ip LEN=40 TOS=0x00 PREC=0x00 TTL=233 ID=19251
DF PROTO=TCP SPT=61100 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0 
Oct 26 15:07:11 hostname kernel: IPT SYN-FLOOD: IN=eth1 OUT=eth1
SRC=60.103.222.149 DST=website ip LEN=40 TOS=0x00 PREC=0x00 TTL=233 ID=44079
DF PROTO=TCP SPT=20392 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0 
Oct 26 15:07:30 hostname kernel: IPT SYN-FLOOD: IN=eth1 OUT=eth1
SRC=66.255.51.206 DST=website ip LEN=40 TOS=0x00 PREC=0x00 TTL=233 ID=18178
DF PROTO=TCP SPT=60027 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0 
Oct 26 15:07:56 hostname kernel: IPT SYN-FLOOD: IN=eth1 OUT=eth1
SRC=61.145.16.129 DST=website ip LEN=40 TOS=0x00 PREC=0x00 TTL=233 ID=12097
DF PROTO=TCP SPT=53946 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0 
Oct 26 15:08:27 hostname kernel: IPT SYN-FLOOD: IN=eth1 OUT=eth1
SRC=61.91.236.85 DST=website ip LEN=40 TOS=0x00 PREC=0x00 TTL=233 ID=21172
DF PROTO=TCP SPT=63021 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0 
Oct 26 15:08:30 hostname kernel: IPT SYN-FLOOD: IN=eth1 OUT=eth1
SRC=81.179.174.30 DST=website ip LEN=40 TOS=0x00 PREC=0x00 TTL=233 ID=45293
DF PROTO=TCP SPT=21606 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0 
Oct 26 15:08:50 hostname kernel: IPT SYN-FLOOD: IN=eth1 OUT=eth1
SRC=40.109.19.221 DST=website ip LEN=40 TOS=0x00 PREC=0x00 TTL=233 ID=28169
DF PROTO=TCP SPT=4482 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0 
Oct 26 15:09:10 hostname kernel: IPT SYN-FLOOD: IN=eth1 OUT=eth1
SRC=4.116.173.52 DST=website ip LEN=40 TOS=0x00 PREC=0x00 TTL=233 ID=2634 DF
PROTO=TCP SPT=44483 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0 



On Windows 2003 Server

  TCP    my server ip:80         3.6.246.179:65246      SYN_RECEIVED
  TCP    my server ip:80         3.8.214.12:63037       SYN_RECEIVED
  TCP    my server ip:80         3.11.178.239:4959      SYN_RECEIVED
  TCP    my server ip:80         3.12.96.146:63565      SYN_RECEIVED
  TCP    my server ip:80         3.16.159.122:4377      SYN_RECEIVED
  TCP    my server ip:80         3.18.98.184:65112      SYN_RECEIVED
  TCP    my server ip:80         3.21.56.21:8336        SYN_RECEIVED
  TCP    my server ip:80         3.25.60.157:4210       SYN_RECEIVED
  TCP    my server ip:80         3.26.83.30:62057       SYN_RECEIVED
  TCP    my server ip:80         3.29.151.40:6726       SYN_RECEIVED
  TCP    my server ip:80         3.30.103.117:5136      SYN_RECEIVED
  TCP    my server ip:80         3.32.2.30:4396         SYN_RECEIVED
  TCP    my server ip:80         3.34.88.85:3011        SYN_RECEIVED
  TCP    my server ip:80         3.39.169.208:62960     SYN_RECEIVED
  TCP    my server ip:80         3.40.89.99:6133        SYN_RECEIVED
  TCP    my server ip:80         3.41.95.168:61693      SYN_RECEIVED
  TCP    my server ip:80         3.41.119.55:62004      SYN_RECEIVED
  TCP    my server ip:80         3.43.133.165:492       SYN_RECEIVED
  TCP    my server ip:80         3.45.145.143:5016      SYN_RECEIVED
  TCP    my server ip:80         3.50.86.25:62938       SYN_RECEIVED
  TCP    my server ip:80         3.50.148.107:2019      SYN_RECEIVED
  TCP    my server ip:80         3.53.15.249:1273       SYN_RECEIVED
  TCP    my server ip:80         3.57.163.160:15699     SYN_RECEIVED
  TCP    my server ip:80         3.58.199.227:62187     SYN_RECEIVED
  TCP    my server ip:80         3.65.28.163:1109       SYN_RECEIVED
  TCP    my server ip:80         3.66.206.133:3178      SYN_RECEIVED
  TCP    my server ip:80         3.71.123.42:6593       SYN_RECEIVED
  TCP    my server ip:80         3.83.143.103:2207      SYN_RECEIVED
  TCP    my server ip:80         3.85.92.243:62066      SYN_RECEIVED




Till now I have been hosting at Rackspace, but to prevent the attack Rackspace is
advising me to take a preventier which costs $5000 setup and a $1000 monthly fee to
prevent the DDoS attack for one website of 250 MB space.


Is there any other solution?

Thanks,

Manoj


_______________________________________________
ilugd mailinglist -- [EMAIL PROTECTED]
http://frodo.hserus.net/mailman/listinfo/ilugd
Archives at: http://news.gmane.org/gmane.user-groups.linux.delhi 
http://www.mail-archive.com/[EMAIL PROTECTED]/
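The two kinds of evidence quoted in the post (iptables "IPT SYN-FLOOD" log lines on the Red Hat box, and netstat output showing SYN_RECEIVED connections on the Windows box) can be parsed to confirm what the flood looks like before deciding on a mitigation. The following is an added example written for this thread, not code from the original post or from the list; it parses both formats, counts pure SYN packets per source, counts half-open connections per remote address, and checks whether every source carries one identical TTL/WINDOW pair (as the quoted log does, where all sources show TTL=233 and WINDOW=16384), which is a sign the addresses are generated rather than real hosts. The sample lines are constructed in the same format as the post's logs and use documentation addresses (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24); the thresholds in `assess` are illustrative, not tuned values.

```python
"""Parse iptables LOG lines and netstat output and summarise a SYN flood."""
import re
from collections import Counter

# iptables LOG line: "<ts> <host> kernel: [<prefix>: ]K=V K=V ... FLAG FLAG"
IPT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?:(?P<prefix>[^=]*?): )?(?P<kv>.*)$"
)
# netstat -an line: "TCP <local>:<port> <remote>:<port> <state>"
NETSTAT_RE = re.compile(
    r"^\s*TCP\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+)\s+(?P<state>\S+)\s*$"
)


def parse_ipt_line(line):
    """Return the log's key=value fields plus bare flags (DF, SYN, ACK), or None."""
    m = IPT_RE.match(line)
    if not m:
        return None
    fields, flags = {}, []
    for tok in m.group("kv").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v
        else:
            flags.append(tok)
    fields["flags"] = flags
    fields["ts"] = m.group("ts")
    fields["prefix"] = m.group("prefix") or ""
    return fields


def syn_sources(lines, dpt="80"):
    """Count pure SYNs (SYN set, ACK clear) to dpt per source address.
    Also count the (TTL, WINDOW) pairs seen, used as a crude fingerprint."""
    per_src, fingerprints = Counter(), Counter()
    for line in lines:
        rec = parse_ipt_line(line)
        if rec is None or rec.get("PROTO") != "TCP" or rec.get("DPT") != dpt:
            continue
        if "SYN" in rec["flags"] and "ACK" not in rec["flags"]:
            per_src[rec["SRC"]] += 1
            fingerprints[(rec.get("TTL"), rec.get("WINDOW"))] += 1
    return per_src, fingerprints


def half_open(lines, lport="80"):
    """Count connections stuck in SYN_RECEIVED on lport, per remote address."""
    per_remote = Counter()
    for line in lines:
        m = NETSTAT_RE.match(line)
        if m and m.group("state") == "SYN_RECEIVED" and m.group("lport") == lport:
            per_remote[m.group("raddr")] += 1
    return per_remote


def assess(per_src, fingerprints, min_sources=5, min_total=5):
    """Heuristic verdict; thresholds are illustrative (assumption), not tuned."""
    total, distinct = sum(per_src.values()), len(per_src)
    # Many distinct sources sharing one identical TTL/window pair suggests
    # generated addresses, so blocking them one by one will not help.
    uniform = len(fingerprints) == 1 and distinct >= min_sources
    return {
        "total_syns": total,
        "distinct_sources": distinct,
        "flood": total >= min_total and distinct >= min_sources,
        "uniform_fingerprint": uniform,
    }


# Constructed sample lines in the format of the post's logs (not the originals).
SAMPLE_IPT = [
    "Oct 26 15:06:10 host kernel: IPT SYN-FLOOD: IN=eth1 OUT=eth1 SRC=198.51.100.%d "
    "DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=233 ID=%d DF PROTO=TCP SPT=%d "
    "DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0" % (i, 1000 + i, 30000 + i)
    for i in range(1, 7)
] + [
    # A SYN+ACK from a normal handshake: must not be counted as a flood SYN.
    "Oct 26 15:06:12 host kernel: IPT SYN-FLOOD: IN=eth1 OUT=eth1 SRC=203.0.113.5 "
    "DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=TCP SPT=44000 "
    "DPT=80 WINDOW=5840 RES=0x00 ACK SYN URGP=0",
    # A line logged without --log-prefix, to another port: must be ignored.
    "Oct 26 15:06:13 host kernel: IN=eth1 OUT= SRC=203.0.113.6 DST=192.0.2.10 "
    "LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=8 DF PROTO=TCP SPT=44001 DPT=22 "
    "WINDOW=5840 RES=0x00 SYN URGP=0",
]
SAMPLE_NETSTAT = [
    "  TCP    192.0.2.10:80    198.51.100.1:65246   SYN_RECEIVED",
    "  TCP    192.0.2.10:80    198.51.100.2:63037   SYN_RECEIVED",
    "  TCP    192.0.2.10:80    198.51.100.2:63038   SYN_RECEIVED",
    "  TCP    192.0.2.10:80    203.0.113.5:44000    ESTABLISHED",
    "  TCP    192.0.2.10:22    203.0.113.7:50000    SYN_RECEIVED",
]

if __name__ == "__main__":
    srcs, fps = syn_sources(SAMPLE_IPT)
    print("iptables:", assess(srcs, fps))
    print("netstat half-open per remote:", dict(half_open(SAMPLE_NETSTAT)))
```

On the quoted logs this would report thousands of distinct sources with a single TTL/WINDOW fingerprint, which is why per-address blocking on the PIX cannot keep up. The host-side measure that directly addresses half-open connection exhaustion is SYN cookies (`net.ipv4.tcp_syncookies = 1` on Linux); beyond that, the filtering has to happen upstream of the server's own link, which is the service the post says Rackspace is offering.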