Flood Help me guys

Everything concerning Apache can be discussed here.

Postby Bcostin » 04. December 2011 01:45

Hello XAMPP friends, I have a problem with this guy (a pro Apache guy or not, I don't know, but he knows how to do some things). I have a Mu server that is connected to SQL 2000, and a website.

All 3 parts are very important. I use Windows 2003, so this is a picture of how my computer is now:

Image



The point of this guy is to make lag on my server, drop my website (succeeded) and hopefully d/c my users.

Because he hits the page with many IPs (I don't know how you can see my log), I use Sygate Firewall security; you can see there the amount of data incoming. With Apache getting so loaded my CPU is at 99% and of course I have lag on my server.


Please help me
Bcostin
 
Posts: 8
Joined: 03. December 2011 00:12
XAMPP Version: 5.6.3
Operating System: Windows server 2003

Re: Flood Help me guys

Postby Bcostin » 05. December 2011 11:25

So I have this friend who advised me to install this script in my index.php from htdocs, which will allow me to kick these ping floods.

Like this, this is the script:

Code: Select all


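<?php
if (!isset($_SESSION)) {
    session_start();
}
// anti flood protection: compare with the time of the previous request stored in this session
// (isset() avoids an undefined-index notice on the first request of a session)
if (isset($_SESSION['last_session_request']) && $_SESSION['last_session_request'] > time() - 2) {
    // users will be redirected to this page if they make requests faster than every 2 seconds
    header("Location: /flood.html");
    exit;
}
$_SESSION['last_session_request'] = time();
?>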


Thx and use it well
Bcostin
 
Posts: 8
Joined: 03. December 2011 00:12
XAMPP Version: 5.6.3
Operating System: Windows server 2003

Re: Flood Help me guys

Postby Altrea » 05. December 2011 11:38

You don't kick anything, you just redirect some requests.
A solution would be to use a good and well-configured hardware firewall and block unwanted requests.
We don't provide any support via personal channels like PM, email, Skype, TeamViewer!

It's like porn for programmers 8)
Altrea
AF Moderator
 
Posts: 6610
Joined: 17. August 2009 13:05
XAMPP Version: 5.5.19
Operating System: W7Ux64

Re: Flood Help me guys

Postby Bcostin » 05. December 2011 11:42

How can you block traffic that looks just like a normal user but is coming from more IPs? See my pictures there to see the requests they do; it is just a program.
Bcostin
 
Posts: 8
Joined: 03. December 2011 00:12
XAMPP Version: 5.6.3
Operating System: Windows server 2003

Re: Flood Help me guys

Postby Altrea » 05. December 2011 12:39

What will be the consequence of your redirect:
Only 1 request every 2 seconds will get to your valid page. This request can be a real user, a crawler bot or a flood bot. It's fully random.

You can try to find out all single IPs and block them.
Or you try to find out IP regions. Many of your requests came from Russia or China. Block them.
Or try to identify the flood bots with metadata (user agent for example).

Last but not least, administration of a webserver is not for everybody.
In most cases web hosting packages make much more sense than administrating a server by yourself. The web hosting companies take care of all the security things and much more for just a few bucks.
Altrea
AF Moderator
 
Posts: 6610
Joined: 17. August 2009 13:05
XAMPP Version: 5.5.19
Operating System: W7Ux64
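
Added example, not part of the thread: one way to look for the shared metadata suggested in the post above, by grouping Apache combined-format access-log lines by user agent and listing the addresses behind an agent string that dominates the traffic. The log lines, the `ExampleFlood/1.0` agent string, the function names and both thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$')

def suspicious_agents(lines, min_ips=5, min_share=0.5):
    """Return {user_agent: sorted client IPs} for agents seen from at least `min_ips`
    distinct addresses that also make up at least `min_share` of all parsed requests."""
    ips_by_agent = defaultdict(set)
    hits_by_agent = defaultdict(int)
    total = 0
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # ignore lines that are not in combined format
        ip, _method, _uri, _status, agent = m.groups()
        ips_by_agent[agent].add(ip)
        hits_by_agent[agent] += 1
        total += 1
    return {agent: sorted(ips) for agent, ips in ips_by_agent.items()
            if len(ips) >= min_ips and hits_by_agent[agent] >= min_share * total}

def deny_directives(flagged):
    """Render flagged addresses as Apache 2.2 'Deny from' lines, to be reviewed before use."""
    return [f"Deny from {ip}" for ips in flagged.values() for ip in ips]

def sample_log():
    """Constructed log: 8 addresses sharing one agent string, plus 2 ordinary browsers."""
    fmt = '{ip} - - [05/Dec/2011:11:00:{s:02d} +0100] "GET {uri} HTTP/1.1" 200 512 "-" "{ua}"'
    lines = [fmt.format(ip=f"203.0.113.{n}", s=s, uri="/index.php", ua="ExampleFlood/1.0")
             for n in range(1, 9) for s in range(3)]
    lines.append(fmt.format(ip="192.0.2.10", s=1, uri="/index.php",
                            ua="Mozilla/5.0 (Windows NT 6.1)"))
    lines.append(fmt.format(ip="192.0.2.11", s=2, uri="/webshop.php",
                            ua="Opera/9.80 (Windows NT 5.1)"))
    return lines

if __name__ == "__main__":
    for directive in deny_directives(suspicious_agents(sample_log())):
        print(directive)
```

A flood tool that copies a common browser's agent string will not stand out this way, so the share threshold has to be checked against what normal traffic on the site looks like.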

Re: Flood Help me guys

Postby Bcostin » 05. December 2011 16:49

Good, I will be ready to take this to the next level and buy a hosting service, but what about the page connecting with SQL and taking my data from my computer? I will have to open my SQL service and make my database vulnerable.
Bcostin
 
Posts: 8
Joined: 03. December 2011 00:12
XAMPP Version: 5.6.3
Operating System: Windows server 2003

Re: Flood Help me guys

Postby Bcostin » 09. December 2011 07:58

Depending on what type of traffic and also what type of attack it is you may need to reconfigure a number of system variables to prepare the system for extra load as it processes which connection is technically " fake ".

There are a number of tools -

Check to see if it is an attack - :: netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

Apache -

Mod_evasive
httpd.conf - reconfiguration ( timeout, keepalive, server spawn )

Connection Monitoring -

netstat -

- Run these commands to seek all connections on port 80, with type SYN.

netstat -n | grep :80 |wc -l

netstat -n | grep :80 | grep SYN |wc -l

install bwm-ng ( bandwidth monitor )

sysctl.conf - hardening/reconfiguration. Helps the box handle extra load as connections are being processed.

Enable syncookies as well via echo 1 > /proc/sys/net/ipv4/tcp_syncookies




So this is the best I found: to use this mod_evasive, like install it in Apache and httpd.conf. I have seen more info but I don't know where and how to put the commands; if I press run cmd, the commands will not activate.
Bcostin
 
Posts: 8
Joined: 03. December 2011 00:12
XAMPP Version: 5.6.3
Operating System: Windows server 2003

Re: Flood Help me guys

Postby Bcostin » 12. December 2011 05:51

What about that mod_evasive22.so, a DLL file for Windows?
Bcostin
 
Posts: 8
Joined: 03. December 2011 00:12
XAMPP Version: 5.6.3
Operating System: Windows server 2003

Re: Flood Help me guys

Postby Altrea » 12. December 2011 05:57

I don't know mod_evasive much, but I think that module will not help you.

The module uses hash tables filled with the request IPs and blocks all IPs in a blacklist that produce X requests in X seconds.
In your case you have multiple IP addresses, so the blacklist will not fit.

But it's your server, do what you want to.
Nothing more to say.
Altrea
AF Moderator
 
Posts: 6610
Joined: 17. August 2009 13:05
XAMPP Version: 5.5.19
Operating System: W7Ux64
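
Added example, not part of the thread and not mod_evasive's own code: a simplified model of per-IP request counting with a blocking list, using the directive values quoted in this thread, replayed against one fast client and against many slow ones. The class, function names and traffic are constructed; fixed counting windows are an assumption of the model.

```python
# Values from the httpd.conf block quoted in this thread.
CFG = {"DOSPageCount": 2, "DOSPageInterval": 1, "DOSSiteCount": 50,
       "DOSSiteInterval": 1, "DOSBlockingPeriod": 10}

class PerIpLimiter:
    """Simplified per-IP request counter with a blocking list."""
    def __init__(self, cfg=CFG):
        self.cfg = cfg
        self.page = {}     # (ip, uri) -> (window start, count)
        self.site = {}     # ip -> (window start, count)
        self.blocked = {}  # ip -> time of the last blocked request

    def _exceeded(self, table, key, now, interval, limit):
        start, count = table.get(key, (now, 0))
        if now - start >= interval:  # interval elapsed: begin a new window
            start, count = now, 0
        count += 1
        table[key] = (start, count)
        return count > limit

    def handle(self, ip, uri, now):
        """Return the status code a client would receive at time `now` (seconds)."""
        c = self.cfg
        last = self.blocked.get(ip)
        if last is not None and now - last < c["DOSBlockingPeriod"]:
            self.blocked[ip] = now  # each request while blocked resets the timer
            return 403
        page_hit = self._exceeded(self.page, (ip, uri), now, c["DOSPageInterval"], c["DOSPageCount"])
        site_hit = self._exceeded(self.site, ip, now, c["DOSSiteInterval"], c["DOSSiteCount"])
        if page_hit or site_hit:
            self.blocked[ip] = now
            return 403
        return 200

def replay(events):
    """Replay (time, ip, uri) events; return (requests served, set of blocked IPs)."""
    limiter = PerIpLimiter()
    served, blocked = 0, set()
    for now, ip, uri in events:
        if limiter.handle(ip, uri, now) == 200:
            served += 1
        else:
            blocked.add(ip)
    return served, blocked

# Constructed traffic: one address sending 10 requests per second for 3 seconds.
single_source = [(s + i / 10, "198.51.100.7", "/index.php") for s in range(3) for i in range(10)]
# Constructed traffic: 361 addresses, each requesting the page once per second for 3 seconds.
many_sources = [(s, f"10.0.{n // 250}.{n % 250 + 1}", "/index.php")
                for s in range(3) for n in range(361)]
```

In this model the single fast client gets 2 of its 30 requests served, while all 1083 requests from the 361 slow clients are served and none of them is blocked.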

Re: Flood Help me guys

Postby Bcostin » 12. December 2011 06:31

It is a Mu server with SQL and a XAMPP webpage. The webpage is very important because of the registration to the MuServer, and the webshop; they flood this.

I have found several things to update here for my friends that helped me a little bit.


First is KiwiFirewall2011. It is really nice but I can't make it work only on port 80; it seems that it can see the TCP traffic only when it is set to "Any". If you have a server that is bad, because it can see the traffic from the other ports, but you can get used to releasing IPs.

What is so good about this typical firewall is its low use of memory and CPU when it blocks the IP. While Sygate firewall will stay at up to 30% CPU load and use almost 500 MB of RAM, this little guy uses only 23 MB of RAM and almost 2 CPU if it is under really heavy load.

I have put several things down with my list of BANNED IPs, so if you need to delete them use the Data file and edit the Banlist with a text editor.

Image

My KiwiFirewall has got 361 IPs until now. At the moment I have no flood on my server but I can't be even 50% sure that the guy turned it off, so I will still gather info on how to protect my Apache on Windows.

So here is what I have found and what I want to test when and if that guy with the DDoS attack returns:

Code: Select all
http://www.apachelounge.com/viewtopic.php?t=917&postdays=0&postorder=asc&start=20


I have found more info about mod_evasive DDoS protection but most of it is for Linux, but then this pops up from the user prophet.six:


Using the compiled module from tdonovan in this post, I was able to set up mod_dosevasive22 on my new installation of Apache 2.2.19 running on an XP box and it works without any problems.

This seems like a decent tool for brute force password protection but not so much for DoS attacks, unless the 403 response is less burdensome on the server which it very well may be.

New user and first time poster here, I'm happy to have found this site as it is a treasure trove of information. Good work.



The original topic of tomovan is this

I tried to compile the mod to work on Apache 2.2 win32.

I just changed the code a little, disabled some functions, and it seems to work (I guess).

Code: Select all
http://www.zdziarski.com/projects/mod_evasive/ original


* Things I disabled:
- Email Notify
- No DoS Evasive Log (but it writes to the Apache error log)
- maybe something I did not disable but which might not work in win32

* I compiled on Windows XP, VC++ 8, Apache 2.2.3 (but set the environment to Windows 2003 SP1).

Please, if someone can change it and make it work perfectly on Windows, or just compile it in a better condition.


CONFIGURATION

mod_evasive has default options configured, but you may also add the
following block to your httpd.conf:

LoadModule dosevasive22_module modules/mod_dosevasive22.dll

<IfModule dosevasive22_module>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
</IfModule>


DOSHashTableSize
----------------

The hash table size defines the number of top-level nodes for each child's
hash table. Increasing this number will provide faster performance by
decreasing the number of iterations required to get to the record, but
consume more memory for table space. You should increase this if you have
a busy web server. The value you specify will automatically be tiered up to
the next prime number in the primes list (see mod_evasive.c for a list
of primes used).

DOSPageCount
------------

This is the threshold for the number of requests for the same page (or URI)
per page interval. Once the threshold for that interval has been exceeded,
the IP address of the client will be added to the blocking list.

DOSSiteCount
------------

This is the threshold for the total number of requests for any object by
the same client on the same listener per site interval. Once the threshold
for that interval has been exceeded, the IP address of the client will be added
to the blocking list.

DOSPageInterval
---------------

The interval for the page count threshold; defaults to 1 second intervals.

DOSSiteInterval
---------------

The interval for the site count threshold; defaults to 1 second intervals.

DOSBlockingPeriod
-----------------

The blocking period is the amount of time (in seconds) that a client will be
blocked for if they are added to the blocking list. During this time, all
subsequent requests from the client will result in a 403 (Forbidden) and
the timer being reset (e.g. another 10 seconds). Since the timer is reset
for every subsequent request, it is not necessary to have a long blocking
period; in the event of a DoS attack, this timer will keep getting reset.


WHITELISTING IP ADDRESSES

IP addresses of trusted clients can be whitelisted to ensure they are never
denied. The purpose of whitelisting is to protect software, scripts, local
searchbots, or other automated tools from being denied for requesting large
amounts of data from the server. Whitelisting should *not* be used to add
customer lists or anything of the sort, as this will open the server to abuse.
This module is very difficult to trigger without performing some type of
malicious attack, and for that reason it is more appropriate to allow the
module to decide on its own whether or not an individual customer should be
blocked.

To whitelist an address (or range) add an entry to the Apache configuration
in the following fashion:

DOSWhitelist 127.0.0.1
DOSWhitelist 127.0.0.*

Wildcards can be used on up to the last 3 octets if necessary. Multiple
DOSWhitelist commands may be used in the configuration.


With this lead I ended up here, which is mostly for Mu servers and works on Windows, and this guy writes:
Code: Select all
http://forum.ragezone.com/f196/stop-http-dos-attack-589484/


This is a simple external module, originally coded for Linux Apache 2.2, which is compiled for Windows (Apache 2.2) and helps stop DoS attacks on the webserver.

Steps:

1. Download the attached file and extract it inside your webserver module folder. (xampp\apache\modules)
2. Load the module with the following code, add in httpd.conf:

Code: Select all
LoadModule dosevasive22_module modules/mod_dosevasive22.dll

<IfModule dosevasive22_module>
DOSPageCount 2
DOSPageInterval 1
DOSBlockingPeriod 10
DOSSiteCount 50
DOSSiteInterval 1
</IfModule>

* This setting means a 2x connection (same page) or 50x connection (whole website) in 1 sec will be temporarily blocked for 10 sec. and your webserver will return forbidden error to the attacker.

3. Restart your webserver.

* You can see the possible attacks in the error.log. (xampp\apache\logs\)



So where is this file, this mod_evasive? Well, I will end your search here because I wasted 7 days to get all this stuff.

  1. Click here for Mod_evasive22.dLL for Windows TEST MODE (Untested)
    Code: Select all
    http://www.box.com/s/jk4no2zfkpkrmbr323tr

  2. The Mod_Evasive1.0 for linux
    Code: Select all
    http://www.box.com/s/y2zqdthprdnksf1ctmtp

  3. KiwiDdoS Guard for Windows Server 2003 / 2008 ONLY
    Code: Select all
    http://www.box.com/s/qbzeyut0n3l73ebjg98p


There are more scripts and PHP files that work together to stop the DDoS attack, but I did not get that yet and how. I have seen many techniques, read a lot, and I think this topic can be updated and upgraded with nice info.
Bcostin
 
Posts: 8
Joined: 03. December 2011 00:12
XAMPP Version: 5.6.3
Operating System: Windows server 2003

Re: Flood Help me guys

Postby Bcostin » 15. December 2011 00:34

After more days and work the box seems to work pretty good.


I have a PHP too that can block DDoS, and I will study DDoS more and inflict some DDoS attacks on my web to see if the protection holds.
Bcostin
 
Posts: 8
Joined: 03. December 2011 00:12
XAMPP Version: 5.6.3
Operating System: Windows server 2003

