
Dissect a web attack

Amin Taheri

Golden Pleskian
Plesk Certified Professional
Let's say that my web server (one of them, multiple, w/e, doesn't matter) is being "attacked", and as a result the CPU of the box is hitting 100% and staying there, or perhaps the attack is causing a seg fault in Apache and crashing the instance.

What is a way to determine who is the "target" of the attack without actually sorting through packet captures?

Does using piped logs in Plesk assist or hinder finding the offending domain?

ApacheTop has been mentioned, but since each domain uses its own log file it doesn't help much unless we know the domain under attack.

Any useful thoughts or suggestions on this problem? (Yes, I know buying ASL can assist.) I am looking for something free and open source preferably, but pay-for solutions are not ruled out if they perform and are low cost with no recurring licensing.
 
IIRC, you can use wildcards when specifying the logfile for apachetop to use, e.g.

atop /var/www/vhosts/*/statistics/logs/access_log
 
I am using apachetop-0.12.6 and it doesn't seem to work using the wildcard.

Using the command:
Code:
/root/apachetop-0.12.6/src/apachetop -f /var/www/vhosts/*/statistics/logs/access_log

Am I using the wrong version?
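apachetop's -f option takes one file (it may be repeated); a wildcard after a single -f is expanded by the shell into several arguments, so only the first becomes the -f value. Another route that answers the original question directly is to read the per-vhost logs themselves and rank the vhosts by how fast their logs are growing. The POSIX shell script below is an added example, not code from this thread or from Plesk; it assumes the Plesk layout /var/www/vhosts/<domain>/statistics/logs/access_log quoted above and the common/combined log format (client IP first, request line in double quotes). VHOSTS_DIR and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread or from Plesk): rank the vhosts on a
# Plesk box by recent request volume and show what is being hit on the
# busiest one. Assumes /var/www/vhosts/<domain>/statistics/logs/access_log
# in common/combined format (client IP first, request line in quotes).

# Where the vhosts live; override for testing or a non-default layout.
: "${VHOSTS_DIR:=/var/www/vhosts}"

# Every readable per-vhost access log, one path per line.
vhost_logs() {
    for f in "$VHOSTS_DIR"/*/statistics/logs/access_log; do
        [ -r "$f" ] || continue
        printf '%s\n' "$f"
    done
}

# apachetop's -f takes a single file but may be repeated; the shell turns a
# wildcard into several arguments, so only the first would be read. This
# prints one "-f <log>" per line to build the repeated form instead.
apachetop_args() {
    vhost_logs | while read -r f; do printf '%s %s\n' -f "$f"; done
}

# Requests per vhost in the trailing N lines of each log (a cheap proxy for
# "recent": the log of a vhost being hammered grows fastest), busiest first.
rank_vhosts() {
    n="${1:-1000}"
    vhost_logs | while read -r f; do
        d=${f#"$VHOSTS_DIR"/}; d=${d%%/*}      # domain = first path component
        c=$(tail -n "$n" "$f" | wc -l | tr -d ' ')
        printf '%s %s\n' "$c" "$d"
    done | sort -rn
}

# Most requested path on one vhost: the request line is the first quoted
# field ("GET /path HTTP/1.1") and the path is its second word.
top_path() {
    tail -n "${2:-1000}" "$VHOSTS_DIR/$1/statistics/logs/access_log" \
        | awk -F'"' '{ split($2, r, " "); print r[2] }' \
        | sort | uniq -c | sort -rn | head -n 1 | awk '{ print $2 }'
}

# Client IP with the most requests to one vhost (first field of each line).
top_ip() {
    tail -n "${2:-1000}" "$VHOSTS_DIR/$1/statistics/logs/access_log" \
        | awk '{ print $1 }' | sort | uniq -c | sort -rn | head -n 1 \
        | awk '{ print $2 }'
}

# One-screen answer to "which vhost, which script, which client".
report() {
    n="${1:-1000}"
    echo "requests in the last $n log lines, per vhost:"
    rank_vhosts "$n" | head -n 10
    busiest=$(rank_vhosts "$n" | head -n 1 | awk '{ print $2 }')
    [ -n "$busiest" ] || return 1
    echo "busiest: $busiest  top path: $(top_path "$busiest" "$n")  top client: $(top_ip "$busiest" "$n")"
}

case "${1:-}" in
    rank)   rank_vhosts "${2:-1000}" ;;
    report) report "${2:-1000}" ;;
    args)   apachetop_args ;;
esac
```

Run it as `sh busy_vhost.sh report 2000` while the box is pegged; the ranking shows which domain's log is growing fastest, and the second line names the script and the client behind it, which is usually enough to find the badly coded page or the single client hammering it. Counting trailing lines is deliberately crude (it avoids parsing Apache timestamps in sh); once the domain is known, apachetop on that one log gives the live rate.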
 
Check out snort, www.snort.org. This has signatures for detecting denial of service, and other protocol level DoS attacks against apache.

There are also rules built into ASL to do it, directly through mod_security.
 
Snort is used to avoid an attack, and ASL is a commercial product and doesn't really cover my question completely, but I do appreciate the response, thank you.

What can you do when the attack is occurring and has passed through your firewalls and security rules? For example, someone is hitting a script on the server that is coded poorly and causing the memory or process to spike/crash.

How can you figure that out, since it doesn't really "breach any rules" per se?
 
I have no idea how to find the domain of an ongoing attack, but we use some programmes to help prevent them from happening, and when they do happen, they don't bring down the whole server.

- Test the websites with Nessus (http://www.nessus.org/nessus/). This won't solve all the problems, but one less is one less. You can even make money with it if you sell the service as a monthly security checkup or something like that.

- Be VERY rigid when disabling PHP safe mode.

- mod_security is your friend.

- We use mod_cband (http://cband.linux.pl/) to prevent a site under attack from bringing down a complete server. When a server gets slower, it's easy to look up in the Apache server status page who gets the most connections.

Hope this helps a bit,
Jan
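The server-status lookup mentioned above can be scripted. With ExtendedStatus On, the full mod_status HTML page lists every worker with its mode (M), CPU seconds, client and VHost. The script below is an added example, not from this thread or from the Apache project; it finds the columns by their header names rather than fixed positions, because the table layout differs between Apache versions, and the sample page embedded in it is constructed to look like mod_status output, not captured from a real server. STATUS_URL and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread or from Apache): rank vhosts by busy
# workers and CPU from the full mod_status HTML page (ExtendedStatus On).
# Columns are located by header name, so it does not depend on the column
# order of one Apache version. STATUS_URL is an assumed, site-specific value.

STATUS_URL="${STATUS_URL:-http://localhost/server-status}"

# Normalise the HTML: join everything onto one line (mod_status wraps some
# header cells), then give every <tr>...</tr> its own line and replace tags
# with spaces so awk sees plain whitespace-separated fields.
rows_of() {
    tr -d '\n' | sed -e 's#<tr#\
&#g' -e 's#</tr>#&\
#g' | sed 's/<[^>]*>/ /g'
}

# Reads mod_status HTML on stdin; prints one line per vhost, busiest first:
#   <busy workers> <all workers> <cpu seconds> <vhost>
vhost_load() {
    rows_of | awk '
        # header row: map column name -> field position
        $1 == "Srv" { for (i = 1; i <= NF; i++) col[$i] = i; next }
        # worker rows start with a slot id such as 0-12
        $1 ~ /^[0-9]+-[0-9]+$/ && ("VHost" in col) {
            v = $(col["VHost"]); sub(/:[0-9]+$/, "", v)   # drop the :port suffix
            total[v]++
            m = $(col["M"])
            if (m == "W" || m == "R") busy[v]++           # sending reply / reading request
            cpu[v] += $(col["CPU"])
        }
        END {
            for (v in total)
                printf "%d %d %.2f %s\n", busy[v] + 0, total[v], cpu[v] + 0, v
        }' | sort -rn
}

# Constructed sample page shaped like mod_status output (header split across
# lines, then one row per worker); not captured from a real server.
sample_status() {
cat <<'EOF'
<html><body><h1>Apache Server Status for localhost</h1>
<table border="0"><tr><th>Srv</th><th>PID</th><th>Acc</th><th>M</th><th>CPU
</th><th>SS</th><th>Req</th><th>Conn</th><th>Child</th><th>Slot</th><th>Client</th><th>VHost</th><th>Request</th></tr>
<tr><td><b>0-0</b></td><td>4101</td><td>0/12/12</td><td>W</td><td>0.50</td><td>3</td><td>120</td><td>0.0</td><td>0.05</td><td>0.05</td><td>198.51.100.9</td><td nowrap>victim.example:80</td><td nowrap>POST /search.php HTTP/1.1</td></tr>
<tr><td><b>1-0</b></td><td>4102</td><td>0/9/9</td><td>W</td><td>1.00</td><td>1</td><td>300</td><td>0.0</td><td>0.04</td><td>0.04</td><td>198.51.100.9</td><td nowrap>victim.example:80</td><td nowrap>POST /search.php HTTP/1.1</td></tr>
<tr><td><b>2-0</b></td><td>4103</td><td>0/7/7</td><td>R</td><td>0.25</td><td>0</td><td>0</td><td>0.0</td><td>0.01</td><td>0.01</td><td>198.51.100.9</td><td nowrap>victim.example:80</td><td nowrap>NULL</td></tr>
<tr><td><b>3-0</b></td><td>4104</td><td>0/2/2</td><td>K</td><td>0.05</td><td>5</td><td>10</td><td>0.0</td><td>0.01</td><td>0.01</td><td>203.0.113.5</td><td nowrap>good.example:80</td><td nowrap>GET /index.html HTTP/1.1</td></tr>
<tr><td><b>4-0</b></td><td>4105</td><td>0/1/1</td><td>_</td><td>0.02</td><td>9</td><td>4</td><td>0.0</td><td>0.00</td><td>0.00</td><td>203.0.113.5</td><td nowrap>good.example:80</td><td nowrap>GET /about.html HTTP/1.1</td></tr>
</table></body></html>
EOF
}

case "${1:-}" in
    live)   curl -s "$STATUS_URL" | vhost_load ;;
    sample) sample_status | vhost_load ;;
esac
```

`sh vhost_load.sh live` prints the busiest vhost first; on the sample it reports victim.example holding three busy workers and 1.75 CPU seconds against none for good.example. Because mod_status is a snapshot, run it a few times in a row while the CPU is pegged: the vhost that keeps the same workers in W with a climbing CPU column is the one whose script is spinning, and its Client and Request columns name the caller and the URL.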
 
Nessus is nice to test the overall server, but you can't use it to test every vhost on your server daily with each subdomain and sub folder; that would be unrealistic.

mod_sec is nice, but the default rule set from Breach is bloated and inefficient, and blocks a lot of legitimate traffic from Joomla, phpBB, and most other applications out there. Having to fine-tune each rule for each intended application is also somewhat unrealistic, as that is incredibly time consuming. With that said, it's important to note that I do use it, but am not happy about it.

If I read mod_cband correctly, it only limits the number of connections and bandwidth used per vhost (primarily). That is nice, but it doesn't really do anything that we need, as we have intelligent inline devices and firewalls that protect against DoS/DDoS/floods. Our problem is preventing stupid users and bad coders from having their scripts hit within an allowable threshold which, due to that code mistake, crashes Apache or raises CPU/memory to a non-allowable rate, and having the ability to easily track down who the user/domain is.

I appreciate your time and feedback as well as your input, but I don't see how it helps me in this particular scenario.
 