Matt Sonnentag
Basic Pleskian
One of my servers is currently under a DDOS attack. Basically we have 1000's of syn_recv packets queued for apache on port 80. We are looking for ways to mitigate this attack, so if anyone has some experience or some suggestions that would be great. The attack has been ongoing for approximately 24 hours.
Here is what we know:
Most of the attacking IPs are spoofed.
The "bot", I believe is illusion.
We know the user-agent signatures, they appear over an over from varying IPs
We have tried to block with BrowserMatch - no joy for some reason not catching it
We have tried mod_security - again no joy
mod_evasive sucks
Some joy with flood mon and blocking the various IPs with iptables
(so far we are up to about 4000 Class C's blocked)
With floodmon blocking we run about 1000-1800 queued syn-recv's from about 500 different Ips
We host at the planet and they moved us behind Cisco guard, does not seem to have even affected it.
Yes, tcp_syn cookies is on. This is not doing much good.
Any help would be appreciated!!!!!!
Here is what we know:
Most of the attacking IPs are spoofed.
The "bot", I believe is illusion.
We know the user-agent signatures, they appear over an over from varying IPs
We have tried to block with BrowserMatch - no joy for some reason not catching it
We have tried mod_security - again no joy
mod_evasive sucks
Some joy with flood mon and blocking the various IPs with iptables
(so far we are up to about 4000 Class C's blocked)
With floodmon blocking we run about 1000-1800 queued syn-recv's from about 500 different Ips
We host at the planet and they moved us behind Cisco guard, does not seem to have even affected it.
Yes, tcp_syn cookies is on. This is not doing much good.
Any help would be appreciated!!!!!!