Issue Socket() Erros while under DoS

[MaxChri]

Hey guys,

while my site was under DoS, I got multiple erros within the proxy_error_log file in the domains logs directory.

upstream timed out (110: Connection timed out) while reading response header from upstream
connect() failed (110: Connection timed out) while connecting to upstream
upstream timed out (110: Connection timed out) while SSL handshaking to upstream

socket() failed (24: Too many open files) while connecting to upstream

When I entered the website, I got "500 internal server error - nginx".

- There where no error logs on nginx or apache that the max connections are reached. (var/log/apache2 & var/log/nginx)
- Websites are running via cloudflare (cloudflare ips are whitelisted in fail2ban)
- The attack was very weak (150pps in plesk monitoring) but websites where down after that. No resources in plesk monitoring reached it's limit.
- Plesk is running on a vps with default php settings.

Do you have any suggestions how to fix these timeout errors? And why are the websites down that fast?

 

[mow]

- There where no error logs on nginx or apache that the max connections are reached. (var/log/apache2 & var/log/nginx)

Did you also look into the domain logs at /var/www/vhosts/system/<domain>/logs?

Do you have any suggestions how to fix these timeout errors? And why are the websites down that fast?

Keep in mind that you are sharing resources with other vps on the same physical server. Depending on your plan, you might experience throttling sooner or later when using e.g. too much I/O bandwidth.

 

[MaxChri]

Hey @mow yeah I checked the domain logs, there has been a lot of entries like get requests at this time.

Do you know a good tool how to throttle I/O bandwidth?


I know it's not a huge attack but it seems like there are a lot incoming packet floods.

 

[Bitpalast]

The best thing to do is to put a DoS-protection in front of your server, because once a flood reaches your network interface, it's normally too late to do something about it. It will simply eat up all your bandwith, making your system inaccessible through the network. So what you'll really need is a router in front of your system that is capable of recognizing and filtering all typical DoS attacks.

In addition to that protection you can limit the bandwith on your network interface by applying some iptables rules. However, there is not standard recipe for this, because your options are manifold and should match your specific needs. I suggest to search Google for "iptables limit" or "iptables limit burst" or similar keywords and to delve into some articles that describe how you can use iptables to protect your server against too much useless traffic.

 

[mow]

Do you know a good tool how to throttle I/O bandwidth?

Not anything that would help you as user on a vps.
As the ethernet device is shared, the hypervisor has to take the packets and distribute them to the virtual hosts. So any useful rate-limiting would have to be done in the hypervisor, which can only be configured by the provider.