Is this a DDoS?

Discussion in 'AntiDDos - АнтиДДОС' started by fire64, 3 Jan 2013.

  1. fire64

    The site has started lagging badly, and the access logs contain many similar strange requests:

    PHP:
    89.114.95.40 - - [03/Jan/2013:07:05:01 +0000"-" 408 0 "-" "-"
    92.126.7.214 - - [03/Jan/2013:07:05:01 +0000"-" 408 0 "-" "-"
    77.122.76.95 - - [03/Jan/2013:07:05:01 +0000"-" 408 0 "-" "-"
    188.123.239.200 - - [03/Jan/2013:07:05:01 +0000"-" 408 0 "-" "-"
    89.114.95.40 - - [03/Jan/2013:07:05:02 +0000"-" 408 0 "-" "-"
    109.174.15.140 - - [03/Jan/2013:07:05:02 +0000"-" 408 0 "-" "-"
    193.106.63.228 - - [03/Jan/2013:07:05:02 +0000"-" 408 0 "-" "-"
    188.123.239.200 - - [03/Jan/2013:07:05:02 +0000"-" 408 0 "-" "-"
    89.114.95.40 - - [03/Jan/2013:07:05:03 +0000"-" 408 0 "-" "-"
    178.215.66.242 - - [03/Jan/2013:07:05:03 +0000"-" 408 0 "-" "-"
    46.158.144.86 - - [03/Jan/2013:07:05:03 +0000"-" 408 0 "-" "-"
    37.8.157.87 - - [03/Jan/2013:07:05:03 +0000"-" 408 0 "-" "-"
    188.123.239.200 - - [03/Jan/2013:07:05:04 +0000"-" 408 0 "-" "-"
    89.114.95.40 - - [03/Jan/2013:07:05:04 +0000"-" 408 0 "-" "-"
    109.174.15.140 - - [03/Jan/2013:07:05:04 +0000"-" 408 0 "-" "-"
    193.106.63.228 - - [03/Jan/2013:07:05:04 +0000"-" 408 0 "-" "-"
    93.77.111.253 - - [03/Jan/2013:07:05:04 +0000"-" 408 0 "-" "-"
    128.72.46.137 - - [03/Jan/2013:07:05:04 +0000"-" 408 0 "-" "-"
    37.8.157.87 - - [03/Jan/2013:07:05:04 +0000"-" 408 0 "-" "-"
    94.190.119.140 - - [03/Jan/2013:07:05:04 +0000"-" 408 0 "-" "-"
    89.114.95.40 - - [03/Jan/2013:07:05:04 +0000"-" 408 0 "-" "-"
    188.123.239.200 - - [03/Jan/2013:07:05:05 +0000"-" 408 0 "-" "-"
    77.122.76.95 - - [03/Jan/2013:07:05:05 +0000"-" 408 0 "-" "-"
    178.46.84.125 - - [03/Jan/2013:07:05:05 +0000"-" 408 0 "-" "-"
    109.206.41.90 - - [03/Jan/2013:07:05:05 +0000"-" 408 0 "-" "-"
    89.114.95.40 - - [03/Jan/2013:07:05:05 +0000"-" 408 0 "-" "-"
    94.190.119.140 - - [03/Jan/2013:07:05:06 +0000"-" 408 0 "-" "-"
    188.123.239.200 - - [03/Jan/2013:07:05:06 +0000"-" 408 0 "-" "-"
    178.215.66.242 - - [03/Jan/2013:07:05:06 +0000"-" 408 0 "-" "-"
    92.126.7.214 - - [03/Jan/2013:07:05:06 +0000"-" 408 0 "-" "-"
    193.106.63.228 - - [03/Jan/2013:07:05:06 +0000"-" 408 0 "-" "-"
    89.114.95.40 - - [03/Jan/2013:07:05:06 +0000"-" 408 0 "-" "-"
    37.8.157.87 - - [03/Jan/2013:07:05:07 +0000"-" 408 0 "-" "-"
    188.123.239.200 - - [03/Jan/2013:07:05:07 +0000"-" 408 0 "-" "-"
    89.114.95.40 - - [03/Jan/2013:07:05:07 +0000"-" 408 0 "-" "-"
    89.114.95.40 - - [03/Jan/2013:07:05:08 +0000"-" 408 0 "-" "-"
    188.123.239.200 - - [03/Jan/2013:07:05:08 +0000"-" 408 0 "-" "-"
    93.77.111.253 - - [03/Jan/2013:07:05:08 +0000"-" 408 0 "-" "-"
    109.206.41.90 - - [03/Jan/2013:07:05:08 +0000"-" 408 0 "-" "-"
    193.106.63.228 - - [03/Jan/2013:07:05:09 +0000"-" 408 0 "-" "-"
    89.114.95.40 - - [03/Jan/2013:07:05:09 +0000"-" 408 0 "-" "-"
    109.206.41.90 - - [03/Jan/2013:07:05:09 +0000"-" 408 0 "-" "-"
    188.123.239.200 - - [03/Jan/2013:07:05:09 +0000"-" 408 0 "-" "-"
    178.46.84.125 - - [03/Jan/2013:07:05:09 +0000"-" 408 0 "-" "-"
    77.122.76.95 - - [03/Jan/2013:07:05:09 +0000"-" 408 0 "-" "-"
    46.158.144.86 - - [03/Jan/2013:07:05:09 +0000"-" 408 0 "-" "-"
    94.190.119.140 - - [03/Jan/2013:07:05:10 +0000"-" 408 0 "-" "-"
    89.114.95.40 - - [03/Jan/2013:07:05:10 +0000"-" 408 0 "-" "-"
    193.106.63.228 - - [03/Jan/2013:07:05:10 +0000"-" 408 0 "-" "-"
    Can you tell me how to protect against this?

    Last time the attack came from a single IP range and I blocked it with iptables, but I have no idea what to do about this one.
     
  2. 0x61

    iptables+ipset
    evasive_module
    qos_module

    as well as the Limit and LimitExcept access-control directives, and tune the kernel according to the server's configuration.
    Something like this:
    Code:
    sysctl net.ipv4.conf.all.accept_redirects=0
    sysctl net.ipv4.conf.all.secure_redirects=0
    sysctl net.ipv4.conf.all.send_redirects=0
    sysctl net.ipv4.tcp_max_orphans=65536
    sysctl net.ipv4.tcp_fin_timeout=10
    sysctl net.ipv4.tcp_keepalive_time=1800
    sysctl net.ipv4.tcp_keepalive_intvl=15
    sysctl net.ipv4.tcp_keepalive_probes=5
    sysctl net.ipv4.tcp_max_syn_backlog=4096
    sysctl net.ipv4.tcp_synack_retries=1
    # Multi-value settings are quoted so the shell passes each as one argument
    sysctl net.ipv4.tcp_mem="50576 64768 98152"
    sysctl net.ipv4.tcp_rmem="4096 87380 16777216"
    sysctl net.ipv4.tcp_wmem="4096 65536 16777216"
    sysctl net.ipv4.tcp_orphan_retries=0
    sysctl net.ipv4.tcp_syncookies=0
    sysctl net.ipv4.netfilter.ip_conntrack_max=1048576
    sysctl net.ipv4.tcp_timestamps=1
    sysctl net.ipv4.tcp_sack=1
    sysctl net.ipv4.tcp_congestion_control=htcp
    sysctl net.ipv4.tcp_no_metrics_save=1
    sysctl net.ipv4.route.flush=1
    sysctl net.ipv4.conf.all.rp_filter=1
    sysctl net.ipv4.conf.lo.rp_filter=1
    sysctl net.ipv4.conf.eth0.rp_filter=1
    sysctl net.ipv4.conf.default.rp_filter=1
    sysctl net.ipv4.conf.all.accept_source_route=0
    sysctl net.ipv4.conf.lo.accept_source_route=0
    sysctl net.ipv4.conf.eth0.accept_source_route=0
    sysctl net.ipv4.conf.default.accept_source_route=0
    sysctl net.ipv4.ip_local_port_range="1024 65535"
    sysctl net.ipv4.tcp_tw_reuse=1
    sysctl net.ipv4.tcp_window_scaling=1
    sysctl net.ipv4.tcp_rfc1337=1
    sysctl net.ipv4.ip_forward=1
    sysctl net.ipv4.icmp_echo_ignore_broadcasts=1
    sysctl net.ipv4.icmp_echo_ignore_all=1
    sysctl net.ipv4.icmp_ignore_bogus_error_responses=1
    sysctl net.core.somaxconn=15000
    sysctl net.core.netdev_max_backlog=1000
    sysctl net.core.rmem_default=65536
    sysctl net.core.wmem_default=65536
    sysctl net.core.rmem_max=16777216
    sysctl net.core.wmem_max=16777216
     
    #2 0x61, 4 Jan 2013
    Last edited: 4 Jan 2013
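
The empty-request 408 entries from the first post can be counted per client and turned into input for the iptables+ipset approach named in the reply. This is an added example, not code from either poster: the log sample is constructed (documentation IP ranges), and the set name `idle408`, the threshold and the one-hour timeout are assumptions.

```shell
#!/bin/sh
# Constructed sample in Apache combined log format (documentation IPs, not from the thread).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [03/Jan/2013:07:05:01 +0000] "-" 408 0 "-" "-"
198.51.100.7 - - [03/Jan/2013:07:05:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [03/Jan/2013:07:05:02 +0000] "-" 408 0 "-" "-"
203.0.113.5 - - [03/Jan/2013:07:05:02 +0000] "-" 408 0 "-" "-"
192.0.2.10 - - [03/Jan/2013:07:05:03 +0000] "-" 408 0 "-" "-"
203.0.113.5 - - [03/Jan/2013:07:05:04 +0000] "-" 408 0 "-" "-"
198.51.100.7 - - [03/Jan/2013:07:05:05 +0000] "-" 408 0 "-" "-"
192.0.2.10 - - [03/Jan/2013:07:05:06 +0000] "GET /a HTTP/1.1" 200 100 "-" "Mozilla/5.0"
EOF
}

# Print "count ip" for every client with at least $1 empty-request 408 entries.
# Splitting on double quotes makes field 2 the request line and field 3 " status bytes ".
idle_408_offenders() {
    awk -F'"' -v min="$1" '
        $2 == "-" {
            split($1, head, " ")      # head[1] = client IP
            split($3, tail, " ")      # tail[1] = status code
            if (tail[1] == "408") hits[head[1]]++
        }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Turn the offender list into ipset commands for review; nothing is executed here.
# The set name "idle408" and the one-hour timeout are assumptions.
ipset_commands() {
    echo "ipset create idle408 hash:ip timeout 3600 -exist"
    while read -r count ip; do
        echo "ipset add idle408 $ip -exist  # $count idle 408s"
    done
    echo "iptables -I INPUT -p tcp --dport 80 -m set --match-set idle408 src -j DROP"
}

sample_log | idle_408_offenders 2 | ipset_commands
```

Browsers that open speculative connections also leave occasional empty-request 408 entries, so on a real log the threshold should sit well above a handful of hits per client.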