Is there a mod to help with DDoS attacks?
Nick1337
03-10-2008, 02:10 PM
Hello, is there a mod to help with DDoS attacks?
My host has firewalls installed, but I am still getting hit with a DDoS attack, and he is doing something with a whole bunch of IPs just from his computer..
They are using sitename.com/forum.php?t=15168 or sitename/showthread.php?t=15168
I forget which but it was one of the two..
So what are some possible things I can do?
THANKS
Nick
Lynne
03-10-2008, 02:13 PM
I don't think you can do anything except wait it out. We got hit last September - it started abruptly Thursday afternoon and ended just as abruptly Tuesday morning. I was frazzled the whole time, but they finally just left.
The only thing we did is my server guy installed a script that banned IPs if they were hitting the server too much in a short period of time. All this really did is make it so my users could finally get onto the site, but the site was working very, very slowly.
Nick1337
03-10-2008, 02:15 PM
Well, it's been happening a long time... I know who it is, but he is a server administrator and has like 2 offshore proxies filtering all his activity, so I can't report him to his ISP..
I have had like 20 different hosts in the past week and the one I have now is the best one.. but do you know which script he installed?
snakes1100
03-10-2008, 02:28 PM
If you have SSH access to the server as a su user, you should drop the IPs that he is using with iptables.
If your host has DDoS protection in place, then they aren't doing a very good job of it; they should be IP banning at the router.
Nick1337
03-10-2008, 02:38 PM
He has some type of botnet, and we have banned a lot of IPs already.
Lynne
03-10-2008, 02:40 PM
> Well, it's been happening a long time... I know who it is, but he is a server administrator and has like 2 offshore proxies filtering all his activity, so I can't report him to his ISP..
> I have had like 20 different hosts in the past week and the one I have now is the best one.. but do you know which script he installed?
It was a script he wrote himself. All it did was grab the IPs and throw them into a file which was then read by the iptables (or something like that). And it was run as a cron job every ten minutes. So, really, all it did was grab the IPs of the users that were pounding the server *at that time* and ban them. It did not fix things on the site in any way. As I said, it just allowed us to get on if we were really, really patient (but some of my users needed to get on to get access to information).
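A sketch of the kind of periodic job described in the post above, combined with the iptables bans suggested earlier in the thread. This is an added example, not the script from the thread (which was never posted); the function names, threshold, allowlisted address and log format (Apache common/combined) are assumptions.

```shell
#!/bin/sh
# Added example, not the script from the thread. Assumes Apache common/combined
# log format: client IP is field 1, request path is field 7.

# heavy_hitters THRESHOLD [PATH_PREFIX] [ALLOWLIST]
# Reads log lines on stdin and prints "count ip", busiest first, for every
# client with at least THRESHOLD requests to PATH_PREFIX. ALLOWLIST is a
# space-separated list of addresses that are never reported.
heavy_hitters() {
    awk -v min="$1" -v prefix="${2:-/}" -v allow=" ${3:-} " '
        # Field 1 ends up in a firewall command, so accept dotted quads only.
        $1 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { next }
        index(allow, " " $1 " ")                { next }
        index($7, prefix) == 1                  { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' | sort -rn
}

# ban_rules: turn "count ip" lines into iptables commands. The commands are
# printed, not run, so the list can be reviewed before it is applied.
ban_rules() {
    while read -r _count ip; do
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    done
}

# log_lines IP PATH COUNT: emit COUNT constructed access-log lines.
log_lines() {
    n=0
    while [ "$n" -lt "$3" ]; do
        echo "$1 - - [10/Mar/2008:00:49:12 +0000] \"GET $2 HTTP/1.1\" 200 512"
        n=$((n + 1))
    done
}

# Constructed sample traffic (documentation addresses, not from the thread).
sample_log() {
    log_lines 203.0.113.7  '/showthread.php?t=28528' 5
    log_lines 198.51.100.9 '/showthread.php?t=28528' 3
    log_lines 192.0.2.50   '/showthread.php?t=28528' 6   # allowlisted admin
    log_lines 192.0.2.10   '/index.php' 4                # different page
    log_lines not-an-ip    '/showthread.php?t=28528' 4   # malformed field 1
}

# Threshold 3 on the one thread URL; 192.0.2.50 is the assumed admin address.
sample_log | heavy_hitters 3 /showthread.php 192.0.2.50 | ban_rules
```

When run from cron, feed it only a recent slice of the access log so that the count reflects current traffic rather than the whole file.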
Nick1337
03-10-2008, 02:45 PM
Ok, if anyone knows of anything please post :D
This is what I'm getting in emails:
Database error in vBulletin :
mysql_connect() [<a href='function.mysql-connect'>function.mysql-connect</a>]: Too many connections
/home/public_html/includes/class_core.php on line 316
MySQL Error :
Error Number :
Date : Monday, March 10th 2008 @ 12:49:12 AM
Script : http://sitename.com/showthread.php?t=28528
Referrer :
IP Address : 90.154.171.27
Username :
Classname : vB_Database
MySQL Version :
Database error in vBulletin :
mysql_connect() [<a href='function.mysql-connect'>function.mysql-connect</a>]: Too many connections
/home/public_html/includes/class_core.php on line 316
MySQL Error :
Error Number :
Date : Monday, March 10th 2008 @ 12:49:13 AM
Script : http://sitename.com/showthread.php?t=28528
Referrer :
IP Address : 86.135.161.112
Username :
Classname : vB_Database
MySQL Version :
Database error in vBulletin :
mysql_connect() [<a href='function.mysql-connect'>function.mysql-connect</a>]: Too many connections
/home/public_html/includes/class_core.php on line 316
MySQL Error :
Error Number :
Date : Monday, March 10th 2008 @ 02:19:36 AM
Script : http://sitename.com/showthread.php?t=28528
Referrer :
IP Address : 213.165.56.190
Username :
Classname : vB_Database
MySQL Version :
Database error in vBulletin :
mysql_connect() [<a href='function.mysql-connect'>function.mysql-connect</a>]: Too many connections
/home/public_html/includes/class_core.php on line 316
MySQL Error :
Error Number :
Date : Monday, March 10th 2008 @ 12:48:58 AM
Script : http://sitename.com/showthread.php?t=28528
Referrer :
IP Address : 88.242.211.141
Username :
Classname : vB_Database
MySQL Version :
I have had up to 22,000 of these at a time..
Lynne
03-10-2008, 03:00 PM
I would suggest turning off sending the error emails because they are just going to be causing more problems for your poor server. (I'm just suggesting turning it off for now. You *know* there are site problems and don't need all the emails telling you so right now.)
Nick1337
03-10-2008, 03:04 PM
Eh, I can't log in to do so.
Is there a way to do it from config.php?
snakes1100
03-10-2008, 03:21 PM
Remove the tech email address from the config.php file.
Too many connections to the DB doesn't mean there is a DDoS attack happening. What is max_connections set at in the my.cnf file, and how many users are online in the forum on average?
Nick1337
03-10-2008, 03:31 PM
Not many right now, I bought a new domain and only a few members at a time.. it has to be a DDoS attack seeing as it is all coming from the same topic each time.. not that many people are going to go to that topic at a time, and where is the my.cnf file at?
EDIT: I found a temporary cure.. lol I redirected the URL /showthread.php?t=28528 to google.com
site is loading fine now :D
EDIT2: down again
EDIT3: working smooth now, just slow at a few times. I've been blocking loads of IPs in cPanel, everyone who has been viewing the above link
EDIT4: ehhh that makes it so you can't view any topics...
STILL LOOKING FOR SOME HELP, THANKS
snakes1100
03-10-2008, 04:14 PM
What makes it so you can't view any topics?
Is cPanel adding these IPs to iptables?
my.cnf should be here: /etc/my.cnf
If not, type this from an SSH prompt: find / -name my.cnf -print or locate my.cnf
Nick1337
03-10-2008, 04:21 PM
I can't view any topics because I redirected /showthread.php?t=28528 to google.com, but it only accepted showthread.php, so all topics won't show; it goes to google.com.
The only thing in /etc is passwd, quota, and shadow.
And no, I've been banning the IPs manually in cPanel.
SEOvB
03-10-2008, 07:47 PM
DDoS protection needs to be handled at the server level, and not at the vBulletin level. Over in the Security section at WHT (http://www.webhostingtalk.com/forumdisplay.php?f=73) they have tons of articles that could help you.
Have you tried installing a firewall such as APF?
some things such as mod_evasive may help as well: http://www.hostgeekz.com/guides/Security/59/Install_mod_evasive.htm
and secure your sysctl.conf file: http://www.hostgeekz.com/guides/cPanel/42/Sysctl.conf%20hardening.htm
Nick1337
03-10-2008, 10:58 PM
I just purchased a VPS, so if there are any scripts you know I can install, please let me know.
snakes1100
03-10-2008, 11:37 PM
You can use iptables as I stated earlier to ban IPs at the network level; there is no need to install any scripts.
Did you do a find or locate like I said for my.cnf? That way you can increase the max_connections setting for MySQL.
Nick1337
03-10-2008, 11:49 PM
No, I couldn't find the file anywhere..
Marco van Herwaarden
03-11-2008, 10:25 AM
There is 1 little trick that will stop botnets etc. I use it often on one of my sites when someone goes crazy again and tries the same as described above. Just set up a .htaccess password protection for your forum directory. You can use a simple username/password and even mention the user/pass in the login prompt. This will stop botnets for sure in a very cost-effective (in terms of resources) way.
Once the attack is over, remove the login again.
Nick1337
03-11-2008, 06:56 PM
> There is 1 little trick that will stop botnets etc. I use it often on one of my sites when someone goes crazy again and tries the same as described above. Just set up a .htaccess password protection for your forum directory. You can use a simple username/password and even mention the user/pass in the login prompt. This will stop botnets for sure in a very cost-effective (in terms of resources) way.
> Once the attack is over, remove the login again.
Ok, I will try that. Thanks, Marco van Herwaarden!
badboyz
03-22-2008, 06:24 PM
This is what my .htaccess file looks like when someone tries to DDoS my site:
RewriteEngine On
RewriteCond %{HTTP_HOST} !^danger-z0ne.net$ [NC]
RewriteCond %{REMOTE_ADDR} ^(.*)$ [NC]
RewriteRule ^(.*)$ http://%1 [R=301,L]
This on the site will stop any DoS program because DoS programs don't have a referrer on IPs,
so they will get blocked automatically lol, but the bad part of this script is that it also blocks dial-up users lol.
Other than that, the rest of the scripts in the quote below are very good. You can ban the IPs below if you want, or change them.
Just make a .htaccess file in your root directory, copy and paste, and edit YOUR-SITE.COM to your site.
Hope this helps, enjoy. Also, there is a mod in here that stops a single user from loading your site too many times in 60 seconds or so; I will look up the mod name and post it here.
RewriteEngine On
RewriteCond %{HTTP_HOST} !^YOUR-SITE.COM$ [NC]
RewriteCond %{REMOTE_ADDR} ^(.*)$ [NC]
RewriteRule ^(.*)$ http://%1 [R=301,L]
#get rid of bad bots
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} ^BadBot [OR]
RewriteCond %{HTTP_USER_AGENT} ^EvilScraper [OR]
RewriteCond %{HTTP_USER_AGENT} ^FakeUser
RewriteRule ^(.*)$ http://google.com/
order allow,deny
allow from all
order allow,deny
deny from 5ac1ecf0.bb.sky.com
deny from 5ac39da5.bb.sky.com
deny from bb.sky.com
deny from 239.39.136.118.fast.net.id
allow from all
mystic10
03-23-2008, 06:06 PM
I tried to do this for my site,
but I got a new homepage of some security showing my IP and asking for a login and password... is this what it's supposed to do?
RewriteEngine On
RewriteCond %{HTTP_HOST} !^placed my domain here$ [NC]
RewriteCond %{REMOTE_ADDR} ^(.*)$ [NC]
RewriteRule ^(.*)$ http://%1 [R=301,L]
Ekin Cheng
04-03-2008, 09:41 AM
Erm, purchase the one on my site, also on GZN.
It works well now.