The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
#1
Identify IPs from DB error reports. DDoS Attack.
G'Day All,

I've spent quite some time searching for a prog to do this. Please let me know if one exists. I have extensive logs (50,000+) from the error reports listing the IPs, but to do this manually seems prohibitive. If this is possible, it should be possible to sort out the Zombies. I know the original perpetrator, I just need to confirm the path that he uses. ICCC have been ticketed, but are reticent in giving their progress.

Kindest Regards, Bill.
#2
How do you want to identify DDoS IPs from the error logs (mails?)?

You would typically be looking at your server's netstat reports to identify the attacking IPs in a DDoS situation.
#3
G'Day,

Thanks for the rapid response. I have root access and can see the stats, also the mail queue; I have diverted the error reports rather than filling my inbox. I do have many thousands that I did let through, as well as the raw Apache logs. I would like to analyse these to isolate the Zombies and take action to report them. Sorry, that's the best I can explain. I see other progs for bounced emails; surely this would only be an adaptation of them.

Many Thanks and Kindest Regards, Bill.

Hi, just a small update: I have 10,000+ in my inbox, 20,000 I deleted from the mail queue, and an Apache log of 330 MB, zipped to 53 MB. The attack has been continuing for 8 days this time, twice previously from the same source.

Kindest Regards, Bill.
#4
If you have no knowledge of how to identify these IPs, I strongly suggest you contact your host for support on this.

Depending on the kind of DDoS attack, it would have to be mitigated at a very early stage on your server (i.e. before it even reaches your webserver process, or whatever process is the target of the attack), or would even need to be blocked already on the outer-border routers of your host's network.

PS: Posting the exact error message you get from vB might also help in identifying the problem, although a typical DDoS attack can be done without ever even reaching vBulletin.
#5
Many thanks for your advice,

Perhaps this typical error message may explain what I mean. It gives the IP of the one trying to access the site. It may or may not be genuine. However, if I can analyse the thousands, I can pick up those that are trying many times a minute. An automated process. I hope that you can see my point: multiple accesses in short periods suggest a Zombie. If I can isolate recurring IPs, then I have them. If necessary, I'm prepared to pay someone to do this for me.

Kindest Regards, Bill.

---------------------------------------------------------
This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

dbmaster@example.com
retry timeout exceeded

------ This is a copy of the message, including all the headers. ------

Return-path: <nobody@server.newfunfiles.org>
Received: from nobody by server.newfunfiles.org with local (Exim 4.63) (envelope-from <nobody@server.newfunfiles.org>) id 1HVey8-0004nC-4n for dbmaster@example.com; Mon, 26 Mar 2007 02:30:00 +0000
To: dbmaster@example.com
Subject: vBulletin Database Error!
From: dbmaster@example.com
Message-Id: <E1HVey8-0004nC-4n@server.newfunfiles.org>
Date: Mon, 26 Mar 2007 02:30:00 +0000

Database error in vBulletin : mysql_connect() [<a href='function.mysql-connect'>function.mysql-connect</a>]: User newfunfi_newfunf has already more than 'max_user_connections' active connections
/home/newfunfi/public_html/includes/class_core.php on line 273
MySQL Error :
Error Number :
Date : Monday, March 26th 2007 @ 02:30:00 AM
Script : http://www.newfunfiles.org/memberlis...oindate&pp=250
Referrer :
IP Address : 217.149.242.107
Username :
Classname : vb_database
-------------------------------------------------------------------
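The analysis Bill describes, as an added example that is not code from this thread: it parses the "Date :" and "IP Address :" lines of vBulletin database-error mails in the layout quoted above, counts reports per IP per minute, and lists the IPs whose peak per-minute rate reaches a threshold. The mailbox text and its IPs are constructed here; a real run would read the saved mails from a file.

```python
import re
from collections import Counter
from datetime import datetime

# Field lines of a vBulletin "Database Error!" mail. The header "Date:" (no space
# before the colon) is deliberately not matched; only the report's own "Date :" is.
DATE_RE = re.compile(r"Date : \w+, (\w+ \d+)(?:st|nd|rd|th) (\d{4}) @ (\d{2}:\d{2}):\d{2} (AM|PM)")
IP_RE = re.compile(r"IP Address : (\d{1,3}(?:\.\d{1,3}){3})")


def parse_reports(text):
    """Yield (ip, 'YYYY-MM-DD HH:MM') for each report in a mailbox dump.

    Every report carries a 'Date :' line followed later by an 'IP Address :'
    line; the timestamp is truncated to the minute so hits can be bucketed.
    """
    minute = None
    for line in text.splitlines():
        m = DATE_RE.search(line)
        if m:
            month_day, year, hhmm, ampm = m.groups()
            stamp = datetime.strptime(f"{month_day} {year} {hhmm} {ampm}", "%B %d %Y %I:%M %p")
            minute = stamp.strftime("%Y-%m-%d %H:%M")
            continue
        m = IP_RE.search(line)
        if m and minute:
            yield m.group(1), minute


def find_repeat_offenders(text, per_minute=5):
    """Return [(ip, peak_hits_in_one_minute, total_hits)], busiest first,
    for IPs whose peak per-minute count reaches the threshold."""
    per_ip_minute = Counter(parse_reports(text))
    peak, total = {}, Counter()
    for (ip, minute), n in per_ip_minute.items():
        peak[ip] = max(peak.get(ip, 0), n)
        total[ip] += n
    hits = [(ip, peak[ip], total[ip]) for ip in peak if peak[ip] >= per_minute]
    return sorted(hits, key=lambda h: (-h[1], -h[2], h[0]))


def _report(date_str, ip):
    # Minimal constructed report body in the layout of the mail quoted above.
    return f"Subject: vBulletin Database Error!\nDate : {date_str}\nIP Address : {ip}\n"


# Constructed mailbox: one IP hits 6 times in one minute and 2 the next, another once.
SAMPLE_MAILBOX = "".join(
    [_report("Monday, March 26th 2007 @ 02:30:00 AM", "198.51.100.9")] * 6
    + [_report("Monday, March 26th 2007 @ 02:31:00 AM", "198.51.100.9")] * 2
    + [_report("Monday, March 26th 2007 @ 02:30:15 AM", "203.0.113.7")]
)
```

Run against the real mailbox, the threshold is the tuning knob: a genuine user refreshing a page will rarely produce five database errors in one minute, while a scripted client will.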
#6
mysql_connect() [<a href='function.mysql-connect'>function.mysql-connect</a>]: User newfunfi_newfunf has already more than 'max_user_connections' active connections
/home/newfunfi/public_html/includes/class_core.php on line 273

Depending on how busy your site is, this could be a regular error not related to an attack. Request your host to increase the MySQL 'max_user_connections' setting. Also, what is this currently set to?
#7
Seems my reply went astray due to maintenance.

G'Day, the site is closed from the Admin CP, so only a few can access the site. Even when I'm the only one, there is a high server load. Perhaps we have strayed away from the original question? How do I sort out these miscreant Zombies from the few legitimate users trying to access? To put it another way, at most I show 500/Hr users attempting to access, but generate upwards of 4000 error messages per Hr, each of which has their IP in the error message. I hope that this clarifies my dilemma.

Kindest Regards, Bill.
#8
4000/500 = 8 errors per user per hour, which does not sound a lot if you have an error that gets hit often.

But to answer the original question: no, I don't know how to filter malicious users out of that list.
#9
Well, I faced a lot of DDoS before on my site, and since I only have one site on the server, I started blocking the IPs with the following command (you need to have root access). First I get the IPs using the command:

netstat -an | grep :80 | awk '{print $5}' | cut -d ':' -f1 | sort | uniq -c | sort -nr

It will give a list of the IPs with the number of connections that IP opened. The list will be like this:

<Con. count> <ip>
421 254.243.21.36

What I do next is to get all the IPs that have a connection count over 100 and block them (sometimes even above 50), then after a day or two I remove the block. Worked with me and the site is still standing. BTW, there is a script that can do this for you; you can find it here: http://blog.medialayer.com/projects-ddos-deflate/

Hope that helps.
#10
Very many thanks, "Ranma2k",

At least you live in the real world and have suffered as I have. I will certainly chase up your advice. Ed Skoudis also offers some interesting reading, "Counter Hack". Just an interesting aside: I've been able to stay alive, but not operational, by using a crude but effective ploy, diverting the error reports as well as a hardware firewall. Two previous sites I opened went down in one or two days. Am now into day 8. Must be annoying the living bejabbers out of the perpetrator. I know exactly who it is.

Kindest Regards, Bill.