The Arcive of Official vBulletin Modifications Site.It is not a VB3 engine, just a parsed copy! |
|
#1
|
|||
|
|||
DDoS causing Server to Crash, Asking for Mod
Hello,
My site has been under heavy DDoS attacks for the past month!, it seems like they are using vBulletin against the server since the index page has many queries, and running the index page for say 500 times/second would send thousands of queries to the Mysql server causing it to crash over and over again. Since vb.org is the official site for vbulletin modifications, I was thinking of an easy solution that I couldnt make, I'm a beginner PHP programmer but havnt got into vb mods programming yet. The idea was to create a modification that applys to all the templates, simply checking for a session variable ( $_SESSION['human'] ) , cookies or both. if they exist than its a real user, otherwise its a bot or a just a visitor. If its a visitor than the mod would show a little form with one submit button ( Click me to enter ). the form would assign the ( human ) session variable and show the previously requested URL. This would prevent requesting all the queries on the index page (or any other page) and replace it with a harmful, light and query-less page when detecting a non-human or a user without cookies. See the PHP code below to better understanding of the idea: PHP Code:
I hope you guys got the idea, and hope one of you is gonna be able to do it in the next 2 or 3 days. I'm really in need for it, its just that I'm too busy upgrading to a dedicated server to learn the vBulletin coding HowTo's now! BTW, sorry for the bad english, after all its a second language to me! Thanks |
#2
|
||||
|
||||
I saw a suggestion that you simply add an htaccess file to the forum directory with password protection when you are under a dos attack. You can put the username and password right on the form but since bots don't read them, they won't get in, but since your users can read, they just enter the information once and are in.
|
#3
|
|||
|
|||
Lynne,
I already tried that, there seem to be only one problem with this solution, about 95% of my visitors Arabians and htaccess files will show any arabic text as a rubbish. I thought of this solution coz the ppl who are attacking my forum are using it ! I just understood the mechanism of it. and it seem to be working for them! BTW, using this way a webmaster could even allow search spiders to surf the site by checking its browser or somethin that could tell them apart from other kinds of bots. Thanks |
#4
|
|||
|
|||
Hi,
There seems to be another problem with your suggestion Lynne, which is that some DDoS softwares now have the ability to bypass htaccess firewalls by simply going to the site, getting the username and password shown in the msg, and then entering them in the software itself and that would make the proxies able to enter that username and password when requesting the site! . I guess this way is gone with the old days now, anyways , I've managed to create that firewall myelf, I'll be posting it here soon |
#5
|
||||
|
||||
Is suppose you could be right (I really don't know). I have not solved our dos problems by doing that. We used a script that filled up our iptables with all ips that were pounding our server. It was still a painful four days, but you could get on the site.
I hate people who have too much time on their hands and think it would be fun to dos a site! |
#6
|
|||
|
|||
I have tried these things but the only thing that seems to work is to have a strong IPtables setup, otherwise the DDoS will just continue. Also make sure that it is not one of the vBulletin mods you have installed is being DDoS'ed as it is easy to do so.
I had a shoutbox installed which was easy to DDoS and that is how my forums got DDoS'ed with only the use of 12 bots. Therefore I suggest you check all your mods and make sure they are protected from DDoS attacks. |
#7
|
|||
|
|||
Well, I'm not that much of a guru when it comes to linux, this IPtables term is totally new to me so I had to be a little creative, So I changed the mechanism of the mod that I had in mind the first time I thought of it.
Now its working this way, a visitor opens up a page from my forum, php generates an md5 hash for him, then shortens it to only 6 chars and stores it in a session variable, and shows a form with a ( Click me button ). when the visitors clicks that button, a hidden field named 'h' (short for hash) is submitted and compared with the session variable already stored. So it works sort of like the session id concept now. btw, I used GET method in that form to get around that security token issue when you post a form to a vb script that has CSRF protection turned on. Sometimes this helps, specially when the ppl who r attacking you r not that smart, or not too many! Anyways the attack has stopped, and I can go on with my life now , I'll be posting any other kind of solution for this problem that I find. Thanks |
#8
|
|||
|
|||
If your actually being DDoS'd and its already in progress, 99% of the time you won't even be able to access your server, you will need to speak to your host, your not going to stop a DDoS attack with anything via the server/forums, the attack needs to be stopped at the router level if the server is already over whelmed with the mass request attack.
As well as some posts here say, your hacks arent whats being attacked via DDoS, DDoS attacks happen at the NIC level and is targeting things such as echo/ping requests and flooding the server with to many requests. An attack on a poorly written PHP page isn't really considered a DDoS attack. |
#9
|
|||
|
|||
Hello Snake,
obviously, I'm not an owner of a site that would get a 1000 users with broadband connections to actually DDoS him and flood the NIC itself! , neither 99% of forum owners here are! What your talking about happens to site like Yahoo! for crying out load!, while what I'm talking about is some softwares being spread between users and script kiddies with good connections that make repetitive requests to database driven sites causing the mysql server to crash the whole server!. What I'm saying here is .... Imagine the difference between sending 30 queries a 1000 times in one second, and processing a simple html page I think there is a huge difference when u see it that way, of course only in cases like mine, not the mass-destructive cases ur talking about Another point to be considered is that about 70% (maybe more I dont know) of database driven websites are not on a dedicated server, so when a site causes a server to crash, the hosting company will advise the site owner to get a dedicated server, or simply kicks him out!. Also hosting companies does not offer DDoS protection for free, so another possible respond would be advising the site owner to get a DDoS protection and pay huge extra fees monthly. Ask me, I'm hosted with iWEB ! You said : Quote:
Quote:
Anyways, the solution actually worked, on some level ... So I guess I'll stick to the idea and try to develop it a little bit more so it involves IPtables maybe. |
#10
|
|||
|
|||
I think you need to identify the attack first before you try blocking it. Are you sure its not just a simple syn flood attack? Which is rather simple to block. Even then if they're making multiple connections to your server per second you can block them using iptables.
iptables -A BADGUY -p tcp --syn --dport 80 -m recent --name dos --update --seconds 10 --hitcount 16 -j DROP |
Thread Tools | |
Display Modes | |
|
|
X vBulletin 3.8.12 by vBS Debug Information | |
---|---|
|
|
More Information | |
Template Usage:
Phrase Groups Available:
|
Included Files:
Hooks Called:
|