  #11  
Old 09-10-2008, 11:02 AM
Sycosphere Sycosphere is offline
 
Join Date: May 2007
Posts: 11

OK fatal, I'm not 100% sure about the type of this attack, and as I mentioned before, I don't have that much experience with Linux, so let me describe the attack:
I have my forum in the /vb/ directory. The ppl who were attacking me were attacking that specific directory only. I noticed that because when I felt that the server was slowing down I changed the folder's name through ssh, and it worked! So this told me that the attack is not on the network level, it's mainly directed at www.sycoz.com/vb only.
When the attack starts, whenever I try to open a page it just keeps loading and loading without any response from the server; once the attack stops, the server goes back to its normal condition!
At one time I was talking with the attacker on yahoo chat, he told me that he's gonna attack in a few seconds, I opened my forum and it was completely normal, then he told me to refresh and when I did the server was not giving any response! A dedicated server gets jammed by only one user and in a few seconds!!!

Ok now I hope you guys have enough info and may be able to define the type of the attack, and btw, I could provide a link to the software they're using, please PM for it if you're interested in ending this headache for me and for many other forum owners

Thanks
  #12  
Old 09-10-2008, 11:19 AM
royo royo is offline
 
Join Date: Jan 2005
Posts: 80

In /etc/sysctl.conf you may want to try changing the following
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_max_syn_backlog=1536

After that use the command sysctl -p to reload the config.

I'm not 100% sure on this so you may want to remember the default values you are using and switch it back if it isn't working.
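The change-and-roll-back procedure royo describes, as an added example that is not part of the original post: it saves the current values of the two keys before writing new ones, so the old values can be restored. `SYSCTL_ROOT`, the function names and the starting values in the dry run are assumptions of this example; the writes affect the running kernel only, so a persistent change still belongs in /etc/sysctl.conf.

```shell
#!/bin/sh
# Added example, not from the thread: record the current values of the two
# keys before changing them, so they can be restored if the change does not help.
# SYSCTL_ROOT is this example's own knob: /proc/sys on a live host (root needed
# to write), or a scratch directory for a dry run.
SYSCTL_ROOT=${SYSCTL_ROOT:-/proc/sys}
KEYS="net.ipv4.tcp_syncookies net.ipv4.tcp_max_syn_backlog"

# key_path KEY: the file behind a sysctl key (dots become slashes)
key_path() { printf '%s/%s\n' "$SYSCTL_ROOT" "$(printf '%s' "$1" | tr . /)"; }

# snapshot FILE: save the current key=value pairs to FILE
snapshot() {
    : > "$1"
    for k in $KEYS; do
        printf '%s=%s\n' "$k" "$(cat "$(key_path "$k")")" >> "$1"
    done
}

# apply_file FILE: write each key=value line of FILE (no spaces around "=");
# the same call applies new settings or rolls back from a snapshot
apply_file() {
    while IFS='=' read -r k v; do
        case "$k" in ''|'#'*) continue ;; esac
        printf '%s\n' "$v" > "$(key_path "$k")" || return 1
    done < "$1"
}

# Dry run in a subshell on a constructed scratch tree; starting values are made up.
dry_run() (
    SYSCTL_ROOT=$(mktemp -d) || exit 1
    mkdir -p "$SYSCTL_ROOT/net/ipv4"
    echo 0    > "$SYSCTL_ROOT/net/ipv4/tcp_syncookies"
    echo 1024 > "$SYSCTL_ROOT/net/ipv4/tcp_max_syn_backlog"
    snapshot "$SYSCTL_ROOT/before.conf"
    printf 'net.ipv4.tcp_syncookies=1\nnet.ipv4.tcp_max_syn_backlog=1536\n' \
        > "$SYSCTL_ROOT/after.conf"
    apply_file "$SYSCTL_ROOT/after.conf"
    changed=$(cat "$SYSCTL_ROOT/net/ipv4/tcp_max_syn_backlog")
    apply_file "$SYSCTL_ROOT/before.conf"          # roll back
    restored=$(cat "$SYSCTL_ROOT/net/ipv4/tcp_max_syn_backlog")
    rm -rf "$SYSCTL_ROOT"
    echo "changed=$changed restored=$restored"
)
dry_run
```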
  #13  
Old 09-11-2008, 12:16 PM
Kendothpro Kendothpro is offline
 
Join Date: Sep 2005
Posts: 14

The best solution would probably be to install mod_evasive directly on your Apache server... it allows you to set the max number of requests per second per client... anything above will only get an access denied message
  #14  
Old 09-11-2008, 07:35 PM
Angel-Wings Angel-Wings is offline
 
Join Date: Sep 2007
Posts: 206

Quote:
Originally Posted by Kendothpro
The best solution would probably be to install mod_evasive directly on your apache server
No - this wouldn't help. This mod works on a per-client basis; this isn't useful for distributed attacks like a DDoS and so could do more damage.
By the time this mod has reacted and blocked a client, the next proxy / bot is already in use.
  #15  
Old 09-12-2008, 11:07 AM
Sycosphere Sycosphere is offline
 
Join Date: May 2007
Posts: 11

Ok guys, you all seem to agree that this is a SYN flood attack, any other opinions?
And if it IS a SYN attack, could someone with the proper experience possibly give us a solution that he/she is 100% sure that it works?
This topic has become more like a discussion, so let's put it together and offer a solution that would work for at least 80% of the people that are having the same problem that I am having.

BTW, Lynne, can you give me the name of that script you guys used?

Waiting for more opinions guys
  #16  
Old 09-12-2008, 02:16 PM
Lynne Lynne is offline
 
Join Date: Sep 2004
Location: California/Idaho
Posts: 41,180

Quote:
Originally Posted by Sycosphere
BTW, Lynne, can you give me the name of that script you guys used?
Hehe. It's called "scott.sh". Scott is the guy I hire to do stuff to our server and he wrote the code for us. It just grabs the IP of anyone pounding the tracker, throws the IP into a file and then the file is input into the iptables.
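A sketch of the approach Lynne describes, added here as an example; it is not scott.sh. It counts requests per client IP for one URL prefix in an Apache-style access log and prints, without running them, iptables rules for only the clients above a threshold. The log lines, addresses, threshold and function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not Lynne's scott.sh): list only the clients that exceed a
# request threshold for one URL prefix, then print iptables rules for review.

# offenders LOGFILE PREFIX THRESHOLD: one IP per line, sorted.
# Assumes Apache common/combined log format: field 1 = client IP, field 7 = path.
offenders() {
    awk -v prefix="$2" -v max="$3" '
        index($7, prefix) == 1 { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] > max) print ip }
    ' "$1" | sort
}

# block_rules: read IPs on stdin and print (not run) one DROP rule per IP.
# Empty lines and anything containing characters other than digits and dots
# are skipped, so log content never reaches the rule text unchecked.
block_rules() {
    while IFS= read -r ip; do
        case "$ip" in
            ''|*[!0-9.]*) continue ;;
        esac
        printf 'iptables -I INPUT -s %s -p tcp --dport 80 -j DROP\n' "$ip"
    done
}

# Constructed sample log: 203.0.113.9 hammers /vb/, the others browse normally.
sample_log() {
    for i in 1 2 3 4 5 6; do
        printf '203.0.113.9 - - [10/Sep/2008:11:00:0%s +0000] "GET /vb/index.php HTTP/1.1" 200 512\n' "$i"
    done
    printf '198.51.100.4 - - [10/Sep/2008:11:00:01 +0000] "GET /vb/showthread.php?t=1 HTTP/1.1" 200 2048\n'
    printf '198.51.100.4 - - [10/Sep/2008:11:00:05 +0000] "GET /vb/index.php HTTP/1.1" 200 512\n'
    printf '192.0.2.77 - - [10/Sep/2008:11:00:02 +0000] "GET /images/logo.gif HTTP/1.1" 200 900\n'
}

log=$(mktemp)
sample_log > "$log"
offenders "$log" /vb/ 5 | block_rules   # only the client above 5 hits is listed
rm -f "$log"
```

Only addresses above the threshold reach the rule list, so ordinary visitors stay unblocked; the threshold and the time window the log covers have to be chosen for the site's normal traffic.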
  #17  
Old 09-12-2008, 02:34 PM
Sycosphere Sycosphere is offline
 
Join Date: May 2007
Posts: 11

Lolz, I guess no one is ever gonna wanna use a script named scott anyway /joke
OK Lynne, I guess I'll have to finish my exams and start digging deep into this iptables thing and Linux generally, coz from now on I'm responsible for our server's management.

Thanks anyway Lynne, big thanks to all the guys who participated here, and it would be very nice to have others replying with useful opinions
  #18  
Old 09-12-2008, 11:29 PM
Shazz Shazz is offline
 
Join Date: Jun 2006
Location: Utah
Posts: 4,758

If this is not resolved yet I would be happy to help you out over instant messenger, just PM me for it or check my profile.

A lot of hosts are on Apache and do not specialize in these types of attacks. I've had huge DDoS attacks that bypass every firewall you install or any script you put in, including reverse DNS etc.

Just give me a shout if you run out of options..
  #19  
Old 09-13-2008, 09:23 AM
Sycosphere Sycosphere is offline
 
Join Date: May 2007
Posts: 11

Well Shazz, that's very nice of you, I added you on yahoo chat and will be talking to you when u get online, thanks in advance

btw ppl, if we (me & Shazz) could figure out a solution that actually works then I'll be posting some kind of a HOWTO here about it, just to help other site owners get through this kind of attack in the future
  #20  
Old 09-13-2008, 05:47 PM
space? space? is offline
 
Join Date: May 2008
Location: Germany
Posts: 96

Quote:
Originally Posted by Lynne
Hehe. It's called "scott.sh". Scott is the guy I hire to do stuff to our server and he wrote the code for us. It just grabs the IP of anyone pounding the tracker, throws the IP into a file and then the file is input into the iptables.
Sorry, I don't understand this one. If every visitor's IP is listed and blocked in the iptables - who can use the board anymore?

Quote:
Originally Posted by Sycosphere
btw ppl, if we (me & Shazz) could figure out a solution that actually works then I'll be posting some kind of a HOWTO here about it, just to help other site owners get through this kind of attack in the future
Looking forward to it