Go Back   vb.org Archive > Community Discussions > Forum and Server Management
FAQ Community Calendar Today's Posts Search

Reply
 
Thread Tools Display Modes
  #1  
Old 08-25-2008, 05:18 AM
Sycosphere Sycosphere is offline
 
Join Date: May 2007
Posts: 11
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default DDoS causing Server to Crash, Asking for Mod

Hello,
My site has been under heavy DDoS attacks for the past month!, it seems like they are using vBulletin against the server since the index page has many queries, and running the index page for say 500 times/second would send thousands of queries to the Mysql server causing it to crash over and over again.

Since vb.org is the official site for vbulletin modifications, I was thinking of an easy solution that I couldnt make, I'm a beginner PHP programmer but havnt got into vb mods programming yet. The idea was to create a modification that applys to all the templates, simply checking for a session variable ( $_SESSION['human'] ) , cookies or both. if they exist than its a real user, otherwise its a bot or a just a visitor.
If its a visitor than the mod would show a little form with one submit button ( Click me to enter ). the form would assign the ( human ) session variable and show the previously requested URL.
This would prevent requesting all the queries on the index page (or any other page) and replace it with a harmful, light and query-less page when detecting a non-human or a user without cookies.

See the PHP code below to better understanding of the idea:
PHP Code:
IF ( !isset($_SESSION['human') || !isset($_COOKIE['prefix_userid'])) {
    
show a form with a submit button Click to enter ).
} else { 
    (
Show the requested page ).
}
///////////////////
The form processing code would be something similar to this 
IF (isset(
$_POST['click_me']))  {
    
$_SESSION['human']==1;

The mode would simply be applied to the header to prevent loading any unnecessary data that would consume server resources during a DDoS attack, memebers wont need a variable to tell vb they're human since they have a userid cookie, visitors would need such confirmation. thats it!

I hope you guys got the idea, and hope one of you is gonna be able to do it in the next 2 or 3 days. I'm really in need for it, its just that I'm too busy upgrading to a dedicated server to learn the vBulletin coding HowTo's now!

BTW, sorry for the bad english, after all its a second language to me!
Thanks
Reply With Quote
  #2  
Old 08-25-2008, 02:53 PM
Lynne's Avatar
Lynne Lynne is offline
 
Join Date: Sep 2004
Location: California/Idaho
Posts: 41,180
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I saw a suggestion that you simply add an htaccess file to the forum directory with password protection when you are under a dos attack. You can put the username and password right on the form but since bots don't read them, they won't get in, but since your users can read, they just enter the information once and are in.
Reply With Quote
  #3  
Old 08-26-2008, 04:56 AM
Sycosphere Sycosphere is offline
 
Join Date: May 2007
Posts: 11
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Lynne,
I already tried that, there seem to be only one problem with this solution, about 95% of my visitors Arabians and htaccess files will show any arabic text as a rubbish.
I thought of this solution coz the ppl who are attacking my forum are using it ! I just understood the mechanism of it. and it seem to be working for them!

BTW, using this way a webmaster could even allow search spiders to surf the site by checking its browser or somethin that could tell them apart from other kinds of bots.

Thanks
Reply With Quote
  #4  
Old 09-06-2008, 08:14 PM
Sycosphere Sycosphere is offline
 
Join Date: May 2007
Posts: 11
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Hi,
There seems to be another problem with your suggestion Lynne, which is that some DDoS softwares now have the ability to bypass htaccess firewalls by simply going to the site, getting the username and password shown in the msg, and then entering them in the software itself and that would make the proxies able to enter that username and password when requesting the site! .
I guess this way is gone with the old days now, anyways , I've managed to create that firewall myelf, I'll be posting it here soon
Reply With Quote
  #5  
Old 09-06-2008, 09:04 PM
Lynne's Avatar
Lynne Lynne is offline
 
Join Date: Sep 2004
Location: California/Idaho
Posts: 41,180
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Is suppose you could be right (I really don't know). I have not solved our dos problems by doing that. We used a script that filled up our iptables with all ips that were pounding our server. It was still a painful four days, but you could get on the site.

I hate people who have too much time on their hands and think it would be fun to dos a site!
Reply With Quote
  #6  
Old 09-07-2008, 11:57 AM
2guys1forum 2guys1forum is offline
 
Join Date: Mar 2008
Posts: 17
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I have tried these things but the only thing that seems to work is to have a strong IPtables setup, otherwise the DDoS will just continue. Also make sure that it is not one of the vBulletin mods you have installed is being DDoS'ed as it is easy to do so.

I had a shoutbox installed which was easy to DDoS and that is how my forums got DDoS'ed with only the use of 12 bots. Therefore I suggest you check all your mods and make sure they are protected from DDoS attacks.
Reply With Quote
  #7  
Old 09-08-2008, 05:55 AM
Sycosphere Sycosphere is offline
 
Join Date: May 2007
Posts: 11
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Well, I'm not that much of a guru when it comes to linux, this IPtables term is totally new to me so I had to be a little creative, So I changed the mechanism of the mod that I had in mind the first time I thought of it.
Now its working this way, a visitor opens up a page from my forum, php generates an md5 hash for him, then shortens it to only 6 chars and stores it in a session variable, and shows a form with a ( Click me button ). when the visitors clicks that button, a hidden field named 'h' (short for hash) is submitted and compared with the session variable already stored. So it works sort of like the session id concept now.
btw, I used GET method in that form to get around that security token issue when you post a form to a vb script that has CSRF protection turned on.

Sometimes this helps, specially when the ppl who r attacking you r not that smart, or not too many!

Anyways the attack has stopped, and I can go on with my life now , I'll be posting any other kind of solution for this problem that I find.

Thanks
Reply With Quote
  #8  
Old 09-08-2008, 10:07 AM
snakes1100 snakes1100 is offline
 
Join Date: Dec 2001
Location: Michigan
Posts: 3,733
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

If your actually being DDoS'd and its already in progress, 99% of the time you won't even be able to access your server, you will need to speak to your host, your not going to stop a DDoS attack with anything via the server/forums, the attack needs to be stopped at the router level if the server is already over whelmed with the mass request attack.

As well as some posts here say, your hacks arent whats being attacked via DDoS, DDoS attacks happen at the NIC level and is targeting things such as echo/ping requests and flooding the server with to many requests. An attack on a poorly written PHP page isn't really considered a DDoS attack.
Reply With Quote
  #9  
Old 09-09-2008, 05:01 PM
Sycosphere Sycosphere is offline
 
Join Date: May 2007
Posts: 11
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Hello Snake,
obviously, I'm not an owner of a site that would get a 1000 users with broadband connections to actually DDoS him and flood the NIC itself! , neither 99% of forum owners here are!
What your talking about happens to site like Yahoo! for crying out load!, while what I'm talking about is some softwares being spread between users and script kiddies with good connections that make repetitive requests to database driven sites causing the mysql server to crash the whole server!. What I'm saying here is .... Imagine the difference between sending 30 queries a 1000 times in one second, and processing a simple html page
I think there is a huge difference when u see it that way, of course only in cases like mine, not the mass-destructive cases ur talking about

Another point to be considered is that about 70% (maybe more I dont know) of database driven websites are not on a dedicated server, so when a site causes a server to crash, the hosting company will advise the site owner to get a dedicated server, or simply kicks him out!.
Also hosting companies does not offer DDoS protection for free, so another possible respond would be advising the site owner to get a DDoS protection and pay huge extra fees monthly. Ask me, I'm hosted with iWEB !

You said :
Quote:
your not going to stop a DDoS attack with anything via the server/forums
Well, Lynne here had another opinion:
Quote:
We used a script that filled up our iptables with all ips that were pounding our server. It was still a painful four days, but you could get on the site.
btw, I dont know why I get the feeling that you thought I said that they are attacking one of hacks, well .. I didnt, they're simply attacking different vbulletin scripts like index.php, image.php, misc.php ... etc, I wouldnt exactly call vb a "poorly written php page".

Anyways, the solution actually worked, on some level ... So I guess I'll stick to the idea and try to develop it a little bit more so it involves IPtables maybe.
Reply With Quote
  #10  
Old 09-09-2008, 10:28 PM
fatal1980 fatal1980 is offline
 
Join Date: Jul 2006
Posts: 68
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I think you need to identify the attack first before you try blocking it. Are you sure its not just a simple syn flood attack? Which is rather simple to block. Even then if they're making multiple connections to your server per second you can block them using iptables.

iptables -A BADGUY -p tcp --syn --dport 80 -m recent --name dos --update --seconds 10 --hitcount 16 -j DROP
Reply With Quote
Reply


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 02:40 PM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04473 seconds
  • Memory Usage 2,264KB
  • Queries Executed 11 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (1)bbcode_php
  • (2)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (2)pagenav_pagelink
  • (10)post_thanks_box
  • (10)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (10)post_thanks_postbit_info
  • (10)postbit
  • (10)postbit_onlinestatus
  • (10)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete