Our game servers are getting DDoS attacks from Argentina and sometimes from other countries as well. We have iptables, APF etc., but it does not help. When our administrators happen to be online, they handle it with netstat + apf/iptables over SSH using the following steps:
netstat -n|grep :80|cut -c 45-|cut -f 1 -d ':'|sort|uniq -c|sort -nr|more
That shows you the attackers' IPs.
And then you block them with:
apf -d 123.456.789.112
iptables -I INPUT -s 123.456.789.123 -j DROP
But nobody can be online 24 hours a day and monitor everything around the clock. That is what automated solutions are for.
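The post above asks for an automated version of the netstat + iptables routine. The POSIX shell script below is an added example, not code from this thread: it counts connections per remote IP from netstat -n output (a constructed sample is embedded), reports the addresses at or above a threshold, and emits the matching iptables DROP commands instead of executing them. The port, the threshold and the sample data are assumptions.

```shell
#!/bin/sh
# Constructed sample of `netstat -n` output (not a real capture). Column 4 is
# the local address:port, column 5 the remote address:port of each connection.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51237       SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.9:40001      ESTABLISHED
tcp        0      0 10.0.0.5:22             198.51.100.9:40002      ESTABLISHED
tcp        0      0 10.0.0.5:80             192.0.2.33:60010        TIME_WAIT'

# Count connections to the given local port per remote address.
# Reads netstat-style text on stdin, prints "<count> <ip>", highest first.
# The port suffix is stripped with a regex instead of cut -c, so the
# column position does not matter and IPv4-mapped IPv6 addresses survive.
count_per_ip() {
    port="$1"
    awk -v port="$port" '
        $1 ~ /^tcp/ && $4 ~ (":" port "$") {
            ip = $5; sub(/:[0-9]+$/, "", ip); n[ip]++
        }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Print only the addresses whose connection count reaches the threshold.
over_threshold() {
    port="$1"; threshold="$2"
    count_per_ip "$port" | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Emit (not run) the block command from the thread for each offender, with a
# comment so the rule can be identified and removed later.
block_commands() {
    over_threshold "$1" "$2" | while read -r ip; do
        printf 'iptables -I INPUT -s %s -j DROP -m comment --comment "auto-block port %s"\n' "$ip" "$1"
    done
}

# Usage on the sample: port 80, block at 3 or more parallel connections.
# In a cron job you would feed it `netstat -n` and pipe the output to sh.
echo "$SAMPLE_NETSTAT" | block_commands 80 3
```

With the sample data only 203.0.113.7 (4 connections to port 80) is reported; 198.51.100.9 has one connection to port 80 and one to port 22, which is not counted.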
It is advisable to take a closer look at the packets in order to write your own filters. Some sequences are typical of particular DDoS tools. Some have a specific string as the HTTP User-Agent.
Best to record the network stream with a tool like tcpdump and analyse it later with tcpdump or wireshark.
Record the network stream and save it as "ddos.pcap":
sudo tcpdump -w ddos.pcap
You can also save only the traffic from a specific IP address:
sudo tcpdump host 192.168.1.1 -w ddos.pcap
If the Apache server is being attacked, you can display the requests to the server with the program apachetop.
Installation:
apt-get install apachetop
apachetop takes as its parameter the access_log of the website you want to monitor.
apachetop -f /var/log/virtualmin/WEBSEITE_access_log
This is what the tool's output looks like (IP addresses have been censored):
last hit: 19:02:48 atop runtime: 0 days, 00:05:13 19:02:48
All: 303 reqs ( 1.0/sec) 699.4K ( 2303.0B/sec) 2363.8B/req
2xx: 162 (53.5%) 3xx: 108 (35.6%) 4xx: 33 (10.9%) 5xx: 0 ( 0.0%)
R ( 29s): 28 reqs ( 1.0/sec) 60.1K ( 2122.4B/sec) 2198.2B/req
2xx: 17 (60.7%) 3xx: 8 (28.6%) 4xx: 3 (10.7%) 5xx: 0 ( 0.0%)
REQS REQ/S KB KB/S HOST
9 0.31 2.9 0.1*76...
4 0.15 18.9 0.7 178...
3 0.10 13.6 0.5 66...
3 0.21 10.0 0.7 95...
2 0.13 9.2 0.6 66...
2 0.08 0.5 0.0 50...
2 0.13 1.8 0.1 91...
2 0.08 2.9 0.1 93...
1 0.10 0.2 0.0 38...
With the 'd' key you can switch between IP addresses and referrers while the statistics are displayed.
Many thanks for the important information. I have bookmarked this page!
The MySQL database is often brought to its knees by DDoS. Therefore it makes sense to monitor the database as well. You can use the MySQL console for that.
mysql -u root -p
Show MySQL status:
mysql> show status;
mysql> show status like '%threads%';
+------------------------+-------+
| Variable_name | Value |
+------------------------+-------+
| Delayed_insert_threads | 0 |
| Slow_launch_threads | 0 |
| Threads_cached | 3 |
| Threads_connected | 29 |
| Threads_created | 227 |
| Threads_running | 29 |
+------------------------+-------+
6 rows in set (0.00 sec)
Show running MySQL processes:
mysql> show processlist;
+------+-------+-----------+----------+---------+------+----------------------+------------------------------------------------------------------------------------------------------+
| Id | User | Host | db | Command | Time | State | Info |
+------+-------+-----------+----------+---------+------+----------------------+------------------------------------------------------------------------------------------------------+
| 196 | kpost | localhost | NULL | Query | 0 | NULL | show processlist |
| 2329 | kpost | localhost | mysite | Query | 2 | freeing items | INSERT INTO captcha_sessions (uid, sid, ip_address, timestamp, form_id, solution, status, attempts) |
| 2332 | kpost | localhost | mysite | Query | 2 | update | INSERT INTO watchdog (uid, type, message, variables, severity, link, location, referer, hostname, ti |
| 2333 | kpost | localhost | mysite | Query | 2 | NULL | commit |
| 2334 | kpost | localhost | mysite | Query | 2 | statistics | SELECT status FROM captcha_sessions WHERE csid = '3544143' |
| 2337 | kpost | localhost | mysite | Query | 10 | Sending data | SELECT source, alias FROM url_alias WHERE source IN ('node/3618', 'taxonomy/term/58', 'taxonomy/term |
| 2338 | kpost | localhost | mysite | Query | 2 | statistics | SELECT cid, data, created, expire, serialized FROM cache_menu WHERE cid IN ('links:user-menu:page:ta |
| 2339 | kpost | localhost | mysite | Query | 2 | statistics | SELECT cid, data, created, expire, serialized FROM cache_field WHERE cid IN ('field:node:2842') |
| 2340 | kpost | localhost | mysite | Query | 2 | Copying to tmp table | SELECT node.title AS node_title, node.nid AS nid, node.language AS node_language, node_counter.total |
| 2341 | kpost | localhost | mysite | Query | 2 | Copying to tmp table | SELECT node.title AS node_title, node.nid AS nid, node.language AS node_language, node_counter.total |
| 2342 | kpost | localhost | mysite | Query | 2 | freeing items | INSERT INTO captcha_sessions (uid, sid, ip_address, timestamp, form_id, solution, status, attempts) |
| 2343 | kpost | localhost | mysite | Query | 2 | Sending data | SELECT ml.*, m.*, ml.weight AS link_weight
FROM
menu_links ml
LEFT OUTER JOIN menu_router m ON m.pa |
| 2344 | kpost | localhost | mysite | Query | 2 | Sorting result | SELECT source FROM url_alias WHERE alias = 'comment/11745' AND language IN ('de', 'und') ORDER BY la |
| 2345 | kpost | localhost | mysite | Query | 2 | statistics | SELECT cid, data, created, expire, serialized FROM cache_path WHERE cid IN ('node/3654') |
+------+-------+-----------+----------+---------+------+----------------------+------------------------------------------------------------------------------------------------------+
With tcpdump you can also analyse the packets.
Record:
tcpdump -v -n -w angreifer.pcap dst port 80 -c 2500
Evaluate:
:~# tcpdump -nr angreifer.pcap | awk '{print $3}' |grep -oE '[0-9]{1,}\.[0-9]{1,}\.[0-9]{1,}\.[0-9]{1,}' |sort | uniq -c |sort -rn
reading from file angreifer.pcap, link-type LINUX_SLL (Linux cooked)
724 x.105.77.138
539 x.161.43.197
174 x.227.140.114
135 x.97.154.31
116 x.55.32.57
114 x.161.51.149
104 x.131.184.85
96 x.183.161.20
48 x.55.32.142
Recently my website was very, very slow and a single request took up to 10 seconds. After hours of research I found the error. Maybe one or two of you have had the same problem.
[Mon Sep 16 13:12:46 2013] [error] server reached MaxClients setting, consider raising the MaxClients setting
The problem was that the MaxClients count had been exceeded, so no further connections could be created.
In /etc/apache2/apache2.conf I doubled the number and loaded the current configuration with
/etc/init.d/apache2 reload
You can also prevent SYN floods with iptables:
iptables -N syn-flood
iptables -A syn-flood -m limit --limit 12/second --limit-burst 60 -j RETURN
iptables -A syn-flood -j LOG --log-prefix "SYN FLOOD: "
iptables -A syn-flood -j DROP
Only 12 connections per second may be established; as soon as there are more than 60, the IP address is blocked.
This command is supposed to limit parallel connections on HTTP; does anyone have experience with it? Can I also block Google bots with it?
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT
After 200 established connections only 50 parallel connections may exist, otherwise the IP address is blocked. Have I understood that correctly?
Networking is not my focus. Is it even sensible to block individual IPs to prevent a DDoS attack?
As far as I know, hackers use a great many PCs with different IPs for DDoS attacks, and those IPs change within seconds. So what is the point of blocking individual IPs?
Comments
iptables -I INPUT -s 123.456… Thu, 03/22/2018 - 02:56
iptables -I INPUT -s 123.456.789.123 -j DROP -m comment --comment "comments for blocking this ip"