HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials (http://www.howtoforge.com/forums/index.php)
-   Server Operation (http://www.howtoforge.com/forums/forumdisplay.php?f=5)
-   -   how to analyze a DOS attack? (http://www.howtoforge.com/forums/showthread.php?t=55878)

Ovidiu 23rd January 2012 10:35

how to analyze a DOS attack?
 
I think some script kiddie or similar is having fun targeting my server. happened about 3 times in the last 3 weeks. server would come to a stand still and all I can still see is that all 4GB of RAM is begin used and about 5GB of swapping done. countless apache2 threads and php-cgi processes. Munin show a huge spike in traffic.
everything is becoming so slow that only a reboot can help.

now how would I analyze my log files to see which site was being targeted and which IP or IPs the attack came from?

can one use some iptables rules to block i.e. incoming packets from any IPs that are asking for a site too often, within certain limits?

I did a search for some tools and found these 3

http://www.rfxn.com/projects/advanced-policy-firewall/
http://www.rfxn.com/projects/process-resource-monitor/
http://www.rfxn.com/projects/system-integrity-monitor/

but do I really need something like that?

I already added mod_dosevasive but that won't help that much since the apache and php_cgi processes still get spawned even though the visitor gets a 403 error he has still kept my server busy.

any advice and help here?

Ovidiu 25th January 2012 15:48

I have done some reading and I think I am looking for a cross between Fail2ban and mod_dosevasive.

Any advice for me pelase?


All times are GMT +2. The time now is 20:29.

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.