23rd January 2012, 10:35
Ovidiu
how to analyze a DOS attack?

I think some script kiddie or similar is having fun targeting my server. It happened about 3 times in the last 3 weeks. The server would come to a standstill, and all I can still see is that all 4GB of RAM is being used and about 5GB of swapping is done: countless apache2 threads and php-cgi processes. Munin shows a huge spike in traffic.
Everything is becoming so slow that only a reboot can help.

Now, how would I analyze my log files to see which site was being targeted and which IP or IPs the attack came from?

Can one use some iptables rules to block, i.e., incoming packets from any IPs that are asking for a site too often, within certain limits?

I did a search for some tools and found these 3:

http://www.rfxn.com/projects/advanced-policy-firewall/
http://www.rfxn.com/projects/process-resource-monitor/
http://www.rfxn.com/projects/system-integrity-monitor/

But do I really need something like that?

I already added mod_dosevasive, but that won't help that much, since the apache and php_cgi processes still get spawned; even though the visitor gets a 403 error, he has still kept my server busy.

Any advice and help here?
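An added example, not from this post or from any of the tools linked above, of the log analysis the question asks for: it parses Apache combined-format access log lines prefixed with the vhost (the `%v` LogFormat field is an assumption about how the logs are written), counts requests per site and per source IP, and flags IPs that exceed a request threshold inside a short sliding window. The sample log lines, IPs and thresholds are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumed format: LogFormat "%v %h %l %u %t \"%r\" %>s %b" (vhost prefix optional).
LINE_RE = re.compile(
    r'^(?:(?P<vhost>[\w.-]+) )?(?P<ip>[\d.:a-fA-F]+) \S+ \S+ '
    r'\[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # malformed or foreign line: caller skips it
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], TS_FMT)
    return d

def analyze(lines, max_hits=5, window_sec=10):
    """Per-vhost counts, per-IP counts, and IPs with > max_hits requests in any window_sec span."""
    per_vhost, per_ip = Counter(), Counter()
    times = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        per_vhost[rec["vhost"] or "(no vhost)"] += 1
        per_ip[rec["ip"]] += 1
        times[rec["ip"]].append(rec["ts"])
    bursty = set()
    for ip, ts in times.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):          # sliding window over sorted timestamps
            while (ts[end] - ts[start]).total_seconds() > window_sec:
                start += 1
            if end - start + 1 > max_hits:
                bursty.add(ip)
                break
    return per_vhost, per_ip, bursty

# Constructed sample: one IP hammers the shop vhost (7 hits in 7 s), one IP browses normally.
SAMPLE_LOG = [
    f'shop.example.org 203.0.113.5 - - [23/Jan/2012:10:00:0{s} +0100] "GET /index.php HTTP/1.1" 403 212'
    for s in range(1, 8)
] + [
    'blog.example.org 198.51.100.7 - - [23/Jan/2012:10:00:02 +0100] "GET /feed HTTP/1.1" 200 5120',
    'blog.example.org 198.51.100.7 - - [23/Jan/2012:10:00:30 +0100] "GET /post/1 HTTP/1.1" 200 8800',
]
```

Run `analyze(open("/var/log/apache2/access.log"))` on the real file to get the targeted vhost and the bursty IPs; the 403s from mod_dosevasive still show up here, which is why the thresholds matter more than the status code.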