Webserver Attack
79 replies
23.06.12 09:55:38 pm
Looks like Counter-Strike 2D servers are not the only target of those slightly retarded kids. My webserver has been attacked today, leading to bad accessibility of all Unreal Software websites.
I blocked the attacking IP (50.72.86.162) now. I assume that it overloaded the webserver the entire day.
I want to note that this will be examined and it will draw legal consequences if I'm able to find out who is responsible for this.
Sorry to everyone who wasn't able to access the website because of this.
edited 1×, last 19.07.12 12:07:07 am
Was it really only 1 IP? Doesn't apache/httpd automatically give out 500s for overloading requests? Perhaps you should set that up properly.
@PyKemis: No I'm not sure if it was just one IP. I didn't examine the logfiles yet. I just know that there was a suspiciously high amount of TCP connections from the mentioned IP so I iptable banned it and the server worked well since that. Maybe a Syn-Flood or something else. I didn't examine it yet.
Before doing that I already tried a shitload of Apache configurations to solve the problem. Apache always reached the maximum number of connections within a few minutes, even if I set them to something like 3000 (a value which is never reached even closely... normally). I know how to setup a webserver properly, that's not the problem...


The reason I say that is because, during the attack, I tried to connect to unreal, and it did try to load the website.
If max connections have been initialized/declared then it should have sent me a 503--which I never got.

Code:
iptables -A INPUT -p TCP --syn -m iplimit --iplimit-above 9 -j DROP
This one would work great against 80% of TCP attacks (change number to desired, of course, I stick with 9). Dropping when many IP addresses are performing DDoS attack on your server.
edited 2×, last 23.06.12 10:25:10 pm
The attacker can hide/change his ip right?
Because this ip is Canadian. Canadian crasher doesn't make sense.


Because this ip is Canadian, it doesn't make sense.

Canada wants to be seen as nobody cares about them. Ignore.
US.de loaded for me, but very slowly. I was still able to do everything I normally could but slowpoke. It's weird how people want to ruin a community full of kids which probably don't even care as long as the game works.
Sad.
@oxytamine: Great idea. Thanks.

This made me lol so bad.
Ahmad has written:
Because this ip is Canadian,it doesn't make sense
So what if it's Canadian? It could have been an Arabian IP.

SMB attacks could be easily blocked by this.
Code:
iptables -A INPUT -p UDP --dport 135:139 -j DROP
iptables -A INPUT -p TCP --dport 135:139 -j DROP
Since they all use same port. Also, let's limit connections to port 80, DDoS'ing this port is the most common attack since kids often use pre-compiled scripts/programs which flood port 80.
Code:
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset
That's what I'm talking about - it will reject all the connections from specific IP if limit is reached (in this case limit is 20, I set 40).
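
Added example, not part of any post in this thread: a way to see which source addresses hold more connections to port 80 than a per-IP limit such as the connlimit value above, by counting peers in `ss`-style output. The function names and the sample connections (documentation address ranges) are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-source TCP connection count from `ss -Htan` style
# output, listing the sources that exceed a per-IP limit.

# over_limit LIMIT PORT   (reads ss-style lines on stdin)
# Columns assumed: State Recv-Q Send-Q Local:Port Peer:Port
over_limit() {
    awk -v limit="$1" -v port="$2" '
        $1 == "LISTEN" { next }              # listening sockets have no peer
        {
            n = split($4, l, ":")            # local port is the last piece
            if (l[n] != port) next
            peer = $5
            sub(/:[0-9]+$/, "", peer)        # drop peer port, IPv6 stays intact
            count[peer]++
        }
        END {
            for (ip in count)
                if (count[ip] > limit) print count[ip], ip
        }' | sort -rn
}

# Constructed sample input, not real log data.
sample_connections() {
    echo "LISTEN 0 128 0.0.0.0:80 0.0.0.0:*"
    i=0
    while [ "$i" -lt 25 ]; do
        echo "SYN-RECV 0 0 203.0.113.10:80 198.51.100.7:$((40000 + i))"
        i=$((i + 1))
    done
    echo "ESTAB 0 0 203.0.113.10:80 192.0.2.15:51234"
    echo "ESTAB 0 0 203.0.113.10:80 192.0.2.15:51235"
    echo "ESTAB 0 0 203.0.113.10:22 192.0.2.99:60000"
    echo "ESTAB 0 0 [2001:db8::1]:80 [2001:db8::bad]:41000"
}

# On a live host: ss -Htan | over_limit 20 80
sample_connections | over_limit 20 80
```

If many sources each stay under the limit, nothing is listed, which is the distributed case raised in the next reply.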
DC have you confirmed that the attacker had only 1 IP? These solutions are good but are only towards dos.

So what if it's Canadian? It could have been an Arabian IP.
Or it could have been you posting gayporn everywhere.
Owait. Did I just? Yea.. I did, screw you.

These solutions are good but are only towards dos.
That's one thing fixed then. Would you protect something against all attacks yet must wait for an actual solution. Or would you protect it from one attack right away!? Seriously dude, your posts are getting more and more useless.

That's one thing fixed then. Would you protect something against all attacks yet must wait for an actual solution. Or would you protect it from one attack right away!? Seriously dude, your posts are getting more and more useless.
I once told him that he is talking non-sense, but he did not listen.

Fucking retarded kids, I hope they burn in hell.
I'll never seem to understand sense of attacking a simple forum. DDoS attacks could be useful when you're making business (I once DDoS'ed e-Quality to death for a couple of hours, I lol'd), but it's completely useless when it turns out that you do not profit from DDoS'ing.
edited 1×, last 23.06.12 10:59:30 pm

Or it could have been you posting gayporn everywhere.
Owait. Did I just? Yea.. I did, screw you.
Hmm.. you seem to have a wild imagination. Stupid much? You're screwing yourself.
