0

My server is under attack!

When I use netstat -anp | grep :80 I get the following listing:

tcp        0      0 162.167.98.11:80        5.189.156.224:58211     SYN_RECV    -
tcp        0      0 162.167.98.11:80        5.189.156.224:39608     SYN_RECV    -
tcp        0      0 162.167.98.11:80        5.189.156.224:33261     SYN_RECV    -
tcp        0      0 162.167.98.11:80        5.189.156.224:56951     SYN_RECV    -

There are tens of lines like this.

Please help me to understand this listing and how can I protect the server against this IP that is making a huge amount of requests. I'm using fail2ban that is configured against DDOS attacks but it looks that I'm missing something.

The server is a virtual machine running Ubuntu 12.04

Andy Lester
  • 91,102
  • 13
  • 100
  • 152
Victor
  • 581
  • 6
  • 15

2 Answers2

1

Fail2ban would react only to clients that generate some kind of error.

This might by a Slowloris attack. It works by opening a connection and trying to keep it open as long as possible by constantly adding something to the request. Then additional such connections are being opened and kept open.

So the possible solutions are about limiting the open connections per client.

This can be done with iptables directly as mentioned here or by using appropriate apache modules (if this is your webserver anyway).

One explicitly being designed for this purpose is mod_antiloris, another one that is more configurable is mod_qos.

Community
  • 1
  • 1
nlu
  • 1,903
  • 14
  • 18
0

Finally I manage to stop the attack by following this tutorial for server security: https://www.thefanclub.co.za/how-to/how-secure-ubuntu-1204-lts-server-part-1-basics#comment-1091

Victor
  • 581
  • 6
  • 15