how to prevent a mild DOSS attack?
am 25.11.2009 23:38:05 von LAMP
hi guys,
this morning I got complaints from the website owner and tons of visitors -
nobody was able to access the website. it would just time out.
I contacted the hosting company for more info but they said the virtual
private server, where the website is, has a lot of traffic and 512MB of
RAM is not enough and I have to upgrade to at least 1GB etc.
it does make sense.
though, at 4pm neither I nor 10 other people I asked for help were able to
access the website.
it was a little bit fishy to have BIG traffic the whole day long (the website
is far from it) and, since I don't have a problem accessing WHM/cPanel
of the server, I downloaded the apache access file (stupid, I was supposed to do
it in the morning) and found 20-30 IP addresses that were repeatedly trying
to access one (only one) page (something like article.php). and they
were requesting the same page so frequently that nobody else was able to
access the website. it looked to me like a little DOSS attack - where the
attacker wanted just to make the website busy, not to crash the server.
I contacted the hosting company again. they said there is nothing they can
do about this - even though I'm paying them to manage my virtual server (I can
manage it this way by myself too). of course they can if I pay extra :-(
now, my question is: is there anything I can do to stop these attacks
using php? something? anything?
thanks
L
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: how to prevent a mild DOSS attack?
am 25.11.2009 23:57:59 von Ashley Sheridan
On Wed, 2009-11-25 at 16:38 -0600, LAMP wrote:
> hi guys,
> this morning I got complains from website owner and tons of visitors -
> nobody was able to access the website. it will just timeout.
> I contacted hosting company for more info but they said the virtual
> privet server, where the website is, has a lot of traffic and 512MB of
> RAM is not enough and I have to make an upgrade to at least 1GB etc.
> it does a make a sense.
> though, at 4pm I, nor 10 other people I asked for help, was able to
> access to the website.
> it was a little bit fishy about BIG traffic whole day long (the website
> is far from it) and, since I don't have a problem accessing WHM/cPanel
> of the server, I downloaded apache access file (stupid, I supposed to do
> it in the morning) and found 20-30 IP addresses, repeatedly were trying
> to access one (only one) page (something like article.php). and they
> were requesting the same page so frequently - nobody else was able to
> access to the website. it looked to me like a little DOSS attack - where
> attacker wanted just to make the website busy, not to crush the server.
> I contacted hosting company again. they said there is nothing they can
> do about this- even I'm paying them to manage my virtual server (I can
> manage this way by my self too). of course they can if I pay extra :-(
>
> now, my question is: is there anything I can do to stop these attacks
> using php? something? anything?
>
> thanks
> L
>
There's nothing you could do with PHP to fix this really, as trying to
block IP addresses from there would be expensive for the processor and
memory of the server.
You could use the cPanel to block access to the offending IP addresses
though.
Thanks,
Ash
http://www.ashleysheridan.co.uk
Re: how to prevent a mild DOSS attack?
am 26.11.2009 01:24:09 von LinuxManMikeC
Or DoS back at em. :-D
On Wed, Nov 25, 2009 at 3:57 PM, Ashley Sheridan
wrote:
> On Wed, 2009-11-25 at 16:38 -0600, LAMP wrote:
>
>> hi guys,
>> this morning I got complains from website owner and tons of visitors -
>> nobody was able to access the website. it will just timeout.
>> I contacted hosting company for more info but they said the virtual
>> privet server, where the website is, has a lot of traffic and 512MB of
>> RAM is not enough and I have to make an upgrade to at least 1GB etc.
>> it does a make a sense.
>> though, at 4pm I, nor 10 other people I asked for help, was able to
>> access to the website.
>> it was a little bit fishy about BIG traffic whole day long (the website
>> is far from it) and, since I don't have a problem accessing WHM/cPanel
>> of the server, I downloaded apache access file (stupid, I supposed to do
>> it in the morning) and found 20-30 IP addresses, repeatedly were trying
>> to access one (only one) page (something like article.php). and they
>> were requesting the same page so frequently - nobody else was able to
>> access to the website. it looked to me like a little DOSS attack - where
>> attacker wanted just to make the website busy, not to crush the server.
>> I contacted hosting company again. they said there is nothing they can
>> do about this- even I'm paying them to manage my virtual server (I can
>> manage this way by my self too). of course they can if I pay extra :-(
>>
>> now, my question is: is there anything I can do to stop these attacks
>> using php? something? anything?
>>
>> thanks
>> L
>>
>
>
> There's nothing you could do with PHP to fix this really, as trying to
> block IP addresses from there would be expensive for the processor and
> memory of the server.
>
> You could use the cPanel to block access to the offending IP addresses
> though.
>
> Thanks,
> Ash
> http://www.ashleysheridan.co.uk
>
>
>
Re: how to prevent a mild DOSS attack?
am 26.11.2009 01:44:44 von LinuxManMikeC
On Wed, Nov 25, 2009 at 3:57 PM, Ashley Sheridan
wrote:
> On Wed, 2009-11-25 at 16:38 -0600, LAMP wrote:
>
>> hi guys,
>> this morning I got complains from website owner and tons of visitors -
>> nobody was able to access the website. it will just timeout.
>> I contacted hosting company for more info but they said the virtual
>> privet server, where the website is, has a lot of traffic and 512MB of
>> RAM is not enough and I have to make an upgrade to at least 1GB etc.
>> it does a make a sense.
>> though, at 4pm I, nor 10 other people I asked for help, was able to
>> access to the website.
>> it was a little bit fishy about BIG traffic whole day long (the website
>> is far from it) and, since I don't have a problem accessing WHM/cPanel
>> of the server, I downloaded apache access file (stupid, I supposed to do
>> it in the morning) and found 20-30 IP addresses, repeatedly were trying
>> to access one (only one) page (something like article.php). and they
>> were requesting the same page so frequently - nobody else was able to
>> access to the website. it looked to me like a little DOSS attack - where
>> attacker wanted just to make the website busy, not to crush the server.
>> I contacted hosting company again. they said there is nothing they can
>> do about this- even I'm paying them to manage my virtual server (I can
>> manage this way by my self too). of course they can if I pay extra :-(
>>
>> now, my question is: is there anything I can do to stop these attacks
>> using php? something? anything?
>>
>> thanks
>> L
>>
>
>
> There's nothing you could do with PHP to fix this really, as trying to
> block IP addresses from there would be expensive for the processor and
> memory of the server.
>
> You could use the cPanel to block access to the offending IP addresses
> though.
>
> Thanks,
> Ash
> http://www.ashleysheridan.co.uk
>
>
>
Ok... serious answer. The DoS is either coming from script kiddies
dumb enough to do it from their own IP, or it's coming from a bot-net
comprised of computers whose owners are morons and don't keep their
computers secure. Either way, do a WHOIS, reverse DNS query, and
traceroute on the IPs. You should be able to find the ISPs of the
attacking systems. Email the ISP tech department with your info and
let them take care of the offending systems.
Re: how to prevent a mild DOSS attack?
am 28.11.2009 18:24:28 von LAMP
LinuxManMikeC wrote:
> Or DoS back at em. :-D
>
I would love to.
:-)
> On Wed, Nov 25, 2009 at 3:57 PM, Ashley Sheridan
> wrote:
>
>> On Wed, 2009-11-25 at 16:38 -0600, LAMP wrote:
>>
>>
>>> hi guys,
>>> this morning I got complains from website owner and tons of visitors -
>>> nobody was able to access the website. it will just timeout.
>>> I contacted hosting company for more info but they said the virtual
>>> privet server, where the website is, has a lot of traffic and 512MB of
>>> RAM is not enough and I have to make an upgrade to at least 1GB etc.
>>> it does a make a sense.
>>> though, at 4pm I, nor 10 other people I asked for help, was able to
>>> access to the website.
>>> it was a little bit fishy about BIG traffic whole day long (the website
>>> is far from it) and, since I don't have a problem accessing WHM/cPanel
>>> of the server, I downloaded apache access file (stupid, I supposed to do
>>> it in the morning) and found 20-30 IP addresses, repeatedly were trying
>>> to access one (only one) page (something like article.php). and they
>>> were requesting the same page so frequently - nobody else was able to
>>> access to the website. it looked to me like a little DOSS attack - where
>>> attacker wanted just to make the website busy, not to crush the server.
>>> I contacted hosting company again. they said there is nothing they can
>>> do about this- even I'm paying them to manage my virtual server (I can
>>> manage this way by my self too). of course they can if I pay extra :-(
>>>
>>> now, my question is: is there anything I can do to stop these attacks
>>> using php? something? anything?
>>>
>>> thanks
>>> L
>>>
>>>
>> There's nothing you could do with PHP to fix this really, as trying to
>> block IP addresses from there would be expensive for the processor and
>> memory of the server.
>>
>> You could use the cPanel to block access to the offending IP addresses
>> though.
>>
>> Thanks,
>> Ash
>> http://www.ashleysheridan.co.uk
>>
>>
>>
>>
Re: how to prevent a mild DOSS attack?
am 28.11.2009 18:24:34 von LAMP
LinuxManMikeC wrote:
> On Wed, Nov 25, 2009 at 3:57 PM, Ashley Sheridan
> wrote:
>
>> On Wed, 2009-11-25 at 16:38 -0600, LAMP wrote:
>>
>>
>>> hi guys,
>>> this morning I got complains from website owner and tons of visitors -
>>> nobody was able to access the website. it will just timeout.
>>> I contacted hosting company for more info but they said the virtual
>>> privet server, where the website is, has a lot of traffic and 512MB of
>>> RAM is not enough and I have to make an upgrade to at least 1GB etc.
>>> it does a make a sense.
>>> though, at 4pm I, nor 10 other people I asked for help, was able to
>>> access to the website.
>>> it was a little bit fishy about BIG traffic whole day long (the website
>>> is far from it) and, since I don't have a problem accessing WHM/cPanel
>>> of the server, I downloaded apache access file (stupid, I supposed to do
>>> it in the morning) and found 20-30 IP addresses, repeatedly were trying
>>> to access one (only one) page (something like article.php). and they
>>> were requesting the same page so frequently - nobody else was able to
>>> access to the website. it looked to me like a little DOSS attack - where
>>> attacker wanted just to make the website busy, not to crush the server.
>>> I contacted hosting company again. they said there is nothing they can
>>> do about this- even I'm paying them to manage my virtual server (I can
>>> manage this way by my self too). of course they can if I pay extra :-(
>>>
>>> now, my question is: is there anything I can do to stop these attacks
>>> using php? something? anything?
>>>
>>> thanks
>>> L
>>>
>>>
>> There's nothing you could do with PHP to fix this really, as trying to
>> block IP addresses from there would be expensive for the processor and
>> memory of the server.
>>
>> You could use the cPanel to block access to the offending IP addresses
>> though.
>>
>> Thanks,
>> Ash
>> http://www.ashleysheridan.co.uk
>>
>>
>>
>>
>
> Ok... serious answer. The DoS is either coming from script kiddies
> dumb enough to do it from their own IP, or its coming from a bot-net
> comprised of computers who's owners are morons and don't keep their
> computer secure. Either way, do a WHOIS, reverse DNS query, and
> traceroute on the IPs. You should be able to find the ISPs of the
> attacking systems. Email the ISP tech department with your info and
> let them take care of the offending systems.
>
In my case, in the beginning there were 20-30 different IPs. After they were
blocked there were many more IPs :-(
But I never thought of it that way.
What do I have to send to the ISP? My access log file?
Re: how to prevent a mild DOSS attack?
am 28.11.2009 18:48:12 von aurfalien
On Nov 28, 2009, at 9:24 AM, LAMP wrote:
> LinuxManMikeC wrote:
>> On Wed, Nov 25, 2009 at 3:57 PM, Ashley Sheridan
>> wrote:
>>
>>> On Wed, 2009-11-25 at 16:38 -0600, LAMP wrote:
>>>
>>>
>>>> hi guys,
>>>> this morning I got complains from website owner and tons of
>>>> visitors -
>>>> nobody was able to access the website. it will just timeout.
>>>> I contacted hosting company for more info but they said the
>>>> virtual
>>>> privet server, where the website is, has a lot of traffic and
>>>> 512MB of
>>>> RAM is not enough and I have to make an upgrade to at least 1GB
>>>> etc.
>>>> it does a make a sense.
>>>> though, at 4pm I, nor 10 other people I asked for help, was able to
>>>> access to the website.
>>>> it was a little bit fishy about BIG traffic whole day long (the
>>>> website
>>>> is far from it) and, since I don't have a problem accessing WHM/
>>>> cPanel
>>>> of the server, I downloaded apache access file (stupid, I
>>>> supposed to do
>>>> it in the morning) and found 20-30 IP addresses, repeatedly were
>>>> trying
>>>> to access one (only one) page (something like article.php). and
>>>> they
>>>> were requesting the same page so frequently - nobody else was
>>>> able to
>>>> access to the website. it looked to me like a little DOSS attack
>>>> - where
>>>> attacker wanted just to make the website busy, not to crush the
>>>> server.
>>>> I contacted hosting company again. they said there is nothing
>>>> they can
>>>> do about this- even I'm paying them to manage my virtual server
>>>> (I can
>>>> manage this way by my self too). of course they can if I pay
>>>> extra :-(
>>>>
>>>> now, my question is: is there anything I can do to stop these
>>>> attacks
>>>> using php? something? anything?
>>>>
>>>> thanks
>>>> L
>>>>
>>>>
>>> There's nothing you could do with PHP to fix this really, as
>>> trying to
>>> block IP addresses from there would be expensive for the processor
>>> and
>>> memory of the server.
>>>
>>> You could use the cPanel to block access to the offending IP
>>> addresses
>>> though.
>>>
>>> Thanks,
>>> Ash
>>> http://www.ashleysheridan.co.uk
>>>
>>>
>>>
>>>
>>
>> Ok... serious answer. The DoS is either coming from script kiddies
>> dumb enough to do it from their own IP, or its coming from a bot-net
>> comprised of computers who's owners are morons and don't keep their
>> computer secure. Either way, do a WHOIS, reverse DNS query, and
>> traceroute on the IPs. You should be able to find the ISPs of the
>> attacking systems. Email the ISP tech department with your info and
>> let them take care of the offending systems.
>>
> In my case, on the beginning was 20-30 different IPs. After they are
> blocked there was much more IPs :-(
> But, never was thinking that way.
> What I have to send to ISP? my access log file?
>
>
You can try http://deflate.medialayer.com
- aurf
Re: how to prevent a mild DOSS attack?
am 28.11.2009 18:49:23 von LinuxManMikeC
On Sat, Nov 28, 2009 at 10:24 AM, LAMP wrote:
> LinuxManMikeC wrote:
>
> On Wed, Nov 25, 2009 at 3:57 PM, Ashley Sheridan
> wrote:
>
>
> On Wed, 2009-11-25 at 16:38 -0600, LAMP wrote:
>
>
>
> hi guys,
> this morning I got complains from website owner and tons of visitors -
> nobody was able to access the website. it will just timeout.
> I contacted hosting company for more info but they said the virtual
> privet server, where the website is, has a lot of traffic and 512MB of
> RAM is not enough and I have to make an upgrade to at least 1GB etc.
> it does a make a sense.
> though, at 4pm I, nor 10 other people I asked for help, was able to
> access to the website.
> it was a little bit fishy about BIG traffic whole day long (the website
> is far from it) and, since I don't have a problem accessing WHM/cPanel
> of the server, I downloaded apache access file (stupid, I supposed to do
> it in the morning) and found 20-30 IP addresses, repeatedly were trying
> to access one (only one) page (something like article.php). and they
> were requesting the same page so frequently - nobody else was able to
> access to the website. it looked to me like a little DOSS attack - where
> attacker wanted just to make the website busy, not to crush the server.
> I contacted hosting company again. they said there is nothing they can
> do about this- even I'm paying them to manage my virtual server (I can
> manage this way by my self too). of course they can if I pay extra :-(
>
> now, my question is: is there anything I can do to stop these attacks
> using php? something? anything?
>
> thanks
> L
>
>
>
> There's nothing you could do with PHP to fix this really, as trying to
> block IP addresses from there would be expensive for the processor and
> memory of the server.
>
> You could use the cPanel to block access to the offending IP addresses
> though.
>
> Thanks,
> Ash
> http://www.ashleysheridan.co.uk
>
>
>
>
>
> Ok... serious answer. The DoS is either coming from script kiddies
> dumb enough to do it from their own IP, or its coming from a bot-net
> comprised of computers who's owners are morons and don't keep their
> computer secure. Either way, do a WHOIS, reverse DNS query, and
> traceroute on the IPs. You should be able to find the ISPs of the
> attacking systems. Email the ISP tech department with your info and
> let them take care of the offending systems.
>
>
> In my case, on the beginning was 20-30 different IPs. After they are blocked
> there was much more IPs :-(
> But, never was thinking that way.
> What I have to send to ISP? my access log file?
>
>
>
>
Just the IP and access times so they can match it to their logs from
the same timeframe. Basically filter the pertinent entries from the
log file; you don't have to give them the whole thing. They can match it
to the DHCP or static IP assignments, and possibly even have some traffic
patterns logged. As to whether they'll do anything, that's another
matter. And since so many IPs were hitting you it's probably a botnet
and the users in question aren't the attackers.
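The log filtering discussed in this thread (finding the addresses that hammer one page in the Apache access log, then sending the ISP only the IP and access times), as an added example that is not part of any poster's message. The log lines are constructed, the addresses come from documentation ranges, and the `/article.php` path and the 20-requests-per-minute threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Apache common/combined log prefix: host ident user [time] "METHOD path PROTO" status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<path>\S+)[^"]*" \d{3}')

def parse_line(line):
    """Return (ip, utc_datetime, path_without_query), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    # Normalise to UTC so the times can be matched against logs kept in another zone.
    return m["ip"], ts.astimezone(timezone.utc), m["path"].split("?", 1)[0]

def heavy_hitters(lines, path, max_per_minute):
    """IPs that requested `path` more than max_per_minute times within one clock minute."""
    per_minute = defaultdict(int)
    for ip, ts, p in filter(None, map(parse_line, lines)):
        if p == path:
            per_minute[(ip, ts.replace(second=0))] += 1
    return sorted({ip for (ip, _), n in per_minute.items() if n > max_per_minute})

def abuse_report(lines, path, ips):
    """Per offending IP: hit count plus first and last access time (UTC, ISO 8601)."""
    seen = defaultdict(list)
    for ip, ts, p in filter(None, map(parse_line, lines)):
        if ip in ips and p == path:
            seen[ip].append(ts)
    return {ip: {"hits": len(t), "first": min(t).isoformat(), "last": max(t).isoformat()}
            for ip, t in seen.items()}

def sample_log():
    """Constructed sample: two addresses flooding one page, one ordinary visitor, one bad line."""
    lines = []
    for s in range(0, 60, 2):  # 30 requests inside a single minute from each address
        for ip in ("192.0.2.10", "198.51.100.7"):
            lines.append(f'{ip} - - [25/Nov/2009:16:00:{s:02d} -0600] '
                         '"GET /article.php?id=1 HTTP/1.1" 200 5120')
    lines.append('203.0.113.5 - - [25/Nov/2009:16:00:30 -0600] "GET /article.php?id=2 HTTP/1.1" 200 5120')
    lines.append('203.0.113.5 - - [25/Nov/2009:16:00:45 -0600] "GET /index.php HTTP/1.1" 200 900')
    lines.append("truncated or corrupt line")
    return lines

if __name__ == "__main__":
    log = sample_log()
    offenders = heavy_hitters(log, "/article.php", max_per_minute=20)  # assumed threshold
    for ip, info in sorted(abuse_report(log, "/article.php", set(offenders)).items()):
        print(ip, info["hits"], info["first"], info["last"])
```
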