Last Sunday morning when I checked my mail I found many emails saying forums hosted under www.phpbbweb.com were down. I checked and found the sites were not accessible. On checking the server, there were a lot of requests to one web site. The requests looked like:
84.236.177.78 - - [08/Jun/2008:15:07:18 +0000] "GET / HTTP/1.1" 200 151 "-" "Mozilla/4.0 (compatible)"
84.236.177.78 - - [08/Jun/2008:15:07:18 +0000] "GET / HTTP/1.1" 200 151 "-" "Mozilla/4.0 (compatible)"
195.210.194.68 - - [08/Jun/2008:15:07:18 +0000] "GET / HTTP/1.1" 200 151 "-" "Mozilla/4.0 (compatible)"
84.236.177.78 - - [08/Jun/2008:15:07:18 +0000] "GET / HTTP/1.1" 200 151 "-" "Mozilla/4.0 (compatible)"
78.22.3.124 - - [08/Jun/2008:15:07:18 +0000] "GET / HTTP/1.1" 200 151 "-" "Mozilla/4.0 (compatible)"
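To tell a flood like this apart from one misbehaving client in the access log, here is an added example (not from the original post) that parses Apache combined-format lines and flags any second in which an identical request and user agent arrive from many distinct addresses. The thresholds, the function names and the sample addresses are assumptions; the sample log is constructed.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" log line, the format of the excerpt above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["second"] = rec["ts"].split(" ")[0]  # "08/Jun/2008:15:07:18", zone dropped
    return rec

def flood_report(lines, min_hits=20, min_ips=10):
    """Bucket requests by (second, request line, user agent) and flag buckets that
    exceed both a hit count and a distinct-source count. Many sources sending one
    identical request in the same second is the shape of the flood above; a single
    hammering client trips only the hit threshold and can simply be firewalled."""
    hits, sources = Counter(), defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the scan
        key = (rec["second"], rec["req"], rec["ua"])
        hits[key] += 1
        sources[key].add(rec["ip"])
    return [
        {"second": k[0], "request": k[1], "user_agent": k[2],
         "hits": n, "distinct_ips": len(sources[k])}
        for k, n in hits.items()
        if n >= min_hits and len(sources[k]) >= min_ips
    ]

# Constructed sample log (private/documentation addresses, not real sources): 30 bot
# hits from 30 addresses in one second, 25 hits from one client, two normal requests.
FLOOD = [f'10.0.0.{i} - - [08/Jun/2008:15:07:18 +0000] "GET / HTTP/1.1" 200 151 "-" "Mozilla/4.0 (compatible)"'
         for i in range(1, 31)]
ONE_CLIENT = ['198.51.100.7 - - [08/Jun/2008:15:07:18 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "curl/7.18.0"'] * 25
NORMAL = [
    '192.0.2.10 - - [08/Jun/2008:15:07:18 +0000] "GET /viewtopic.php?t=42 HTTP/1.1" 200 8213 "http://example.com/" "Mozilla/5.0 (X11; Linux)"',
    '192.0.2.11 - - [08/Jun/2008:15:07:19 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 5.1)"',
]
SAMPLE_LOG = FLOOD + ONE_CLIENT + NORMAL
```

Run `flood_report(SAMPLE_LOG)` to see only the 30-address bucket reported; the single hammering client is left for ordinary per-IP blocking.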
I tried to block the IPs with the firewall, but couldn't because there were too many IPs. I had never faced such a DDoS; in most cases the data center has DDoS protection and will prevent such an attack. This server is at LayeredTech, and it seems they don't have the facility to stop a DDoS attack.
It seems the attacker has a lot of infected computers all over the world waiting for his commands.
I kept Apache stopped for some time, then tried changing the IP of the web site to a new one. That worked for a while, then the attack started coming to the new IP address.
Looking at MySQL usage, I found which site was getting attacked. So I changed the A record for that subdomain to 127.0.0.1 and that stopped the attack. The rest of the sites started working properly.
I got a mail from the hacker saying
if you want the http flood to stop, remove sswatch.phpbbweb.com & do not give them a backup
I did not reply to him. I wanted to see if he would attack again, so I put the site back online, but this time I set up lighttpd in proxy mode on a different server that I did not use (a cancelled server with all sites moved out). After a few hours he started attacking the new server. I just disabled the proxy so the attack would not be sent to the real server. I tried to stop the attack, but later found it is impossible to block all these IPs.
I kept lighttpd running with a simple HTML page; it won't cause any server load as it is lighttpd and the page is static with a few bytes of content.
After some hours the server was unreachable for a while, so I checked bandwidth usage: the incoming attack was above 5 Mbps.
Then I stopped playing with the attack by pointing the IP of the site to 127.0.0.1 and taking the IP that was being attacked down with
ifdown eth0:1
So the attacker wins with his bots.
To kill his bots, someone needs to find one of his bots, find out how it connects to the master, and kill the master; mostly it will be connecting to an IP owned by the attacker.
Someone should take efforts to stop the spreading of the bots and their use to attack web sites.