Need help badly with dDos attack

New Member Joined: Aug 30, 2004 Posts: 3

Hello, I was wondering if anyone could help me with something, I’m having this problem with my server since last one month

The problem is it gets attacked on port 80 may be with some kind of DoS attack, with thousand or hundred of spoofed IP’s and around 500 hits per second, apache starts taking too much resources and it takes the box down and so is mysql coz the site is database driven site running on phpnuke, it happens only with one of my site if I close that site , it gets ok.

The apache error log flood with these entries

[Thu Aug 19 13:39:31 2004] [error] [client 64.83.77.78] (13)Permission denied: access to / failed because search permissions are missing on a component of the path

[Thu Aug 19 13:39:31 2004] [error] [client 64.83.77.78] (13)Permission denied: access to / failed because search permissions are missing on a component of the path

[Thu Aug 19 13:39:31 2004] [error] [client 200.56.224.5] (13)Permission denied: access to / failed because search permissions are missing on a component of the path

[Thu Aug 19 13:39:31 2004] [error] [client 200.56.224.5] (13)Permission denied: access to / failed because search permissions are missing on a component of the path

[Thu Aug 19 13:39:32 2004] [error] [client 200.57.151.145] (13)Permission denied: access to / failed because search permissions are missing on a component of the path

Or the access log like this

203.41.31.251 - - [01/Sep/2004:10:39:52 -0500] "GET / HTTP/1.1" 302 5 "-"
"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5b; MultiZilla v1.5.0.2g)
Gecko/20030827"

194.29.202.243 - - [01/Sep/2004:10:39:52 -0500] "GET / HTTP/1.1" 302 5 "-"
"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5b; MultiZilla v1.5.0.2g)
Gecko/20030827"

217.160.206.25 - - [01/Sep/2004:10:39:53 -0500] "GET / HTTP/1.1" 302 5 "-"
"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5b; MultiZilla v1.5.0.2g)
Gecko/20030827"

210.21.203.229 - - [01/Sep/2004:10:39:53 -0500] "GET / HTTP/1.1" 302 5 "-"
"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5b; MultiZilla v1.5.0.2g)
Gecko/20030827"

I thought my dedicated server is not capable of managing these kind of attacks as I’m not an expert server administrator, I tried to change hosting to z3.com’s server, but it happened on the first day and they had to suspend my account then again I tried webhostfreaks.com and they even couldn’t manage it and suspended the account, now I don’t have a clue what to do just trying to find some expert linux guru to solve this problem, though the guys from webhostfreaks told me no guru can defend this kind of attack but I guess its not the end of the world there must be some cure for this.

and now the attacks are even faster, if they start they take the box down in 2 or 3 minutes and load average goes upto 150, i tried mod_rewrite to redirect those attacks didnt work, i tried mod_dosevasive it wast effective either, anyone have a clue what could be the solution for this ? i'm even ready to pay for the support if anyone gonna help me with this