6

massive DDoS .. need advice / help

linux-howto

http://www.linuxquestions.org – Hi,

My website is being abused and thrown at a massive DDoS attack. The attack is simple: SYN + HTTP flood. Here is a sample of it:

Code:
    Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7 (.NET CLR 3.5.30729)
    Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1
    Host: 85.100.227.159        Http Code: 200        Date: Mar 14 05:08:28        Http Version: HTTP/1.1        Size in Bytes: 3174
    Agent: Opera/9.02 (Windows NT 5.1; U; ru)

Hosts are random, but all the agents have one thing in common: the words "ru" and "rv". It seems like a botnet; I see around 20,000 SYN connections in netstat. I have tried floodmon, apf and all sorts of iptables magic, and none of them are working. I have even tried a Firebox x550e hardware device, and even that goes to its knees. Traffic volume is around 20Mbps, not that much.

What I am doing right now is taking each IP from the apache access_log and netstat output and using iptables to block it, but that is also not helping. apf is also not helping at all. Seems like someone is having fun with PitBull Bot V5 PRiVaTE Sh3llBoT or something similar.

Would love to hear from your experiences, help... anything... I'm stuck...

Goni (HowTos)
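The post describes the manual loop of pulling IPs out of the Apache access_log and netstat output and feeding them to iptables one by one. The script below, added here as an example and not code from the original post or from any of the tools it names, automates the detection half of that loop on the defender's side: it parses Apache combined-format access-log lines, flags source IPs whose request rate in a sliding window exceeds a threshold, tallies User-Agent strings so a small fixed set of bot agents stands out, counts half-open (SYN_RECV) connections per remote address from netstat -ant output, and emits ipset commands instead of one iptables rule per address (thousands of individual iptables rules are slow to match; a hash:ip set with a timeout is the usual replacement). The log and netstat lines are constructed sample data using TEST-NET addresses, and the window, threshold and set name are assumptions.

```python
"""Flag HTTP-flood and SYN-flood sources from access-log and netstat lines.

Added example, not from the original post. Sample data is constructed;
window size, threshold and the ipset name are assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format; the timezone offset is dropped before parsing
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"].split()[0], TS_FMT)
    return rec


def flag_flood_sources(lines, window_s=10, max_requests=5):
    """Return {ip: peak} for IPs with more than max_requests hits in any window_s-second window."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > timedelta(seconds=window_s):
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_requests:
            flagged[ip] = peak
    return flagged


def agent_counts(lines):
    """Count requests per User-Agent string; a botnet usually cycles a short fixed list."""
    return Counter(r["ua"] for r in map(parse_line, lines) if r)


def syn_recv_counts(netstat_lines):
    """Count half-open connections per remote IP from `netstat -ant` output."""
    # columns: Proto Recv-Q Send-Q Local-Address Foreign-Address State
    c = Counter()
    for line in netstat_lines:
        parts = line.split()
        if len(parts) >= 6 and parts[0].startswith("tcp") and parts[5] == "SYN_RECV":
            c[parts[4].rsplit(":", 1)[0]] += 1
    return c


def block_commands(ips, setname="flood_block", timeout=600):
    """Build `ipset add` commands; the set is assumed to exist as `hash:ip` with timeout support."""
    return [f"ipset add {setname} {ip} timeout {timeout}" for ip in sorted(ips)]


# Constructed sample: 192.0.2.10 sends 8 requests in 3 seconds with one of the "ru; rv" agents,
# 192.0.2.20 is a normal visitor with 3 requests spread over a minute.
BOT_UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
SAMPLE_LOG = [
    f'192.0.2.10 - - [14/Mar/2010:05:08:{28 + i // 3:02d} +0000] "GET / HTTP/1.1" 200 3174 "-" "{BOT_UA}"'
    for i in range(8)
] + [
    '192.0.2.20 - - [14/Mar/2010:05:08:00 +0000] "GET / HTTP/1.1" 200 3174 "-" "curl/7.19"',
    '192.0.2.20 - - [14/Mar/2010:05:08:30 +0000] "GET /a HTTP/1.1" 200 120 "-" "curl/7.19"',
    '192.0.2.20 - - [14/Mar/2010:05:09:00 +0000] "GET /b HTTP/1.1" 404 0 "-" "curl/7.19"',
]

# Constructed `netstat -ant` excerpt: four half-open connections from one address
SAMPLE_NETSTAT = [
    "tcp        0      0 198.51.100.1:80         192.0.2.30:51234        SYN_RECV",
    "tcp        0      0 198.51.100.1:80         192.0.2.30:51235        SYN_RECV",
    "tcp        0      0 198.51.100.1:80         192.0.2.30:51236        SYN_RECV",
    "tcp        0      0 198.51.100.1:80         192.0.2.30:51237        SYN_RECV",
    "tcp        0      0 198.51.100.1:80         192.0.2.20:40001        ESTABLISHED",
]

if __name__ == "__main__":
    flooders = flag_flood_sources(SAMPLE_LOG)
    print("HTTP flood sources:", flooders)
    print("Top agents:", agent_counts(SAMPLE_LOG).most_common(2))
    print("SYN_RECV per source:", syn_recv_counts(SAMPLE_NETSTAT))
    for cmd in block_commands(set(flooders) | set(syn_recv_counts(SAMPLE_NETSTAT))):
        print(cmd)
```

Before running this against a live box, create the set once (`ipset create flood_block hash:ip timeout 600`) and reference it from a single rule (`iptables -I INPUT -m set --match-set flood_block src -j DROP`); entries then expire on their own, which matters when, as the post says, the source hosts are random and a permanent per-IP rule list only grows.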