
hacking problems, smc staff alert

Started by Animes, August 16, 2005, 01:54:29 AM


Animes

Hi guys

I am having problems with a hacker. For 15 or more days I have been attacked by some stupid hacker. I am very sure that he is using some kind of script that can get free IPs each day, or maybe it is a virus that is infecting new servers every day. The guy just loads the index.php page 100 times per second or more with at least 2 or 3 different IPs, resulting in a total overload of the server, and I can't even get control until I reset and delete or rename the index.php page; then the server recovers all its functions, but of course that leaves my SMF forum totally unavailable.

I even have a program that checks every 3 minutes whether I am having more than 40 connections from the same IP and then tells my firewall to ban him, but the problem is that this guy attacks every 5 or 6 hours; it seems that is what it takes him to get new IPs. I am very sure that he is using a script or a virus because the IPs come from all kinds of servers and service providers; also, if he had to reach IPs manually or attack manually he would have quit a week ago. I hope someone knows what this guy is using and that SMF staff can help; my fear is that if that virus or script starts to spread, soon all the SMF forums will get attacked.


hope you can help me

Fizzy

He could be using an anonymizer or a list of proxy IPs.

Deny him access using .htaccess or redirect his attacks back towards his own IP number.
"Reality is merely an illusion, albeit a very persistent one." - A.E.


Animes

I can't ban all the IPs that he uses manually; right now the program that bans IPs has like 50 in the registry and each day bans more. Attacking back at other servers would make more problems for me if those servers think that I am an attacker.

Fizzy

Then you might like to consider something like this

http://www.cert.org/tech_tips/denial_of_service.html#4

Can you reduce the flood parameter of 3 minutes to a lower figure? That seems an awful long time to recognise and ban a nuke attack.

At the rate of 100 times per second I would only allow a single second before denying access. I don't know of any legitimate resource that would draw on 100 hits per second. If he only manages to disrupt the server for a single second every 5 hours, that wouldn't be so bad.
"Reality is merely an illusion, albeit a very persistent one." - A.E.
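A detector along the lines Fizzy suggests, measuring the flood over a one-second sliding window instead of a three-minute poll. This is an added example, not code from the thread or from SMF; the log lines are constructed, the 100-hits threshold is taken from the first post, and the iptables command is an assumption about the firewall in use.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache combined-log prefix: client IP, identd, user, then [timestamp].
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def flag_flooders(lines, max_hits=100, window_s=1.0):
    """Return {ip: timestamp string of the request that crossed the line}
    for every client exceeding max_hits requests in a window_s-second
    sliding window.  Lines must be in log (chronological) order."""
    recent = defaultdict(deque)      # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                 # malformed line: skip, never crash the monitor
        ip, raw_ts = m.group(1), m.group(2)
        ts = datetime.strptime(raw_ts, TS_FMT)
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()              # drop hits older than the window
        if len(q) > max_hits and ip not in flagged:
            flagged[ip] = raw_ts
    return flagged

def ban_commands(flagged):
    """Firewall rules for review (assumes iptables; nothing is executed here)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(flagged)]

# Constructed sample: 300 hits on index.php from one client across two
# seconds, one ordinary visitor, and one malformed line.
SAMPLE = [
    f'10.0.0.9 - - [16/Aug/2005:01:54:{29 + i // 150} +0000] '
    '"GET /index.php HTTP/1.0" 200 512'
    for i in range(300)
]
SAMPLE.append('192.0.2.7 - - [16/Aug/2005:01:54:29 +0000] "GET /index.php HTTP/1.0" 200 512')
SAMPLE.append('not a log line')

if __name__ == "__main__":
    floods = flag_flooders(SAMPLE)
    print(floods)                    # {'10.0.0.9': '16/Aug/2005:01:54:29 +0000'}
    for cmd in ban_commands(floods):
        print(cmd)
```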


Animes




# Blacklist pattern for Apache 2.2: allow everyone, then deny the listed hosts.
# The original line here was "order deny", which is not a valid argument
# (Order takes allow,deny or deny,allow); Apache then rejects the whole
# .htaccess and every page errors. With Allow,Deny a matching Deny wins.
<Limit GET POST PUT DELETE>
Order Allow,Deny
deny from 207.218.223.130
deny from 148.221.238.39
deny from 202.101.47.20
deny from 217.115.140.12
deny from 217.172.186.182
deny from 200.31.79.70
deny from 201.240.78.35
deny from 80.67.17.8
deny from 70.84.80.194 
deny from 140.129.142.215
deny from 66.152.98.52
deny from 200.29.21.2
deny from 212.227.83.214
deny from 148.233.10.12
deny from 148.221.238.143
deny from 212.50.192.202
deny from 201.144.61.227
deny from 148.241.2.17
deny from 169.252.4.21
deny from 200.104.192.164
deny from 24.211.225.41 
deny from 216.193.201.57
deny from 201.230.37.166
deny from 82.128.195.223
deny from 201.133.56.172
deny from 201.128.218.105
deny from 61.222.7.56
deny from 61.219.155.137
deny from 211.72.213.93
deny from 61.222.152.42
deny from 82.103.129.176
deny from 69.72.193.10       
deny from 202.94.33.62
deny from 216.229.180.19
deny from 216.32.64.6
deny from 211.23.199.177
deny from 66.152.98.54
deny from 66.152.98.51
deny from 66.73.49.13
deny from 66.225.202.243
deny from 62.73.58.153
deny from 80.231.1.186
deny from 66.152.98.53
deny from 72.36.158.242
deny from 70.84.223.130
deny from 213.239.197.243
deny from 192.100.180.250
deny from 64.191.63.197
deny from 69.60.120.4   
deny from 62.73.58.152 
deny from 69.60.120.3   
deny from 217.67.233.247
deny from 216.32.64.5
deny from 200.27.183.170
deny from 201.133.130.83
allow from all
</Limit>


when I put this I can't access any part of the website, what is wrong?



if you know how to stop this please help me
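The symptom Animes describes is what `order deny` produces: Apache's Order directive only accepts allow,deny or deny,allow, so an invalid argument makes Apache reject the whole .htaccess and every request errors. The small model below, an added example and not Apache's code or anything from the thread, reproduces the documented three-step evaluation of Order to show why Deny,Allow plus "allow from all" would still admit the banned hosts while Allow,Deny blocks them; the two IPs are taken from the posted list and the prefix matching is a simplification.

```python
def _matches(client_ip, rule):
    """'all' matches everything; otherwise exact IP or a dotted prefix
    such as '66.152.98' (Apache's partial-address form, simplified)."""
    if rule == "all":
        return True
    return client_ip == rule or client_ip.startswith(rule.rstrip(".") + ".")

def is_allowed(order, allows, denies, client_ip):
    """Apache 2.2 mod_authz_host semantics for Order / Allow / Deny."""
    order = order.lower().replace(" ", "")
    allowed = any(_matches(client_ip, r) for r in allows)
    denied = any(_matches(client_ip, r) for r in denies)
    if order == "allow,deny":
        # An Allow must match, then any Deny match rejects; unmatched is denied.
        return allowed and not denied
    if order == "deny,allow":
        # A Deny rejects unless an Allow also matches; unmatched is allowed.
        return allowed or not denied
    # Anything else (e.g. the post's "order deny") is a config error in Apache.
    raise ValueError(f"Order takes 'allow,deny' or 'deny,allow', not {order!r}")

BANNED = ["207.218.223.130", "66.152.98.52"]   # two entries from the posted list

def posted_config_allows(client_ip):
    """The posted block made syntactically valid as Deny,Allow: the final
    'allow from all' matches every client, so nobody is actually banned."""
    return is_allowed("deny,allow", ["all"], BANNED, client_ip)

def fixed_config_allows(client_ip):
    """Blacklist form that works: Order Allow,Deny, Allow from all, Deny from X."""
    return is_allowed("allow,deny", ["all"], BANNED, client_ip)

if __name__ == "__main__":
    for ip in ("207.218.223.130", "192.0.2.1"):
        print(ip, "posted:", posted_config_allows(ip), "fixed:", fixed_config_allows(ip))
```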

NoRad

I use a professional grade hardware firewall in front of my servers in the colo room to stop attacks like this. Are you on a shared server or do you manage your own setup?

Animes


NoRad

Well, a good firewall should detect the DoS attempt and block it. http://www.pfsense.com/
