
How to tell if you're under DDOS attack?

Discussion in 'Server Configuration and Hosting' started by NeoCHI, Jul 12, 2014.

  1. NeoCHI

    NeoCHI Active Member

    I'm very inexperienced with serverside stuff but have noticed my dedicated server gets slammed on a daily basis:

    http://xenforo.com/community/threads/help-optimizing-mysql-high-server-load.75790/
    http://xenforo.com/community/threads/consistent-deadlock.77605

    Here's my server specs:
    • Intel Xeon Quad Core, 2.5GHz (8 threads)
    • 250 Mbps Uplink
    • 4 GB High Performance RAM
    • 1,000 GB RAID-1 Drives
    • 15 TB Bandwidth
    I usually have around 1k users online.

    The only reason that I suspect I'm under attack (other than the slowdowns) is that I see the following:

    Code:
    IP address        Attempts  Account (service)                     Timestamp            Expiration
    (note for every row: Large number of attempts from this IP)
    193.107.16.206    9         root (system)                         2014-07-11 13:19:23  2014-07-25 13:19:23
    95.6.72.152       4         web (system)                          2014-07-11 11:26:43  2014-07-25 11:26:43
    180.106.162.77    4         appinvasion (system)                  2014-07-11 06:13:01  2014-07-25 06:13:01
    112.162.67.241    3         Administrator@appinvasion.com (ftp)   2014-07-11 04:35:36  2014-07-25 04:35:36
    37.159.188.90     3         zb (smtp)                             2014-07-11 03:01:36  2014-07-25 03:01:36
    188.85.36.46      3         utilisateur (smtp)                    2014-07-11 02:21:30  2014-07-25 02:21:30
    118.97.191.156    4         usuario (smtp)                        2014-07-11 02:12:19  2014-07-25 02:12:19
    180.250.80.237    3         trisha (smtp)                         2014-07-11 02:02:33  2014-07-25 02:02:33
    212.174.252.130   3         testen (smtp)                         2014-07-11 01:43:33  2014-07-25 01:43:33
    46.171.143.94     3         tech (smtp)                           2014-07-11 01:24:05  2014-07-25 01:24:05
    162.255.182.201   3         ftpuser (system)                      2014-07-11 01:05:48  2014-07-25 01:05:48
    111.74.238.99     3         root (system)                         2014-07-11 00:56:43  2014-07-25 00:56:43
    196.28.31.245     4         stephanie (smtp)                      2014-07-11 00:55:13  2014-07-25 00:55:13
    105.236.161.111   4         stephanie (smtp)                      2014-07-11 00:54:56  2014-07-25 00:54:56
    117.21.226.206    3         root (system)                         2014-07-11 00:50:51  2014-07-25 00:50:51
    180.166.96.38     4         sophie (smtp)                         2014-07-11 00:35:36  2014-07-25 00:35:36
    89.216.21.136     3         sophie (smtp)                         2014-07-11 00:35:01  2014-07-25 00:35:01
    117.21.225.58     3         root (system)                         2014-07-11 00:27:29  2014-07-25 00:27:29
    117.21.226.69     3         root (system)                         2014-07-10 23:46:48  2014-07-24 23:46:48
    202.109.143.18    3         root (system)                         2014-07-10 23:44:58  2014-07-24 23:44:58
    ...
    
    within the Login/Brute History Report in cPHulk Brute Force Protection in my WHM. Am I under attack?

    If so, what should I do (please give simple instructions, I'm not very server savvy)?
     
  2. The Forum Heroes

    The Forum Heroes Well-Known Member

    Looks like a brute attack from the above log. Between cPHulk and enabling CSF firewall, it should ban all large failed login attempts
     
  3. NeoCHI

    NeoCHI Active Member

    How would I know if I'm under ddos attack?

    Do I have to worry about brute force?
     
  4. DaveM

    DaveM Well-Known Member

  5. NeoCHI

    NeoCHI Active Member

  6. DaveM

    DaveM Well-Known Member

  7. Walter

    Walter Well-Known Member

    If you were facing a DDOS, your site would be down, it's as simple as that.

    What you see in the logs is not a DDOS attack but automated scripts trying to log in to your system. This has been common for ten years. Enable CSF as a first step as you have been told, learn to harden your system or talk to a server expert.
     
  8. NeoCHI

    NeoCHI Active Member

    My site doesn't go down but it does hit major slowdowns for unknown reasons.

    So how exactly do you tell if you're under DDOS attack?

    Also, how would I go about finding a server expert?
     
  9. Tracy Perry

    Tracy Perry Well-Known Member

  10. WSWD

    WSWD Well-Known Member

    No...your site would not necessarily be down from a DDoS attack. Small scale ones will do absolutely nothing. Really good servers/connections can even handle some of the moderate ones. Normally takes a pretty good size attack to shut a site down completely. Slowdowns are a definite possibility though. What you are seeing in that log, as has been mentioned, is some form of brute force/dictionary attack, attempting to discover the root password for your system. Assuming you have taken the appropriate security precautions, they are nothing to worry about, as those IPs will simply be blocked. Happens probably billions of times a day to servers on the Internet.

    The slow downs could be from anything. You should be able to view your bandwidth usage, to get an idea of whether or not you are experiencing a DDoS attack. Here's what one small scale one looked like a couple weeks ago on one of our servers:

    [attached image: ddos.png, bandwidth graph of the attack]

    You can easily see the incoming vs. the outgoing bandwidth. Was getting 250-300 Mbps inbound traffic from thousands of computers/servers around the world. You would very likely see something similar. You can also use iftop and iptraf to see the inbound connections to your server. Those two tools are VERY helpful when it comes to identifying and mitigating DDoS attacks.

    Aside from that, the slowdowns could be absolutely anything. Have you tried running top when the slowdowns occur? If not, I suggest you do that and post the results here.
     
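To check WSWD's reading of the report against the numbers, here is an added Python example (not from the thread, cPanel or any poster) that splits the cPHulk rows exactly as NeoCHI pasted them, where the column separators were lost, and tallies sources, attempts per source and services targeted. The column names and the reading of the second date as the entry's expiration are my assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# One row of the WHM > cPHulk "Login/Brute History Report" as pasted in the
# thread: the separators were lost, so "<ip><attempts>" and "<ip><timestamp>
# <expiration>" run together; the fixed-width timestamp splits the second copy.
ROW = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){2}\.)(\d+) failed login attempts to account "
    r"(\S+) \((\w+)\) -- [^:]*: (\d{1,3}(?:\.\d{1,3}){3})"
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})$"
)
TS = "%Y-%m-%d %H:%M:%S"
# Five rows copied from the report in the thread (not constructed).
SAMPLE = """\
193.107.16.2069 failed login attempts to account root (system) -- Large number of attempts from this IP: 193.107.16.2062014-07-11 13:19:232014-07-25 13:19:23
95.6.72.1524 failed login attempts to account web (system) -- Large number of attempts from this IP: 95.6.72.1522014-07-11 11:26:432014-07-25 11:26:43
112.162.67.2413 failed login attempts to account Administrator@appinvasion.com (ftp) -- Large number of attempts from this IP: 112.162.67.2412014-07-11 04:35:362014-07-25 04:35:36
37.159.188.903 failed login attempts to account zb (smtp) -- Large number of attempts from this IP: 37.159.188.902014-07-11 03:01:362014-07-25 03:01:36
111.74.238.993 failed login attempts to account root (system) -- Large number of attempts from this IP: 111.74.238.992014-07-11 00:56:432014-07-25 00:56:43
""".splitlines()


def parse_row(line):
    """Split one fused row into fields; return None if it does not match."""
    m = ROW.match(line.strip())
    if not m:
        return None
    prefix, fused, account, service, ip, logged, expires = m.groups()
    # The second copy of the IP is unambiguous; strip its last octet from the
    # fused "<last octet><attempts>" field to recover the attempt count.
    last = ip.rsplit(".", 1)[1]
    if prefix + last != ip or not fused.startswith(last) or len(fused) == len(last):
        return None
    return {"ip": ip, "attempts": int(fused[len(last):]), "account": account,
            "service": service, "logged": datetime.strptime(logged, TS),
            "expires": datetime.strptime(expires, TS)}

def summarize(lines):
    """Figures that separate many sources with a few tries each (the background
    scanning described in the thread) from one source hammering an account."""
    rows = [r for r in map(parse_row, lines) if r]
    per_ip = Counter()
    for r in rows:
        per_ip[r["ip"]] += r["attempts"]
    return {"rows": len(rows), "unique_ips": len(per_ip),
            "max_attempts_one_ip": max(per_ip.values(), default=0),
            "by_service": dict(Counter(r["service"] for r in rows)),
            "accounts": sorted({r["account"] for r in rows})}
```

On the pasted rows every source stops after a handful of tries and the entries age out after 14 days, which is the low-rate, many-source pattern the replies describe, not a volumetric flood; the bandwidth graph and iftop view WSWD mentions are the checks for that.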
  11. erich37

    erich37 Well-Known Member
