
View Full Version : Help me block a DDoS on my website



haiduongbk
11-04-2011, 10:56
My forum windowsz.net is currently under a very heavy DDoS attack.
I manage it on a VPS.
Please have a look and help me find a way to deal with it.
My log file: http://www.mediafire.com/file/58npqh2d0hlgpq4/access%20log.txt
SSH command:
netstat -an |grep ":80" |awk '{print $5}' | sed s/::ffff://g | cut -d: -f1 |sort |uniq -c |sort -n | tail -1000 | grep -v "0.0.0.0"
And it also only shows connections under 60 per IP:

I really don't know how to identify the attacking IPs and block them with per-IP connection counts like these.
I've installed mod_security, mod_evasive and ConfigServer Security & Firewall (CSF) for protection, but they can't stop it; for now I've put a password on via htaccess as a temporary way in. Please help me.
Thanks

hamteryeu
12-04-2011, 00:37
Try using a firewall that blocks an IP if it accesses more than 3 times/s and see whether that works.

x.broker
12-04-2011, 22:48
Try DnP Firewall for now.

haiduongbk
12-04-2011, 23:15
Try DnP Firewall for now.
Thanks, I tried it. DnP is for vBB 3.8.x, my forum runs vBB 4.1.3, and installing it broke the forum!

Try using a firewall that blocks an IP if it accesses more than 3 times/s and see whether that works.
I use CSF auto-block at just 5 connections; it blocked 207 IPs, all of them foreign.

That reduced the load on the website, but after about 2-3 hours the set of attacking IPs changed and a whole new batch of IPs came in. They GET the file forum.php. I renamed forum.php to fo@rum and used htaccess to redirect the default fo@rum to the designated first index file, and hid that file temporarily; however, they then started GETting content.php. I renamed that file too and thought it was over, but today they came back again with a new method, still GETting the two files forum.php and content.php, but with higher intensity, so the site is still heavily loaded.
I'm now looking into using mod_security with rules that block the attack's GET /forum.php HTTP 1.1 as well as GETs of any other PHP file.
I hope someone can help and support me in writing a rule to refuse these GETs.

93.167.194.251 - - [11/Apr/2011:01:29:04 -0700] "GET /forum.php HTTP/1.1" 401 478 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"
213.0.89.52 - - [11/Apr/2011:01:29:04 -0700] "GET /forum.php HTTP/1.1" 401 478 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"
109.123.111.99 - - [11/Apr/2011:01:29:04 -0700] "GET /forum.php HTTP/1.1" 401 478 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"
91.75.24.162 - - [11/Apr/2011:01:29:04 -0700] "GET /forum.php HTTP/1.0" 401 478 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"
218.56.50.213 - - [11/Apr/2011:01:29:05 -0700] "GET /forum.php HTTP/1.1" 401 478 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"
58.22.151.6 - - [11/Apr/2011:01:29:05 -0700] "GET http://windowsz.net/forum.php HTTP/1.1" 401 478 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"
221.7.145.42 - - [11/Apr/2011:01:29:05 -0700] "GET /forum.php HTTP/1.0" 401 478 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"
93.167.194.251 - - [11/Apr/2011:01:29:05 -0700] "GET /forum.php HTTP/1.1" 401 478 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"
41.190.16.17 - - [11/Apr/2011:01:29:05 -0700] "GET /forum.php HTTP/1.1" 401 478 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"
93.167.194.251 - - [11/Apr/2011:01:29:05 -0700] "GET /forum.php HTTP/1.1" 401 478 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"
217.172.179.50 - - [11/Apr/2011:01:29:05 -0700] "GET /forum.php HTTP/1.1" 401 478 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"
212.26.62.20 - - [11/Apr/2011:01:29:05 -0700] "GET /forum.php HTTP/1.1" 401 478 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"
178.33.26.119 - - [11/Apr/2011:01:29:06 -0700] "GET /forum.php HTTP/1.1" 401 478 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"
200.165.107.34 - - [11/Apr/2011:01:29:06 -0700] "GET /forum.php HTTP/1.1" 401 478 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"
115.78.227.155 - - [11/Apr/2011:01:29:06 -0700] "GET /forum.php HTTP/1.0" 401 478 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"
Thanks everyone

quattichdien.net
13-04-2011, 00:16
Sorry to hear it, mate; I don't have much experience so I can't help, just here to watch.

example
13-04-2011, 00:57
Find some Windows server, point the domain at it, and install KIS on it; DDoS = faith :D

I'm testing right now to see how these KIS things perform X_X

khonggiannet
13-04-2011, 02:39
Try this: https://www.cloudflare.com/
It's a proxy service that can block DoS and reduce the load on the site.

As for experience with DoS protection on a VPS, I'm not well versed; I'm just here watching like the poster above. :D

BMC-Online
13-04-2011, 10:41
If you don't have experience blocking on TCP headers down at the network layer (L3), you can block at L6/7 with apps that can filter HTTP headers.

Judging by the log file, the zombies are exploiting an unpatched IE6 SP1 vulnerability, so to solve this, block HTTP GET/POST requests whose User-Agent contains the string: "CLR 1.0.3705"

Filtering HTTP headers still requires the application to use more CPU than blocking at the TCP header, so it is only effective up to a flood of around 5000 requests/s, 20,000 packets/s, depending on how much CPU the VPS is allocated.

haiduongbk
13-04-2011, 16:52
Thanks for the guidance.
@BMC-Online: Could you explain in more detail? How do I implement that blocking? Please show me!
My VPS:
Intel(R) Xeon(R) CPU L5609 @ 1.87GHz, 8 cores
RAM 2 GB
- I have also configured a mod_security rule set with this content:

# Turn on rule engine and set default action
SecRuleEngine On
SecAuditLog logs/audit.log

SecDataDir /tmp
SecTmpDir /tmp

SecAction "phase:1,t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}"
SecRule REQUEST_URI "^/$" "nolog,phase:1,setvar:ip.ddos=+1,deprecatevar:ip.ddos=5/60,expirevar:ip.ddos=600"
SecRule REQUEST_URI "^/forum\.php$" "nolog,phase:1,setvar:ip.ddos=+1,deprecatevar:ip.ddos=5/60,expirevar:ip.ddos=600"
SecRule REQUEST_URI "^/content\.php$" "nolog,phase:1,setvar:ip.ddos=+1,deprecatevar:ip.ddos=5/60,expirevar:ip.ddos=600"
SecRule REQUEST_URI "^/blog\.php$" "nolog,phase:1,setvar:ip.ddos=+1,deprecatevar:ip.ddos=5/60,expirevar:ip.ddos=600"
SecRule IP:DDOS "@gt 5" "phase:1,log,drop,msg:'DDoS'"
With this rule configuration I have blocked the DDoS and the forum loads fine, but the problem is that RAM keeps creeping up; at this rate it will run out of RAM. It's only a matter of time!!! It still isn't fully solved. The forum's visitor statistics keep rising, 2000 and up.

checksim
13-04-2011, 16:59
I'm here watching how you guys handle it so I can learn!

BMC-Online
13-04-2011, 17:17
Thanks for the guidance, guys.
@BMC-Online: Could you explain in more detail? How do I implement that blocking? Please advise!
My VPS:
Intel(R) Xeon(R) CPU L5609 @ 1.87GHz, 8 cores
RAM 2 GB
- I have also configured a MOD_SECURITY rule set with the following content:

With this rule configuration I have blocked the DDoS and the forum loads fine, but the problem is that RAM keeps creeping up; at this rate it will run out of RAM. It's only a matter of time!!! It still isn't fully solved. The forum's visitor statistics keep rising, 2000 and up.

To avoid php/apache having to do a lot of processing, which eats RAM/CPU, in this case you can install a reverse proxy in front of apache on your VPS, such as nginx or similar, to filter out the requests carrying the USER AGENT analysed above.

That keeps apache running mod_php stable, because it no longer has to accept and process the zombies' requests. The reverse proxy does this job faster and with less RAM/CPU.

ctit_vietnam
13-04-2011, 17:19
Running an L-series CPU like this: Intel(R) Xeon(R) CPU L5609 @ 1.87GHz, 8 cores
At the very least it should be an X or E; the L series is the power-saving family meant only for storage boxes.

cntt.org
13-04-2011, 17:45
Well well, the war against DoS is going to be a long one; Vietnam is getting hammered by the Chinese and Nigerian crowd, the experts should do something!

ly_vina
13-04-2011, 17:53
Pfft.
DDoS uses spoofed IPs.
Hehe, google "flash dantruongx" and how to defend against DDoS; it's very effective.
And example, your defence sounds great, doesn't it. Would it even survive the first wave of a DoS, let alone DDoS and DRDoS (that one is ten thousand times more dangerous)? Actually, I don't think you understand the nature of DoS and DDoS.
No offence intended.

haiduongbk
14-04-2011, 17:26
Thanks for your opinions on how to fix it. Right now my forum is more or less under control, though it still runs heavily because apache is doing a lot of processing and RAM usage stays high.
I'm using a Mod_security rule set with the following content:

# Turn on rule engine and set default action
SecRuleEngine On
SecAuditLog logs/audit.log

SecDataDir /tmp
SecTmpDir /tmp

SecAction "phase:1,t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}"
SecRule REQUEST_URI "^/$|^/forum\.php$|^/content\.php$|/blog\.php$" "nolog,phase:1,setvar:ip.ddos=+1,deprecatevar:ip.ddos=2/60,expirevar:ip.ddos=1200"
SecRule IP:DDOS "@gt 2" "phase:1,log,drop,msg:'DDoS'"
With the code above, it blocks every IP that requests the addresses "^/$|^/forum\.php$|^/content\.php$|/blog\.php$" more than 2 times per minute ("@gt 2" + "deprecatevar:ip.ddos=2/60") and keeps it blocked for 1200 s: expirevar:ip.ddos=1200

@BMC-Online: you have a point. Blocking on a USER AGENT containing the keyword CLR 1.0.3705 is also an option; I'll look into it. Thanks.
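As an added example (not any poster's configuration), this nginx.conf fragment implements BMC-Online's reverse-proxy suggestion above together with the same per-IP limit on the entry pages as the mod_security rule in this post. It assumes Apache has been moved to 127.0.0.1:8080 and uses a placeholder server name; the events block is omitted. Keep in mind the thread's own caveat that the User-Agent filter also stops genuine IE6 users sending that CLR string.

```nginx
# Added example, not a poster's config. nginx in front of Apache:
# (1) close connections whose User-Agent carries the zombie signature
#     seen in the access log ("CLR 1.0.3705");
# (2) rate-limit the entry pages per client IP, like the SecRule set.
# Assumptions: Apache listens on 127.0.0.1:8080; server_name is a placeholder.
http {
    # $bot_ua is 1 when the User-Agent matches the signature, else 0.
    map $http_user_agent $bot_ua {
        default            0;
        "~CLR 1\.0\.3705"  1;
    }

    # One token bucket per client address for the attacked URIs:
    # 2 requests per minute, the same budget as the rule's 2/60.
    limit_req_zone $binary_remote_addr zone=entrypages:10m rate=2r/m;

    upstream apache_backend {
        server 127.0.0.1:8080;
    }

    server {
        listen 80;
        server_name example.invalid;   # placeholder

        # Drop the connection without a reply (nginx-specific code 444),
        # so Apache/mod_php never sees the zombie request.
        if ($bot_ua) {
            return 444;
        }

        # Same URI set as the SecRule: "/" and the three .php entry pages.
        # A small burst lets a real page load through; excess gets 503.
        location ~ ^/((forum|content|blog)\.php)?$ {
            limit_req zone=entrypages burst=5 nodelay;
            proxy_pass http://apache_backend;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
        }

        # Everything else (threads, static files) is proxied unthrottled.
        location / {
            proxy_pass http://apache_backend;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
        }
    }
}
```

With nginx in front, Apache sees 127.0.0.1 as the client, so a SecRule keyed on %{remote_addr} would count every visitor as one address; the per-IP limit has to live in nginx (as here) or key on the X-Forwarded-For header instead.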

thaidesign
15-04-2011, 10:30
Find some Windows server, point the domain at it and install KIS on it; DDoS = faith :D,

Currently testing how these KIS things actually perform X_X

Under a strong DDoS, KAS just hangs itself :lick:

Talking about KAS Workstation :boxing:

hungkyo
16-04-2011, 01:29
I'd say, put an .html file on the host; when you spot an IP doing DoS, redirect it there to boost the site's rank a bit.
But personally, when I browse the web I open a dozen tabs at once and read them gradually, so if I visited your site I'd probably get blocked T.T .. Moreover, can you rely on the user agent? If I hit your site with a Google user agent, would you still want to be indexed by Google? Looks like a tough one. For now, while you're being DoSed, just give the site a few days' rest.. the law may be a foot high, but the devil is dozens of fathoms higher. :emlaugh:
Or else, if you want to sell that pile of "juicy traffic", just say the word and I'll buy it to DoS someone else :-)) PM me. :w00t:

haiduongbk
19-04-2011, 13:54
I'd say, put an .html file on the host; when you spot an IP doing DoS, redirect it there to boost the site's rank a bit.
But personally, when I browse the web I open a dozen tabs at once and read them gradually, so if I visited your site I'd probably get blocked T.T .. Moreover, can you rely on the user agent? If I hit your site with a Google user agent, would you still want to be indexed by Google? Looks like a tough one. For now, while you're being DoSed, just give the site a few days' rest.. the law may be a foot high, but the devil is dozens of fathoms higher. :emlaugh:
Or else, if you want to sell that pile of "juicy traffic", just say the word and I'll buy it to DoS someone else :-)) PM me. :w00t:
The mechanism here blocks repeated connections hammering one address, not the whole site, so you can open many posts at once without any trouble; real users open them that way, while a DDoS auto-attack hits one specific address many times, which is different.
- User-agent isn't feasible; blocking on it would block the wrong people.
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)
If you block that, IE6 users won't be able to get in, or Windows NT, ... In general DDoS is a headache,
- My site is now under an intensified attack. Left alone for a while it hangs, so I've put a temporary firewall in place and a cronjob that restarts apache every 5 minutes; ugh, those guys are a pain, still attacking that file, heavy SYN FLOOD. Sigh.
Does any expert have a workable plan?