The DDoS!

It's been a couple of days that maxgrab.org has been getting continuous DDoS! I got a mail from my hosting provider that they won't be able to support us any more b/c of their server being torn down because of the DDoS.. duhhhh we had to move and now we are on some hosting St0L3n provided me.

At first they promised to give us root but they didn't !! Anyways, “if it's free, take it, whatever it is”. 😉 They provided us with ssh access though, so as soon as I restored it the attack started once again. I was looking over the access log and found a particular pattern in the requests:

ip70-171-112-215.no.no.cox.net - - [15/Feb/2008:12:02:25 +0000] "GET /index.php HTTP/1.1" 200 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

Erm!! It makes me wonder how I can stop it with limited power in my hands. Fired up Google and took a look over .htaccess: it allows you to ban an IP, so how about adding the DDoSers' IPs on the fly..

So what I did was to add a file named filter.php above index.php.

This is how it looks:

<?php

class Filter {

    private $RequestString;
    private $RequestType;
    private $RequestUseragent;
    private $ReqStrmatch = false;
    private $ReqTypematch = false;
    private $Requsermatch = false;

    // ereg() was removed in PHP 7, so preg_match() is used instead.
    // '#' is the delimiter because the patterns themselves contain '/'.
    private function matches($pattern, $value) {
        return preg_match('#' . $pattern . '#', $value) === 1;
    }

    // Requested String matched the pattern
    function FilterRequestString() {
        $rcvReqstring = $_SERVER['REQUEST_URI'] ?? '';
        if ($this->matches($this->RequestString, $rcvReqstring))
            $this->ReqStrmatch = true;
    }

    // Requested Type matched the pattern
    function FilterRequestType() {
        $rcvReqstring = $_SERVER['REQUEST_METHOD'] ?? '';
        if ($this->matches($this->RequestType, $rcvReqstring))
            $this->ReqTypematch = true;
    }

    // Requested Useragent matched the pattern (the header may be absent)
    function FilterRequestUseragent() {
        $rcvReqstring = $_SERVER['HTTP_USER_AGENT'] ?? '';
        if ($this->matches($this->RequestUseragent, $rcvReqstring))
            $this->Requsermatch = true;
    }

    // Filter Constructor.
    function __construct($ReqString, $ReqType, $ReqUseragent) {
        $this->RequestString = $ReqString;
        $this->RequestType = $ReqType;
        $this->RequestUseragent = $ReqUseragent;
    }
    // — Constructor

    function FilterIT() {
        $this->FilterRequestString();
        $this->FilterRequestType();
        $this->FilterRequestUseragent();
        if (($this->ReqStrmatch) && ($this->ReqTypematch) && ($this->Requsermatch)) {
            // if we are here we got a bad bad request.!
            $this->block($_SERVER['REMOTE_ADDR']);
        }
        return;
    }

    function block($ip) {
        // Only a valid IP address may be written into .htaccess.
        if (filter_var($ip, FILTER_VALIDATE_IP) === false)
            return;
        $array = file(".htaccess");
        if ($array === false)
            return;
        // Take off the last line (the closing </Limit>), add the rule, put it back.
        $a = array_pop($array);
        array_push($array, "deny from " . $ip);
        array_push($array, $a);
        // Trim whitespace from each line (i.e., array element).
        $array = array_map('trim', $array);
        // Remove duplicate lines.
        $array = array_unique($array);
        // Join the lines, separated by "\n", into a single string.
        $data = implode("\n", $array) . "\n";
        // Write the string into .htaccess; LOCK_EX keeps concurrent requests
        // from interleaving their writes.
        file_put_contents(".htaccess", $data, LOCK_EX);
    }
}

$abc = new Filter('^/index\.php$', 'GET', '^Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)$');
$abc->FilterIT();

?>

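Now as soon as a request arrives it gets filtered, and if it is from one of the DDoSers' IPs, that IP gets added to the .htaccess file.

Keep in mind that block() inserts the new rule just before the last line of the file, so the .htaccess should be structured like this, with </Limit> as its final line:

<Limit GET POST>
order allow,deny
allow from all
deny from abc.com
</Limit>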

This is the best I can do !! but again.. no hardcore solution available yet!
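
An added example, not part of the original post: the filter above blocks an address on a single request that matches the signature, and the matched User-Agent is a stock Internet Explorer 6 on Windows XP string, so ordinary visitors can match it too. One way to cut false positives is to count signature hits per client in the access log and emit deny rules only above a rate threshold. The threshold, window, function names and sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log format, as in the log line quoted in the post.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<agent>[^"]*)"$')
# Signature from the post: GET /index.php with this exact User-Agent.
SIGNATURE = ("GET", "/index.php", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)")

def flooders(lines, threshold=5, window=timedelta(seconds=10)):
    """Clients with at least `threshold` signature hits inside one `window`."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and (m["method"], m["uri"], m["agent"]) == SIGNATURE:
            hits[m["client"]].append(
                datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    flagged = []
    for client, stamps in hits.items():
        stamps.sort()
        # Slide over the sorted timestamps: any `threshold` consecutive hits
        # that fit inside the window mark the client as a flooder.
        if any(stamps[i + threshold - 1] - stamps[i] <= window
               for i in range(len(stamps) - threshold + 1)):
            flagged.append(client)
    return sorted(flagged)

def deny_rules(clients):
    """Build 'deny from' lines, keeping only values that parse as IP addresses."""
    rules = []
    for client in clients:
        try:
            rules.append(f"deny from {ipaddress.ip_address(client)}")
        except ValueError:
            continue  # hostname or malformed field: never copied into .htaccess
    return rules

def _line(ip, sec, agent=SIGNATURE[2]):
    return (f'{ip} - - [15/Feb/2008:12:02:{sec:02d} +0000] '
            f'"GET /index.php HTTP/1.1" 200 - "-" "{agent}"')

# Constructed sample log (documentation IP ranges), not data from the post.
SAMPLE = ([_line("192.0.2.10", s) for s in range(20, 26)]    # 6 hits in 5 s
          + [_line("198.51.100.7", 30)]                      # one visitor, same UA
          + [_line("203.0.113.5", s, "Mozilla/5.0") for s in range(6)])

if __name__ == "__main__":
    print("\n".join(deny_rules(flooders(SAMPLE))))
```

With the sample data only the client that sent six matching requests in five seconds is flagged; the single visitor with the same User-Agent is left alone.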


~ by Azeem on February 16, 2008.

3 Responses to “The DDoS!”

  1. Sorry M8, got called away (for 2 days) ..
    To resume:
    I have often nested functions, within functions, in C++, without any problem whatsoever ..

    Whatever, or whoever, made you believe that it couldn’t be done, was wrong I’m afraid ..

    The usual problem is ‘scope’, or to describe it more accurately, going out of ‘scope’ ..

    When you come out of a function, variables that were available inside that function, are no longer available outside the function..

    To prevent this, all you need to do is – use global variables, declared initially in the main body of the program, then, no problem going in, and out, of embedded functions ..

    There is a more tasteful method of course, and that requires a set of globals, and feed any values to them before leaving the function (or sub function), concerned ..

    Hope that helps someone, somewhere, sometime my friend .. 🙂

    Pro ..


  2. Compiler: Default compiler
    Executing g++.exe…
    g++.exe “C:\Documents and Settings\Azeem\My Documents\check.cpp” -o “C:\Documents and Settings\Azeem\My Documents\check.exe” -I”E:\Dev-Cpp\lib\gcc\mingw32\3.4.2\include” -I”E:\Dev-Cpp\include\c++\3.4.2\backward” -I”E:\Dev-Cpp\include\c++\3.4.2\mingw32″ -I”E:\Dev-Cpp\include\c++\3.4.2″ -I”E:\Dev-Cpp\include” -L”E:\Dev-Cpp\lib”
    C:\Documents and Settings\Azeem\My Documents\check.cpp: In function `int i(int)’:
    C:\Documents and Settings\Azeem\My Documents\check.cpp:6: error: a function-definition is not allowed here before ‘{‘ token

    C:\Documents and Settings\Azeem\My Documents\check.cpp:6: error: expected `,’ or `;’ before ‘{‘ token
    C:\Documents and Settings\Azeem\My Documents\check.cpp:9: error: `j’ undeclared (first use this function)
    C:\Documents and Settings\Azeem\My Documents\check.cpp:9: error: (Each undeclared identifier is reported only once for each function it appears in.)

    Execution terminated

    Code i used was
    #include
    #include

    int i(int a) {
    int j(int jk)
    {
    return jk;
    }
    return j(5);
    }

    int main() {

    int a = i(50);

    }

    Can you paste in some demonstration.

  3. Use a different Host
    Opticvps has ddos protection for 8%
    my site hasn't gone down from a ddos attack with opticvps
    http://www.opticvps.com
