SYN Attach – 6 Months – Thousands Of Request A Second – Maybe Hacked – Help!

[phpfreek2007]

Hi All,

 

For the last 6 months our site has been under severe brute force, syn flood attack. They keep bombarding a single URL of the server and it is xml file. They are not attacking any other URL.

 

e.g. http://www.example.com/rss123/attackedfilename.xml

 

We have removed the xml page from our site but still they keep on sending requests, this is for the last 6 months non stop.

 

The IP has been changed just to see and they are sending several thousand requests per second. The requests come from different IPS and different ranges, so you can not even block the IP’s.  They seem to be coming from a legitimate IP’s.

 

Due to this I have had to pay for an extremely expensive server which holds 8 GB of RAM and quad core processor etc, however, even with this the server still reaches critical level, just because these requests are eating up my resources.

 

Our technical team has been working on all aspects of apache server security, external modules, firewall, hardware firewall from beginning but still we are not able to stop them.

 

We have installed following modules.

 

1) mod_security

2) mod_evasive

3) Firewall

 

We have worked with the hosting company and their technical team leader, he installed the best CISCO hardware firewall and tried to stop them, but in vain.

 

We have checked our server to see if anything from our site is causing the request, no extra file uploaded on to the server. For example if some file has been upload or some text has been added to the file (checked if we’ve been hacked). Even though we checked for any hacks, I am still wondering if there is something we do not know about.  Can a hack lead to huge amounts of traffic?

 

We need some help to stop these attacks.  We have searched a lot and have found that sites that get attacked like this have only one option is to shut down till it stops.  I really hope that will not be the case for us.  Please let us know if any one has any ideas to deal with this.

 

We are willing to try any small suggestion which might help from coding to scripting to modules to firewall. So please provide suggestion/solutions and way to get us out of this.

 

Also could it be our own part of php code which can do this? We are ready to check every php file to make sure it does not have any line of code which can be dangerous?

 

Thank you for your help in advance!  Help!

 

Regards,

 

Sam

[dreamwest]

I find it entertaining when ppl try to hack my site, for me its chess

 

Theres lots of things you can do, first use http referer to check what address the bot is coming from

 

  $ip_address = $_SERVER['REMOTE_ADDR'];
  $referer = $_SERVER['HTTP_REFERER'];

 

This will give you some info of whats happening, store this in a database so you can review the most evil ips. Then use one of the many tricks to play with them, send them to a hackers site to get there server infected or wherever you feel like

[agallo]

Do you have any kind of hardware firewall installed?