
Not sure if SO is the right forum, but we're in need of help and perhaps programmatic elements may comprise the final solution. Instead of downvoting, please recommend where to post this question, and we'll gladly remove this from SO. Thanks -- we just want to overcome this attack.

It seems like our ecommerce site is under attack from a botnet, causing our site to go down. We're receiving 50-100 requests per second (which far surpasses normal traffic). Some requests are for outdated URLs not even normally accessible from the site.

Two questions:

1) How do we confirm if the site is under attack?

2) If the site is under attack, how can we ward off the attack and prevent future ones?

We appreciate any help or guidance anyone can offer.

We're using Tomcat 6.0. (Don't ask why. You don't want to know.)

Thanks!

Crashalot

1 Answer


(edit: I just saw your comment that you run Windows. This won't help you then :( )

If you can, have your network provider null-route the traffic.

You can also do something like this to limit the amount of connections per source IP:

# drop a new SSH connection once its source has been seen 10 times within 60 seconds
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
# record the source of every new SSH connection (inserted with -I, so it ends up above the DROP rule, where it must be)
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set

This sets a limit of max 10 new connections per 60 seconds. For the specified port (ssh) this is fine, but port 80 will have to handle more under normal conditions (every image, javascript file, etc., is a connection).

You would have to experiment, but I'd start with:

# same pair for HTTP, with a looser limit of 100 new connections per source per 60 seconds
iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 100 -j DROP
iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --set

That's assuming you're not using port 443.

Halfgaar
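Worked example added here, not code from the original question or from Halfgaar's answer. It covers both parts of the question: it answers "are we under attack?" from the Tomcat access log with numbers (peak requests per second, requests and 404s per client), and it emits the xt_recent rule pair from the answer for ports 80 and 443 so they can be reviewed before being run as root. Everything in it is an assumption of mine: the log lines are constructed (TEST-NET addresses) in the common log format Tomcat's AccessLogValve writes by default, the thresholds are placeholders to tune against the site's normal traffic, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Assumptions (all mine): Tomcat's AccessLogValve writes the default common
# log format shown below, the log lines are constructed with TEST-NET
# addresses, the thresholds are placeholders to tune against normal traffic,
# and the iptables commands are printed for review rather than executed.

LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT

# Constructed sample: two normal browsers (198.51.100.x) and two noisy
# clients (203.0.113.x) hammering URLs that no longer exist.
cat > "$LOG" <<'EOF'
198.51.100.10 - - [12/Mar/2012:10:15:00 +0000] "GET /index.jsp HTTP/1.1" 200 5120
198.51.100.10 - - [12/Mar/2012:10:15:00 +0000] "GET /css/site.css HTTP/1.1" 200 1024
198.51.100.10 - - [12/Mar/2012:10:15:01 +0000] "GET /js/app.js HTTP/1.1" 200 2048
203.0.113.7 - - [12/Mar/2012:10:15:01 +0000] "GET /oldcatalog/item123.jsp HTTP/1.1" 404 512
203.0.113.7 - - [12/Mar/2012:10:15:01 +0000] "GET /oldcatalog/item124.jsp HTTP/1.1" 404 512
203.0.113.7 - - [12/Mar/2012:10:15:01 +0000] "GET /oldcatalog/item125.jsp HTTP/1.1" 404 512
203.0.113.7 - - [12/Mar/2012:10:15:02 +0000] "GET /oldcatalog/item126.jsp HTTP/1.1" 404 512
203.0.113.7 - - [12/Mar/2012:10:15:02 +0000] "GET /oldcatalog/item127.jsp HTTP/1.1" 404 512
203.0.113.7 - - [12/Mar/2012:10:15:02 +0000] "GET /index.jsp HTTP/1.1" 200 5120
203.0.113.8 - - [12/Mar/2012:10:15:02 +0000] "GET /shop/legacy.do HTTP/1.1" 404 512
203.0.113.7 - - [12/Mar/2012:10:15:03 +0000] "GET /oldcatalog/item128.jsp HTTP/1.1" 404 512
203.0.113.8 - - [12/Mar/2012:10:15:03 +0000] "GET /shop/legacy.do HTTP/1.1" 404 512
198.51.100.11 - - [12/Mar/2012:10:15:03 +0000] "GET /index.jsp HTTP/1.1" 200 5120
203.0.113.8 - - [12/Mar/2012:10:15:04 +0000] "GET /shop/legacy.do HTTP/1.1" 404 512
203.0.113.8 - - [12/Mar/2012:10:15:04 +0000] "GET /shop/cart.do HTTP/1.1" 404 512
198.51.100.11 - - [12/Mar/2012:10:15:04 +0000] "GET /css/site.css HTTP/1.1" 200 1024
EOF

# Busiest single second in the log. Field 4 is "[12/Mar/2012:10:15:00", so
# dropping the leading bracket gives a per-second bucket key. Compare the
# result with what the site normally sees to confirm an attack with a number.
peak_rps() {  # usage: peak_rps LOGFILE
    awk '{ c[substr($4, 2)]++ } END { m = 0; for (s in c) if (c[s] > m) m = c[s]; print m }' "$1"
}

# "count ip" for every client that sent more than LIMIT requests, busiest first.
top_talkers() {  # usage: top_talkers LOGFILE LIMIT
    awk -v limit="$2" '{ n[$1]++ } END { for (ip in n) if (n[ip] > limit) print n[ip], ip }' "$1" | sort -rn
}

# 404s per client. Field 9 is the status code in the common log format; a bot
# replaying stale URLs from an old crawl shows up here even at a modest rate.
not_found_per_ip() {  # usage: not_found_per_ip LOGFILE
    awk '$9 == 404 { n[$1]++ } END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# The xt_recent pair from the answer for one port, with a named table so the
# port 80 and port 443 copies share one per-source counter. Both lines use -I,
# so when run in order the --set rule printed second lands on top of the
# chain, where it must be: it records the source first, then --update drops
# once HITCOUNT new connections from that source fall inside SECONDS.
rate_limit_rules() {  # usage: rate_limit_rules PORT HITCOUNT SECONDS
    printf 'iptables -I INPUT -p tcp --dport %s -m state --state NEW -m recent --name web --update --seconds %s --hitcount %s -j DROP\n' "$1" "$3" "$2"
    printf 'iptables -I INPUT -p tcp --dport %s -m state --state NEW -m recent --name web --set\n' "$1"
}

echo "peak requests per second: $(peak_rps "$LOG")"
echo "clients with more than 3 requests:"
top_talkers "$LOG" 3
echo "404 responses per client:"
not_found_per_ip "$LOG"
echo "rules to review, then run as root:"
rate_limit_rules 80 100 60
rate_limit_rules 443 100 60
```

Two caveats worth knowing before applying the printed rules. A per-source cap only helps when individual sources are noisy; a botnet that spreads a few requests across thousands of addresses sails under any --hitcount, which is why the log analysis comes first. And on older kernels xt_recent remembers only ip_pkt_list_tot packets per address (default 20), so a --hitcount of 100 is refused unless the module is loaded with that parameter raised; newer kernels size the table from --hitcount. Rules inserted with -I are also gone at the next reboot or firewall reload unless saved.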