Detecting botnet DDoS attacks on websites by watching the Raw Access Log in cPanel, and preventing them.

One fine day you suddenly discover that your website has slowed to a crawl, or that it is eating bandwidth; either can mean your website is under attack or has been hacked.
A simple way to find out is to go to the right section of cPanel and download the Raw Access Log to check.

If you see one IP (DoS) or multiple IPs (botnet) continuously requesting the same URL, you have found the weakness of the automated tool.
Example:
183.80.63.252 - - [13/May/2012:18:19:48 -0700] "GET /@4rum/index.php HTTP/1.1" 403 301 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"
183.80.63.252 - - [13/May/2012:18:19:48 -0700] "GET /@4rum/index.php HTTP/1.1" 403 301 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"
183.80.63.252 - - [13/May/2012:18:19:48 -0700] "GET /@4rum/index.php HTTP/1.1" 403 301 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"
183.80.63.252 - - [13/May/2012:18:19:48 -0700] "GET /@4rum/index.php HTTP/1.1" 404 297 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"
183.80.63.252 - - [13/May/2012:18:19:48 -0700] "GET /@4rum/index.php HTTP/1.1" 403 301 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"


If the attack comes from a single IP as above, block that IP with the following configuration in the .htaccess file:

order allow,deny
deny from 183.80.63.252
allow from all

If you are attacked at the same place (index.php) but from many different IPs, and you only block on the number of connections per minute from one IP, you will certainly miss some of them and confuse them with the IPs of real members.
- Instead, pay attention to the user-agent:

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)

OK, they are all exactly the same, so I block on it.
- But if you block that whole string, you will also block every visitor running Windows 5.1 (XP SP2) with IE 6 (MSIE 6.0), and there are a lot of them, so do not block all of it. Take only the part that is specific to the attacker; here the distinctive part is CLR 1.0.3705.
OK, to block just that part, use this .htaccess code:

RewriteEngine On
# the CLR token sits in the middle of the user-agent string, so it is matched unanchored
RewriteCond %{HTTP_USER_AGENT} 1\.0\.3705
RewriteRule ^.* - [F,L]
Or
SetEnvIfNoCase User-Agent "1\.0\.3705" bad_bot
Order Allow,Deny
Allow from all
Deny from env=bad_bot
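As an added example (not code from the original post), here is a small Python script that automates the two checks described above: it parses Raw Access Log lines in Apache combined format, flags any single IP hammering one URL (the single-IP DoS case) and any user-agent string shared by many distinct source IPs (the botnet case), and then prints the matching Apache 2.2 .htaccess deny rules of the kind used above. The log lines, the thresholds, and the 203.0.113.x / 192.0.2.x / 198.51.100.x addresses are constructed sample data, not a real log; the bad_bot user-agent fragment is the one from the post.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" log format, which is what cPanel's Raw Access Log contains.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

BOT_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"

# Constructed sample log: one IP repeating the same URL five times, three more IPs
# sharing the same user-agent, and two ordinary visitors with different browsers.
SAMPLE_LOG = "\n".join(
    [f'183.80.63.252 - - [13/May/2012:18:19:48 -0700] "GET /@4rum/index.php HTTP/1.1" 403 301 "-" "{BOT_UA}"'] * 5
    + [f'203.0.113.{n} - - [13/May/2012:18:19:49 -0700] "GET /@4rum/index.php HTTP/1.1" 403 301 "-" "{BOT_UA}"'
       for n in (11, 12, 13)]
    + ['192.0.2.50 - - [13/May/2012:18:19:50 -0700] "GET /about.html HTTP/1.1" 200 5120 "-" '
       '"Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0"',
       '198.51.100.7 - - [13/May/2012:18:19:51 -0700] "GET /@4rum/index.php HTTP/1.1" 200 8120 "-" '
       '"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5"']
)


def parse_log(text):
    """Yield one dict per parseable log line; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def find_floods(entries, threshold):
    """IPs that requested a single path at least `threshold` times -> {ip: (path, count)}."""
    counts = Counter((e["ip"], e["path"]) for e in entries)
    return {ip: (path, n) for (ip, path), n in counts.items() if n >= threshold}


def find_agent_clusters(entries, min_ips):
    """User-agent strings shared by at least `min_ips` distinct IPs -> {agent: [ips]}."""
    ips_by_agent = defaultdict(set)
    for e in entries:
        ips_by_agent[e["agent"]].add(e["ip"])
    return {ua: sorted(ips) for ua, ips in ips_by_agent.items() if len(ips) >= min_ips}


def htaccess_rules(ips, ua_fragment=None):
    """Apache 2.2 mod_authz_host/mod_setenvif block: deny listed IPs and, optionally,
    any user-agent containing `ua_fragment` (regex-escaped so '.' matches literally)."""
    lines = []
    if ua_fragment:
        lines.append(f'SetEnvIfNoCase User-Agent "{re.escape(ua_fragment)}" bad_bot')
    lines += ["Order Allow,Deny", "Allow from all"]
    lines += [f"Deny from {ip}" for ip in ips]
    if ua_fragment:
        lines.append("Deny from env=bad_bot")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    floods = find_floods(entries, threshold=5)
    clusters = find_agent_clusters(entries, min_ips=3)
    for ip, (path, n) in floods.items():
        print(f"flood: {ip} requested {path} {n} times")
    for ua, ips in clusters.items():
        print(f"shared user-agent across {len(ips)} IPs: {ua}")
    # "1.0.3705" is the distinctive fragment chosen by hand, as the post describes.
    print(htaccess_rules(sorted(floods), ua_fragment="1.0.3705"))
```

The thresholds (5 hits on one URL, 3 IPs on one user-agent) are deliberately low so the sample triggers both checks; on a real log raise them to a level where ordinary traffic on your site does not trip them, and always eyeball a cluster's user-agent before blocking it, since a common browser string will pull in legitimate visitors as the post warns. Apache 2.4 replaces Order/Allow/Deny with Require directives, so adapt the emitted rules if your host runs 2.4.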

- If a particular site is pulling your files or content from your web page, block connections that come from that site (by referer) to your website:

RewriteEngine On
RewriteCond %{HTTP_REFERER} ^http://.*1-few-letter-in-domain.com [NC]
RewriteRule .* – [F]

The steps above are the basic steps for limiting attacks on your website. Beyond them, you can use mods, plugins, or scripts to limit attacks, such as BlockScript (paid). Hopefully this article is useful to you.
