1. At the time of a DDoS attack, httpd.conf should carry the following settings (Apache directives take no "=" sign; MinSpareServers and MaxSpareServers are prefork MPM directives):
Timeout 20
KeepAlive Off
MaxClients 384
MinSpareServers 20
MaxSpareServers 25
2. In /usr/local/ddos/ddos.conf (DDoS Deflate), lower the per-IP connection threshold:
NO_OF_CONNECTIONS=20
3. Keep 7 SSH sessions and 1 WHM session open at the time of the DDoS, so that you are not locked out if new logins stop working under load.
4. Check the domlogs to trace which website is being hit. In the domlogs directory (/usr/local/apache/domlogs on cPanel), list the files by modification time to find the most recently updated log ("ll" is only an alias for "ls -l"):
ls -lt | less
5. Keep the following checks at hand during a DDoS:
top, and Apache's access_log and error_log
ps aux | grep php
check the Apache status in WHM
cd /root/nobody_check
./apachetrace
cd /tmp
ls and look for suspicious scripts.
6. If necessary, reboot the server. This kills the HTTP process that is causing the DoS; when the server comes back up, that process will start again, and at that point you can trace it and kill it.
7. You can change the permissions of the suspected domain. Point its DNS to 127.0.0.1 and use a TTL of 20 for fast DNS propagation. Do not set a redirect for the website in httpd.conf.
8. After the DDoS attacker is traced down, do not forget to revert the changes made to httpd.conf.
9. Suspend the suspected domain and mail the client about it.
Check the mail queue in WHM
1) If the queue is high, open the mail queue in WHM, scroll to the bottom and see which domain appears most of the time, or which messages are going to AOL. If one stands out, click its message ID to see the email headers; that identifies the spammer. Not all queued mail is spam, so delete only the spam messages.
To trace mail sent from scripts, watch the Exim log for the sendmail binary, script directories and the server's hostname (substitute it for "hostname"):
tail -f /var/log/exim_mainlog | grep sendmail
tail -f /var/log/exim_mainlog | grep tmp
tail -f /var/log/exim_mainlog | grep public_html
tail -f /var/log/exim_mainlog | grep hostname
or
cd /var/spool/cron
and check whether a cron job is sending mail or a bulk list.
2) Check AOL mail. If mails from AOL keep arriving at the server continuously, check the mail queue for who is sending mail to AOL addresses, check the headers and suspend the account.
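The tail | grep lines above look for the markers that identify mail sent from a script (a cwd= under public_html or /tmp, invoked through the sendmail binary) and for queue traffic to AOL. The script below is an added example, not part of the original notes: it runs those same checks with awk over a constructed, simplified sample of exim_mainlog lines, counting messages per sending cPanel user (the U= field on "<=" receive lines), per script directory (the cwd= that Exim logs when log_selector includes +arguments), and deliveries to aol.com on "=>" lines. The log lines, users, message IDs and hosts are invented for the example; only the field layout is Exim's.

```shell
#!/bin/sh
# Added example: triage of exim_mainlog for script-sent spam.
# Point EXIMLOG at /var/log/exim_mainlog to run it on a live server.
set -e

# Constructed sample (not a real log): 7 messages from user "acme", 5 sent
# from a public_html upload directory and 2 from /tmp, all to aol.com,
# plus one legitimate message from user "bob".
EXIMLOG=$(mktemp)
trap 'rm -f "$EXIMLOG"' EXIT
cat > "$EXIMLOG" <<'EOF'
2012-10-10 10:00:01 cwd=/home/acme/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2012-10-10 10:00:01 1TLmn0-0001aA-Ef <= nobody@server.example.net U=acme P=local S=2310 T="Offer" for victim1@aol.com
2012-10-10 10:00:01 1TLmn0-0001aA-Ef => victim1@aol.com R=lookuphost T=remote_smtp H=mx.aol.test [198.51.100.25]
2012-10-10 10:00:02 cwd=/home/acme/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2012-10-10 10:00:02 1TLmn1-0001aB-Ef <= nobody@server.example.net U=acme P=local S=2310 T="Offer" for victim2@aol.com
2012-10-10 10:00:02 1TLmn1-0001aB-Ef => victim2@aol.com R=lookuphost T=remote_smtp H=mx.aol.test [198.51.100.25]
2012-10-10 10:00:03 cwd=/home/acme/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2012-10-10 10:00:03 1TLmn2-0001aC-Ef <= nobody@server.example.net U=acme P=local S=2310 T="Offer" for victim3@aol.com
2012-10-10 10:00:03 1TLmn2-0001aC-Ef => victim3@aol.com R=lookuphost T=remote_smtp H=mx.aol.test [198.51.100.25]
2012-10-10 10:00:04 cwd=/home/acme/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2012-10-10 10:00:04 1TLmn3-0001aD-Ef <= nobody@server.example.net U=acme P=local S=2310 T="Offer" for victim4@aol.com
2012-10-10 10:00:04 1TLmn3-0001aD-Ef => victim4@aol.com R=lookuphost T=remote_smtp H=mx.aol.test [198.51.100.25]
2012-10-10 10:00:05 cwd=/home/acme/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2012-10-10 10:00:05 1TLmn4-0001aE-Ef <= nobody@server.example.net U=acme P=local S=2310 T="Offer" for victim5@aol.com
2012-10-10 10:00:05 1TLmn4-0001aE-Ef => victim5@aol.com R=lookuphost T=remote_smtp H=mx.aol.test [198.51.100.25]
2012-10-10 10:00:06 cwd=/tmp 3 args: /usr/sbin/sendmail -t -i
2012-10-10 10:00:06 1TLmn5-0001aF-Ef <= nobody@server.example.net U=acme P=local S=2310 T="Offer" for victim6@aol.com
2012-10-10 10:00:06 1TLmn5-0001aF-Ef => victim6@aol.com R=lookuphost T=remote_smtp H=mx.aol.test [198.51.100.25]
2012-10-10 10:00:07 cwd=/tmp 3 args: /usr/sbin/sendmail -t -i
2012-10-10 10:00:07 1TLmn6-0001aG-Ef <= nobody@server.example.net U=acme P=local S=2310 T="Offer" for victim7@aol.com
2012-10-10 10:00:07 1TLmn6-0001aG-Ef => victim7@aol.com R=lookuphost T=remote_smtp H=mx.aol.test [198.51.100.25]
2012-10-10 10:05:00 1TLmn7-0001aH-Ef <= bob@example.org U=bob P=local S=980 T="Invoice" for accounts@example.com
2012-10-10 10:05:00 1TLmn7-0001aH-Ef => accounts@example.com R=lookuphost T=remote_smtp H=mx.example.com [198.51.100.30]
EOF

# Messages received ("<=") per local user, busiest first.
messages_by_user() {
    awk '$4 == "<=" { for (i = 5; i <= NF; i++) if ($i ~ /^U=/) c[substr($i, 3)]++ }
         END { for (u in c) print c[u], u }' "$1" | sort -rn
}

# The user behind most of the mail; the account to inspect and suspend.
top_sender() { messages_by_user "$1" | head -n 1 | cut -d' ' -f2; }

# Script directories (cwd= under public_html or /tmp) that invoked sendmail,
# with a count each. The path points at the script to look for.
script_dirs() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^cwd=/) { d = substr($i, 5); if (d ~ /public_html|^\/tmp/) c[d]++ } }
         END { for (d in c) print c[d], d }' "$1" | sort -rn
}

# Deliveries ("=>") to one recipient domain, e.g. aol.com.
count_to_domain() {
    awk -v d="$2" '$4 == "=>" { split($5, a, "@"); if (a[2] == d) n++ } END { print n + 0 }' "$1"
}

# Message IDs received from one user. On a live box this list can be fed to
# "exim -Mrm" to remove only that user's messages from the queue, instead of
# clearing the whole queue and losing legitimate mail.
ids_for_user() {
    awk -v u="U=$2" '$4 == "<=" { for (i = 5; i <= NF; i++) if ($i == u) print $3 }' "$1"
}

echo "Messages per user:";  messages_by_user "$EXIMLOG"
echo "Script directories:"; script_dirs "$EXIMLOG"
echo "Deliveries to aol.com: $(count_to_domain "$EXIMLOG" aol.com)"
```

Against the live log the counts come from the whole file, so run it on a copy of the last few thousand lines (tail -n 5000 /var/log/exim_mainlog > /tmp/recent.log) to see the current burst rather than the day's history. The ids_for_user output is only useful for removal while those messages are still in the queue; compare it with the WHM queue view before deleting anything.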
Apache load
ps aux | grep nobody
Check for old or bad processes and kill them.
Check the Apache status.
Check the access_log.
Check the domlogs of the domain.
To control it:
1) cap the domain at a per-IP connection limit
2) if it is a DDoS, point the domain to 127.0.0.1 and update the client
3) if only one file is being accessed, redirect that file
4) if it is ~access, ban it with mod_security
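Steps 4 and 5 of the DDoS list and the access_log and domlog checks above all come down to the same two questions: which client IP and which URL make up the flood. The script below is an added example, not from the original notes; it pushes a constructed sample of Apache combined-format log lines (the format written to the cPanel domlogs) through awk to find the top IPs, the single most requested path, and the IPs above a hit threshold. The threshold here is a count of log hits on one file; it is not the same quantity as DDoS Deflate's NO_OF_CONNECTIONS, which counts concurrent connections from netstat.

```shell
#!/bin/sh
# Added example: triage of an Apache domlog during a flood.
# Point DOMLOG at a real file such as /usr/local/apache/domlogs/example.com
# (the most recently modified one from "ls -lt") to run it on live data.
set -e

# Constructed sample (not a real log): 8 hits from one IP on /wp-login.php
# and a few normal hits from two other clients. Combined log format fields:
# ip ident user [date tz] "METHOD /path HTTP/x" status bytes "referer" "agent"
DOMLOG=$(mktemp)
trap 'rm -f "$DOMLOG"' EXIT
cat > "$DOMLOG" <<'EOF'
198.51.100.9 - - [10/Oct/2012:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1042 "-" "Mozilla/4.0"
198.51.100.9 - - [10/Oct/2012:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1042 "-" "Mozilla/4.0"
198.51.100.9 - - [10/Oct/2012:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1042 "-" "Mozilla/4.0"
198.51.100.9 - - [10/Oct/2012:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1042 "-" "Mozilla/4.0"
198.51.100.9 - - [10/Oct/2012:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1042 "-" "Mozilla/4.0"
198.51.100.9 - - [10/Oct/2012:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1042 "-" "Mozilla/4.0"
198.51.100.9 - - [10/Oct/2012:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 1042 "-" "Mozilla/4.0"
198.51.100.9 - - [10/Oct/2012:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 1042 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Oct/2012:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2012:10:00:03 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2012:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2012:10:00:05 +0000] "GET /images/logo.png HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
EOF

# Hits per client IP, busiest first (the awk form of
# "awk '{print $1}' | sort | uniq -c | sort -rn"). Second argument: how many.
top_ips() {
    awk '{ c[$1]++ } END { for (ip in c) print c[ip], ip }' "$1" | sort -rn | head -n "${2:-10}"
}

# Number of hits from one IP (0 when it does not appear).
hits_for_ip() {
    awk -v ip="$2" '$1 == ip { n++ } END { print n + 0 }' "$1"
}

# The single most requested path. When one file takes the whole flood,
# control step 3 above (redirect that file) is the cheap fix.
top_url() {
    awk '{ c[$7]++ } END { for (u in c) print c[u], u }' "$1" | sort -rn | head -n 1 | cut -d' ' -f2
}

# IPs with at least THRESHOLD hits: candidates for a per-IP cap or a
# firewall/mod_security ban. Sorted so the output is stable.
flag_ips() {
    awk -v t="$2" '{ c[$1]++ } END { for (ip in c) if (c[ip] >= t) print ip }' "$1" | sort
}

# Hits per IP on one path, to see who is hammering a particular file.
hits_on_url() {
    awk -v u="$2" '$7 == u { c[$1]++ } END { for (ip in c) print c[ip], ip }' "$1" | sort -rn
}

echo "Top IPs:";         top_ips "$DOMLOG" 3
echo "Top URL:";         top_url "$DOMLOG"
echo "IPs over 5 hits:"; flag_ips "$DOMLOG" 5
echo "Who hits the top URL:"; hits_on_url "$DOMLOG" "$(top_url "$DOMLOG")"
```

Before banning an IP from this list, compare it with the Apache status page in WHM: a busy proxy or a search-engine crawler can top a domlog without being the attacker, and a real flood usually shows the same IPs holding many concurrent connections, which is what NO_OF_CONNECTIONS acts on.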
During a DDoS we use the following method.
In DDoS ON mode the usual settings are:
/usr/local/ddos/ddos.conf
NO_OF_CONNECTIONS=100
/etc/httpd/conf/httpd.conf
Timeout 10
KeepAlive Off
mod_evasive: uncomment its LoadModule line
===========================================================
In DDoS OFF mode:
/usr/local/ddos/ddos.conf
NO_OF_CONNECTIONS=650
/etc/httpd/conf/httpd.conf
Timeout 50
KeepAlive On
mod_evasive: comment out its LoadModule line
DDoS mode should be switched back off when the attack stops. Restart Apache after each change so the new directives take effect.
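The ON/OFF switch above is three edits to httpd.conf and one to ddos.conf, made by hand each time. The script below is an added example, not from the original notes: it makes those edits with awk, writing through a temporary file so that a failed rewrite never truncates the live config, and offers read-back functions to confirm the result. The exact spelling of the mod_evasive LoadModule line is assumed (any line starting "LoadModule evasive" is matched); the demo at the bottom works on constructed copies of the two files, not the real ones.

```shell
#!/bin/sh
# Added example: switch between the DDoS ON and OFF settings.
# Paths default to the live files; the demo below passes temp copies.
set -e

# Rewrite Timeout, KeepAlive and the mod_evasive LoadModule line in an
# httpd.conf, and NO_OF_CONNECTIONS in ddos.conf, for the given mode.
# KeepAliveTimeout is left alone: the pattern requires a space or "=" after
# the directive name, so it does not match the longer directive.
ddos_mode() {
    mode=$1; httpd=${2:-/etc/httpd/conf/httpd.conf}; ddos=${3:-/usr/local/ddos/ddos.conf}
    case "$mode" in
        on)  timeout=10; keepalive=Off; conns=100; evasive="" ;;
        off) timeout=50; keepalive=On;  conns=650; evasive="#" ;;
        *)   echo "usage: ddos_mode on|off [httpd.conf] [ddos.conf]" >&2; return 1 ;;
    esac
    awk -v t="$timeout" -v k="$keepalive" -v p="$evasive" '
        /^[# ]*Timeout[ =]/        { print "Timeout " t; next }
        /^[# ]*KeepAlive[ =]/      { print "KeepAlive " k; next }
        /^[# ]*LoadModule evasive/ { sub(/^[# ]*/, ""); print p $0; next }
        { print }' "$httpd" > "$httpd.tmp" && mv "$httpd.tmp" "$httpd"
    awk -v n="$conns" '
        /^NO_OF_CONNECTIONS=/ { print "NO_OF_CONNECTIONS=" n; next }
        { print }' "$ddos" > "$ddos.tmp" && mv "$ddos.tmp" "$ddos"
}

# Read-back helpers used to verify the switch before restarting Apache.
httpd_value()      { awk -v n="$2" '$1 == n { print $2; exit }' "$1"; }
evasive_enabled()  { if grep -q '^LoadModule evasive' "$1"; then echo yes; else echo no; fi; }
ddos_connections() { sed -n 's/^NO_OF_CONNECTIONS=//p' "$1"; }

# Demo on constructed copies (not the live configs). The LoadModule line is
# an assumption for this example; check the real one in your httpd.conf.
DEMO_HTTPD=$(mktemp); DEMO_DDOS=$(mktemp)
trap 'rm -f "$DEMO_HTTPD" "$DEMO_HTTPD.tmp" "$DEMO_DDOS" "$DEMO_DDOS.tmp"' EXIT
cat > "$DEMO_HTTPD" <<'EOF'
Timeout 50
KeepAlive On
KeepAliveTimeout 5
MaxClients 384
#LoadModule evasive20_module modules/mod_evasive20.so
EOF
cat > "$DEMO_DDOS" <<'EOF'
FREQ=1
NO_OF_CONNECTIONS=650
APF_BAN=1
EOF

ddos_mode on "$DEMO_HTTPD" "$DEMO_DDOS"
echo "ON:  Timeout=$(httpd_value "$DEMO_HTTPD" Timeout) KeepAlive=$(httpd_value "$DEMO_HTTPD" KeepAlive) evasive=$(evasive_enabled "$DEMO_HTTPD") conns=$(ddos_connections "$DEMO_DDOS")"
ddos_mode off "$DEMO_HTTPD" "$DEMO_DDOS"
echo "OFF: Timeout=$(httpd_value "$DEMO_HTTPD" Timeout) KeepAlive=$(httpd_value "$DEMO_HTTPD" KeepAlive) evasive=$(evasive_enabled "$DEMO_HTTPD") conns=$(ddos_connections "$DEMO_DDOS")"
```

On the live server, run "ddos_mode on" with no extra arguments, then validate with "httpd -t" (or "apachectl configtest") before restarting Apache (/scripts/restartsrv_httpd on cPanel); a bad LoadModule path will show up at configtest rather than as a dead web server during the attack. Run "ddos_mode off" and restart again once the attack stops.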
We also check /proc/<pid> of the suspect process.
mysqladmin processlist
If one database shows up again and again, suspend that account.