I'm having a "legitimate" DDOS attack - Help!

A few days ago I got an email from a customer saying he wants to sign up for the highest-priced plan at $19.99 and even pay an additional $10 if he could host on my server.

He mentioned his website is a public forum with about 200 connections, which isn't too bad for my server. But anyway, after a day of uploading his files, he finally got his site working and boy, the server load jumped from 0.5 to 2.8! Everything was slow, etc., so I asked him to leave and he accepted.

Now after 4 days, his DNS has been pointing to a new server but I'm STILL getting about 200 httpd requests. Here are a few:

Srv PID Acc M CPU SS Req Conn Child Slot Host VHost Request
1-11 6473 0/30/30046 G 0.44 464410 0 0.0 0.17 403.85 220.202.3.58 (unavailable) GET /bbs/thread.php?fid=56 HTTP/1.1
2-11 4522 1/101/30855 G 0.85 464326 0 0.0 0.37 400.94 61.139.72.196 (unavailable) POST /bbs/login.php? HTTP/1.1
3-11 3162 0/583/31458 G 8.87 455343 0 0.0 2.48 400.83 209.237.238.178 (unavailable) GET /bbs/read.php?tid=54673&page=e&fpage=1 HTTP/1.0
4-11 8236 0/127/31414 G 1.47 455331 0 0.0 0.42 414.61 221.236.123.54 (unavailable) GET /bbs/read.php?tid=64720&fpage=2 HTTP/1.1
7-11 6349 0/321/31389 G 3.51 455124 0 0.0 0.76 405.86 222.218.96.106 (unavailable) GET /bbs/read.php?tid=59895&fpage=1 HTTP/1.1
8-11 25685 0/617/30063 G 9.04 466277 0 0.0 2.48 404.88 221.201.16.72 (unavailable) GET /bbs/thread.php?fid=67 HTTP/1.1
9-11 26519 0/596/29566 G 8.81 466481 0 0.0 2.02 412.21 61.138.254.138 (unavailable) GET /bbs/index.php HTTP/1.1
I've contacted EV1, and they say these are "legitimate" httpd requests like a DDOS. How the hell is this possible?

I thought he might have used my server's IP address in his BBS settings, but his website is actually down saying "under maintenance" and you cannot even access his domain/bbs/. DNS has been pointing to the new server for 4 days now...

Can anyone suggest a solution? Any way to block these requests?

[edit] This is a cPanel/Linux server [/edit]

 

 

 

 
