Mailinglist Archive: opensuse-security (232 mails)

Re: [suse-security] Under DDoS Attack
  • From: Helio Leonardo Mota <HMota@xxxxxxxxxx>
  • Date: Fri, 28 Oct 2005 11:09:25 -0200
  • Message-id: <200510281109.33929.HMota@xxxxxxxxxx>
Hi all,

Please bear with me as I have just started to gather entropy on this thread.
As a first step I find it useful to organize thoughts to bridge the gaps
between each helping mind around this issue.
So...

1) The attack
As far as I can tell the attack is characterized by invalid connections to
TCP/IP port 80 with diffusely distributed origin (DDoS). Those connections are
eating up computational resources (read: file descriptors), rendering the
server unusable by legitimate users. Connections eat up resources for a fixed
time whenever a new connection is established by the attacker.

2) Defense
The practical defensive strategy is blocking the attacker before the bad guy
hits the server process (on the webserver or ISP). Reducing the timeout is
considered impractical since dynamic pages which need interaction with
databases would be impacted. The attacker is also using distributed
computational resources, which leads to the belief that reducing the timeout
would only shorten the attack loop. Hypothetically the origin IPs could be
spoofed (unlikely if the 3-way handshake is being completed).
As the attack is not sending any data, making a signature is very hard.
The attack has been mitigated by blocking IPs that have more than 5 connections
whenever resources reach maximum usage (MaxClients).

3) Weapons
The attacker is potentially using compromised machines over the internet where
zombies are constantly firing attacks toward the victim.
Defensive weaponry includes firewalling, proxying or adding software layers
(mods) in front of the server process in order to identify traffic as
offending or legitimate with the smallest false-positive and false-negative
ratio.

A few questions that would be wise to ask the victim:

Q1: Do you suspect someone that might be interested in being that evil,
and unfairly taking you out of business?
Q2: Can you provide an attack sample (namely a tcpdump file) for investigative
purposes by this community? (It is advisable that you scrub any sensitive
information.)
Q3: Can you spot some kind of pattern in the offending traffic? Could this
raise the possibility of making a signature for the attack?

Some initial research brought these to the surface, which might be of some use:
http://lists.suse.com/archive/suse-security/2003-Aug/0222.html
http://dominia.org/djao/limitipconn.html
http://lists.suse.com/archive/suse-security/2003-Aug/0230.html
http://www.gotroot.com/tiki-index.php?page=Which+mod_security+rules
http://www.modsecurity.org/documentation/overview.html

Peace,
HLM

On Thursday 27 October 2005 12:23, media Formel4 wrote:
> Hi list,
>
> sorry for the double-post but my thread opener was in reply to another
> post which confuses the mailinglist structure...
>
> ####################################################################
>
> Hi list,
>
> right now we're experiencing a (for me) very uncommon DDoS attack
> against one of our webservers. Looking with netstat we find hundreds of
> established connections to our Apache webserver, but nothing in the logs
> - which means the attacker opens up a connection (not only a SYN request
> as in SYN flood attacks) and then blocks the Apache child until it hits
> timeout. This attack comes from thousands of IP numbers (bots?) all over
> the world.
>
> Question is:
>
> - Is it possible with spoofed IP numbers to establish connections to
> port 80? As far as I know you should get stuck after "SYN".
> I'm asking that, because tracing back the IPs in question I find very
> often unrouted areas and non-reachable (but maybe firewalled) IPs.
>
> Also I found a group of 300 IPs coming from an American company network.
> I contacted them and they stated too, that those IPs were not in use and
> not routed right now...
>
> - How can I secure this server and/or stop this attack?
>
> Thanks,
>
> Ralf Koch
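One way to implement the per-IP heuristic described in section 2 (flag sources holding more than 5 established connections to port 80 once Apache is at MaxClients), as an added example that is not part of this thread or of any tool it links to. It parses text in the layout of Linux `netstat -tn`; the sample output, addresses and the `busy_workers`/`max_clients` parameters are constructed assumptions, and it only reports offenders rather than touching the firewall.

```python
import re
from collections import Counter

# Constructed sample in the layout of `netstat -tn` on Linux; not real traffic.
# 198.51.100.7 holds six idle ESTABLISHED connections to :80 (the attack pattern
# from the thread); 203.0.113.9 has two, plus a half-open one and an SSH session.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51001      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51002      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51003      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51004      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51005      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51006      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.9:40001       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.9:40002       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.9:40003       SYN_RECV
tcp        0      0 192.0.2.10:22           203.0.113.9:40004       ESTABLISHED
"""

# proto recv-q send-q local:port remote:port state; greedy \S+ backtracks to the
# last ':' so IPv4-mapped IPv6 addresses such as ::ffff:1.2.3.4:80 also parse.
LINE_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)")


def established_per_ip(netstat_text, local_port=80):
    """Map remote IP -> number of ESTABLISHED connections to local_port.

    Only fully established sockets count: SYN_RECV entries are a SYN-flood
    symptom, not the child-blocking connections this thread is about.
    """
    counts = Counter()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or non-TCP entry
        _laddr, lport, raddr, _rport, state = m.groups()
        if int(lport) == local_port and state == "ESTABLISHED":
            counts[raddr] += 1
    return counts


def offenders(netstat_text, max_conn=5, busy_workers=0, max_clients=150,
              local_port=80):
    """Return sorted remote IPs holding more than max_conn connections, but
    only once the server is saturated (busy_workers >= MaxClients), so a busy
    legitimate proxy is not flagged during normal load."""
    if busy_workers < max_clients:
        return []
    counts = established_per_ip(netstat_text, local_port)
    return sorted(ip for ip, n in counts.items() if n > max_conn)
```

Feed it the live output of `netstat -tn` and the current busy-worker count from Apache's server-status page; review the returned list before acting on it, since a NAT gateway can legitimately exceed the per-IP limit.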