Mailinglist Archive: opensuse-security (232 mails)

Under DDoS Attack
  • From: media Formel4 <info@xxxxxxxxxx>
  • Date: Thu, 27 Oct 2005 16:23:27 +0200
  • Message-id: <4360E2DF.6070500@xxxxxxxxxx>
Hi list,

sorry for the double-post, but my thread opener was in reply to another post, which confuses the mailing list structure...

####################################################################

Hi list,

right now we're experiencing a (for me) very uncommon DDoS attack
against one of our webservers. Looking with netstat we find hundreds of
established connections to our Apache webserver, but nothing in the logs
- which means the attacker opens up a connection (not only a SYN request
as in SYN flood attacks) and then blocks the Apache child until it hits
timeout. This attack comes from thousands of IP numbers (bots?) all over
the world.

Question is:

- Is it possible with spoofed IP numbers to establish connections to
port 80? As far as I know you should get stuck after "SYN".
I'm asking because, tracing back the IPs in question, I very often find unrouted areas and non-reachable (but maybe firewalled) IPs.

Also I found a group of 300 IPs coming from an American company network. I contacted them and they stated too that those IPs were not in use and not routed right now...

- How can I secure this server and/or stop this attack?

Thanks,

Ralf Koch
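An added example (not from the poster) of the triage a defender would do on the `netstat` output described above: group fully established connections to port 80 by remote address and separate them from half-open `SYN_RECV` entries, since a spoofed source can leave only the latter. The sample netstat lines are constructed; the threshold value is an assumption.

```python
import re
from collections import Counter

# Constructed sample of `netstat -tn` output, modelled on the situation in the
# post: many ESTABLISHED connections to local port 80 and nothing else notable.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51235      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51236      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.44:40001      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.45:40002      SYN_RECV
tcp        0      0 192.0.2.10:22           203.0.113.9:55555       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.46:40003      TIME_WAIT
"""

# One TCP line: proto, queues, local addr:port, foreign addr:port, state.
LINE_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)$")


def parse_netstat(text):
    """Yield (local_port, remote_ip, state) for each TCP connection line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(2)), m.group(3), m.group(5)


def connection_states(text, local_port=80):
    """Count connections to local_port by TCP state. A pile of SYN_RECV points
    to a (possibly spoofed) SYN flood; a pile of ESTABLISHED means peers that
    completed the handshake and are now holding Apache children."""
    return Counter(state for port, _, state in parse_netstat(text)
                   if port == local_port)


def established_by_remote(text, local_port=80):
    """Count ESTABLISHED connections to local_port per remote address."""
    counts = Counter()
    for port, remote, state in parse_netstat(text):
        if port == local_port and state == "ESTABLISHED":
            counts[remote] += 1
    return counts


def flag_sources(counts, per_ip_threshold=3):
    """Remote addresses holding at least per_ip_threshold connections,
    busiest first (threshold is an assumed, site-specific value)."""
    return [ip for ip, n in counts.most_common() if n >= per_ip_threshold]
```

On a live box, feed the output of `netstat -tn` into `established_by_remote` instead of the constructed sample.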
