27 Oct 2005, 17:08
Another suggestion...

"I don't think that works out. Whenever I might send a FIN - what prevents my Apache from being attacked from the same bot after seconds again?"

You mentioned that it is happening from the same bot(s) again and again... Am I wrong? If you are able to produce a list using netstat and output it into a text file, you may then be able to narrow down networks from which the attack is originating. Afterwards, you can contact your upstream ISP and they will be more than happy to block the rogue traffic from reaching your network. They are quite happy to work with folks on things such as this as very often the traffic also affects others that they host services for by simply 'busying' things up with useless traffic...

good luck!!!

>>> Syv Ritch <suse@911networks.com> 10/27/05 12:51 PM >>>

media Formel4 wrote:
> - Is it possible with spoofed IP numbers to establish connections to
> port 80? As far as I know you should get stuck after "SYN".
> I'm asking that, because tracing back the IPs in question I find very
> often unrouted areas and non-reachable (but maybe firewalled) IPs.
>
> Also I found a group of 300 IPs coming from an american company network.
> I contacted them and they stated too, that those IPs were not in use and
> not routed right now...
>
> - How can I secure this server and/or stop this attack?

I think that you are looking at the wrong point. Preventing a DDOS is not the job of the web server, but the job of the router/firewall.

"Real routers/firewalls" will deal easily with these problems.

- No spoofing of IPs through validation where the packet comes from...
- No fragmented packets
- Limit the number of open/unfinished connections...

Cisco Pix 501, 515... depending on size and volumes
Cisco 1811...

Not cheap but when configured properly, guaranteed to work.
--
Thanks
http://www.911networks.com
When the network has to work
Cisco/Microsoft
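The netstat suggestion at the top of this message, sketched as an added example that is not part of the original thread: it groups connections to port 80 by remote /24 and TCP state, so networks holding many half-open (`SYN_RECV`) connections stand out in a report for the upstream ISP. It assumes the Linux `netstat -ant` column layout; the function names and the sample output are constructed for illustration.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample of `netstat -ant` output (documentation address ranges only).
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:40112      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.9:40113      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.200:1025     ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.4:50022       ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.5:51000 SYN_RECV
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
"""

def split_endpoint(endpoint):
    """Split 'addr:port' on the last colon so IPv6 addresses stay intact."""
    addr, _, port = endpoint.rpartition(":")
    return addr, port

def summarize(netstat_text, local_port="80", prefix_len=24):
    """Return [(network, Counter(state -> count))], busiest network first."""
    per_net = defaultdict(Counter)
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 6 or not fields[0].startswith("tcp"):
            continue  # banner, column header, or a non-TCP socket
        _, lport = split_endpoint(fields[3])
        raddr, rport = split_endpoint(fields[4])
        if lport != local_port or rport == "*":
            continue  # other services and listening sockets
        try:
            ip = ipaddress.ip_address(raddr)
        except ValueError:
            continue  # unparsable address column
        if ip.version == 6 and ip.ipv4_mapped:
            ip = ip.ipv4_mapped  # tcp6 sockets report IPv4 peers as ::ffff:a.b.c.d
        if ip.version != 4:
            continue  # this sketch only aggregates IPv4 peers
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        per_net[str(net)][fields[5]] += 1
    return sorted(per_net.items(), key=lambda kv: -sum(kv[1].values()))

if __name__ == "__main__":
    for net, states in summarize(SAMPLE):
        print(net, dict(states))
```

To use it on a live host, pass the contents of the text file produced by `netstat -ant` to `summarize()` in place of `SAMPLE`.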