Hi all,

Please bear with me as I have just started to gather entropy on this thread. As a first step I find it useful to organize thoughts to bridge the gaps between each helping mind around this issue. So...

1) The attack

As far as I can tell the attack is characterized by invalid connections to TCP/IP port 80 with diffusely distributed origin (DDoS). Those connections are eating up computational resources (read: file descriptors), rendering the server unusable by legitimate users. Connections eat up resources for a fixed time whenever a new connection is established by the attacker.

2) Defense

The practical defensive strategy is blocking the attacker before the bad guy hits the server process (on the webserver or ISP). Reducing the timeout is considered impractical since dynamic pages which need interaction with databases would be impacted. The attacker is also using distributed computational resources, which leads to the belief that reducing the timeout would only shorten the attack loop. Hypothetically the origin IPs could be spoofed (unlikely if the 3-way handshake is being completed). As the attack is not sending any data, making a signature is very hard. The attack has been mitigated by blocking IPs that have more than 5 connections whenever resources reach maximum usage (MaxClients).

3) Weapons

The attacker is potentially using compromised machines over the internet, where zombies are constantly firing attacks toward the victim. Defensive weaponry includes firewalling, proxying or adding software layers (mods) in front of the server process in order to identify traffic as offending or legitimate with the smallest false-positive and false-negative ratio.

A few questions that it would be wise to ask the victim:

Q1: Do you suspect someone that might be interested in being that evil, and unfairly taking you out of business?

Q2: Can you provide an attack sample (namely a tcpdump file) for investigative purposes by this community? (It is advisable that you tamper with any sensitive information.)

Q3: Can you spot some kind of pattern in the offending traffic? Could this raise the possibility of making a signature for the attack?

Some initial research brought these to the surface, which might be of some use:

http://lists.suse.com/archive/suse-security/2003-Aug/0222.html
http://dominia.org/djao/limitipconn.html
http://lists.suse.com/archive/suse-security/2003-Aug/0230.html
http://www.gotroot.com/tiki-index.php?page=Which+mod_security+rules
http://www.modsecurity.org/documentation/overview.html

Peace,
HLM

On Thursday 27 October 2005 12:23, media Formel4 wrote:
Hi list,
sorry for the double-post, but my thread opener was in reply to another post, which confuses the mailing list structure...
####################################################################
Hi list,
right now we're experiencing a (for me) very uncommon DDoS attack against one of our webservers. Looking with netstat we find hundreds of established connections to our Apache webserver, but nothing in the logs - which means the attacker opens up a connection (not only a SYN request as in SYN flood attacks) and then blocks the Apache child until it hits timeout. This attack comes from thousands of IP numbers (bots?) all over the world.
Question is:
- Is it possible with spoofed IP numbers to establish connections to port 80? As far as I know you should get stuck after "SYN". I'm asking that because, tracing back the IPs in question, I very often find unrouted areas and non-reachable (but maybe firewalled) IPs.
Also, I found a group of 300 IPs coming from an American company network. I contacted them and they stated, too, that those IPs were not in use and not routed right now...
- How can I secure this server and/or stop this attack?
Thanks,
Ralf Koch
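The mitigation HLM describes (flag a peer once it holds more than 5 established connections to port 80) can be checked directly against `netstat -nt` output. The script below is an added example, not code from either poster; the netstat lines are constructed sample data, and the threshold is a parameter so it can be matched to the server's MaxClients policy.

```python
from collections import Counter

# Constructed sample of `netstat -nt` output (not real traffic): one peer holds
# six ESTABLISHED sessions to the web server, the others are below threshold
# or are not in the ESTABLISHED state at all.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51235      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51236      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51237      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51238      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51239      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.42:40001      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.42:40002      SYN_RECV
tcp        0      0 192.0.2.10:22           203.0.113.9:55000       ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.200:6000     TIME_WAIT
"""

def established_per_peer(netstat_text, local_port=80):
    """Count ESTABLISHED connections to local_port, keyed by remote IP.

    Only fully established sessions are counted: those are the ones that hold
    an Apache child (and a file descriptor) until the timeout, as described in
    the thread. SYN_RECV and TIME_WAIT entries do not occupy a child.
    """
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # header lines and non-TCP rows
        local, remote, state = fields[3], fields[4], fields[5]
        # rsplit on the last colon handles IPv6 peers as well as IPv4.
        _, lport = local.rsplit(":", 1)
        rip, _ = remote.rsplit(":", 1)
        if state == "ESTABLISHED" and lport == str(local_port):
            counts[rip] += 1
    return counts

def offenders(counts, max_per_ip=5):
    """Peers holding more than max_per_ip established sessions, busiest first."""
    return sorted((ip for ip, n in counts.items() if n > max_per_ip),
                  key=lambda ip: counts[ip], reverse=True)

if __name__ == "__main__":
    counts = established_per_peer(SAMPLE_NETSTAT)
    for ip in offenders(counts):
        print(f"{ip}: {counts[ip]} established connections to port 80")
```

Review the list before feeding it to a firewall rule: a single address holding many sessions may be a NAT gateway or proxy in front of legitimate users, which is exactly the false-positive case HLM's point 3 warns about.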