Hi all, first of all thanks for all your suggestions.

Today (day 3 of the attack) we decided to switch IPs - which was not the best choice at all. Right after changing the nameservers too, we had to find out that the DDoS had now split up. We now faced two DDoS attacks. One was still whacking the old IP (on which we set up a honeypot for further investigations), while the second one attacked the new IP, simply following the DNS change.

Due to customer complaints we decided to ask our upstream provider to close all IP traffic to the new IP number except the traffic coming from local peerings, which decreased the attack to a level the server can handle easily. Sure, it is no longer available to the whole internet, but since the content is mainly interesting for local surfers it is not such a big loss.

The attack is still going on and we have counted >18,000 IP numbers in the meantime, coming from all over the world. Right now scanners are tracing all that kind of traffic, which is an interesting new step in DDoS attacks because it is beyond SYN flooding. The attacker definitely uses spoofed IP numbers because many of them are not routable - but it doesn't seem to be a compromised router, because in that case it would have to be the one closest to our network. And that one is still in service while the attack was reduced (not stopped) by closing a lot of transit traffic.

So still one question is left open: How can the attacker instantiate an ESTABLISHED connection while using spoofed IPs?

When I get some more information out of our trackings, I will inform you...

Thanks, Ralf Koch

Roland Kuhn wrote:
Hi!
On 27 Oct 2005, at 21:42, media Formel4 wrote:
I do have the resources - but I'm running out of options for how to use them to fight back against the attackers.
The list of blocked IPs reached 10,000 in the meantime...
I'd recommend writing a small connection proxy program which listens on port 80, takes the connections and forwards only the requests which come in to Apache (running on a different port). You'd run into the 1024 file descriptor limit, but then you can always reap the oldest 'empty' connection as soon as you reach 1000. It should work as long as the rate of these empty connection openings is not in the kHz range ;-)
But, alas, no time to code it up right now. :-(
Ciao, Roland
-- TU Muenchen, Physik-Department E18, James-Franck-Str. 85747 Garching, Phone 089/289-12592; Fax 089/289-12570
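The proxy Roland sketches, as an added example (my own Python, not Roland's code, which he says he never wrote): accept on the public port, hold each connection in an oldest-first table until it sends its first request bytes, reap the oldest silent one whenever the table is full, and only then open a connection to Apache. The listen port 8080, the backend 127.0.0.1:8081, the limit of 1000 pending connections and the 10 s first-byte timeout are assumptions standing in for the post's port 80, relocated Apache and "reach 1000".

```python
import asyncio
from collections import OrderedDict

LISTEN_PORT = 8080             # assumption: stands in for the post's port 80
BACKEND = ("127.0.0.1", 8081)  # assumption: Apache moved to a different port
MAX_PENDING = 1000             # reap the oldest empty connection once this many wait
FIRST_BYTE_TIMEOUT = 10.0      # assumption: seconds a client may sit silent after connecting

class PendingTable:
    """Accepted connections that have not yet sent a request, oldest first."""
    def __init__(self, limit):
        self.limit = limit
        self.pending = OrderedDict()  # key -> None; insertion order is age
    def add(self, key):
        """Register an idle connection; return the oldest one to reap, if any."""
        evicted = self.pending.popitem(last=False)[0] if len(self.pending) >= self.limit else None
        self.pending[key] = None
        return evicted
    def remove(self, key):
        self.pending.pop(key, None)

PENDING = PendingTable(MAX_PENDING)

async def pipe(src, dst):
    try:                              # copy one way until EOF, then close the sink
        while data := await src.read(65536):
            dst.write(data)
            await dst.drain()
    finally:
        dst.close()
async def handle_client(reader, writer):
    evicted = PENDING.add(writer)
    if evicted is not None:
        evicted.close()               # reap the oldest connection that never sent a byte
    try:
        first = await asyncio.wait_for(reader.read(65536), FIRST_BYTE_TIMEOUT)
    except asyncio.TimeoutError:
        first = b""
    PENDING.remove(writer)
    if not first:                     # empty connection: drop it, Apache never sees it
        writer.close()
        return
    b_reader, b_writer = await asyncio.open_connection(*BACKEND)
    b_writer.write(first)             # hand over the request bytes already received
    await b_writer.drain()
    await asyncio.gather(pipe(reader, b_writer), pipe(b_reader, writer))
async def main():
    await (await asyncio.start_server(handle_client, "0.0.0.0", LISTEN_PORT)).serve_forever()
if __name__ == "__main__":
    asyncio.run(main())
```

Closing an evicted writer makes its own handler's pending read return EOF, so it falls through the "empty connection" branch and cleans itself up; raise the process's file descriptor limit above MAX_PENDING plus the backend connections you expect to hold.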