Re: [suse-security] Under DDoS Attack
Hello!
http://www.nuclearelephant.com/projects/mod_evasive/
You may try this when you get a chance... It very well may help prevent it from happening in the future...
Let me know how it goes...
tele2win
media Formel4 <info@formel4.de> 10/27/05 11:40 AM >>>
Markus Roth schrieb:
media Formel4 wrote:
Question is:
- Is it possible with spoofed IP numbers to establish connections to port 80? As far as I know you should get stuck after "SYN". I'm asking that, because tracing back the IPs in question I find very often unrouted areas and non-reachable (but maybe firewalled) IPs.
i would say no (else the school was pretty useless ;-)
"There are more things in heaven and earth, Horatio, than are dreamt of in your philosophy." Maybe you can send a spoofed SYN followed by a (or a dozen?) spoofed ACK where you "guess" the correct seq_num/ack_num? I'm not sure if this is not possible...
- How can I secure this server and/or stop this attack?
this attack is very mean and it succeeds almost always (even if you just do it from a single attacking machine). i would do a search on google, there are definitely others who were under the same sort of attack.
All ideas they produce are something like "Change the IP" - which is IMHO not a good solution, because not everything on that server is hostname driven...
just some thoughts about how it could be possible to protect (at least a bit). maybe it's possible to let netfilter's connection tracking do the work for you. if you got it installed on your machine just enable it (by writing a simple rule, something like "iptables -A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT") and then set the size of the connection table to some small number (check google how to do it). the idea behind it is, that i assume (i didn't try it or investigate it!!) that the connection tracking will always drop the connection that was inactive the longest and so the connections that send something should be kept alive and the "just open" sessions would be dropped. if you set the number to 100 or something, the backend httpd process should be protected (maybe). but take care that connection tracking doesn't lock you out as it is used on all connections (not just the one you write a rule for)
That might be worth a thought. Right now I've got a script running checking the web server and when MaxClients is reached for more than 20 seconds, all IPs are collected and every IP that was more than 5 times in that collection gets blocked. I've got now a list of more than 4700 IPs blocked and the attack is still going on...
good luck
Thanks, guess I need it...
Ralf Koch
--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
Timothy Hall wrote:
Hello!
http://www.nuclearelephant.com/projects/mod_evasive/
You may try this when you get a chance... It very well may help prevent it from happening in the future...
if i remember it right, this just works when actual request are sent, which is not the case. bad luck
Let me know how it goes...
tele2win
media Formel4 <info@formel4.de> 10/27/05 11:40 AM >>>
Markus Roth schrieb:
media Formel4 wrote:
Question is:
- Is it possible with spoofed IP numbers to establish connections to port 80? As far as I know you should get stuck after "SYN". I'm asking that, because tracing back the IPs in question I find very often unrouted areas and non-reachable (but maybe firewalled) IPs.
i would say no (else the school was pretty useless ;-)
"There are more things in heaven and earth, Horatio, than are dreamt of in your philosophy."
Maybe you can send a spoofed SYN followed by a (or a dozen?) spoofed ACK where you "guess" the correct seq_num/ack_num? I'm not sure if this is not possible...
- How can I secure this server and/or stop this attack?
this attack is very mean and it succeeds almost always (even if you just do it from a single attacking machine). i would do a search on google, there are definitely others who were under the same sort of attack.
All ideas they produce are something like "Change the IP" - which is IMHO not a good solution, because not everything on that server is hostname driven...
just some thoughts about how it could be possible to protect (at least a bit). maybe it's possible to let netfilter's connection tracking do the work for you. if you got it installed on your machine just enable it (by writing a simple rule, something like "iptables -A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT") and then set the size of the connection table to some small number (check google how to do it). the idea behind it is, that i assume (i didn't try it or investigate it!!) that the connection tracking will always drop the connection that was inactive the longest and so the connections that send something should be kept alive and the "just open" sessions would be dropped. if you set the number to 100 or something, the backend httpd process should be protected (maybe). but take care that connection tracking doesn't lock you out as it is used on all connections (not just the one you write a rule for)
That might be worth a thought. Right now I've got a script running checking the web server and when MaxClients is reached for more than 20 seconds, all IPs are collected and every IP that was more than 5 times in that collection gets blocked. I've got now a list of more than 4700 IPs blocked and the attack is still going on...
good luck
Thanks, guess I need it...
Ralf Koch
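The blocking logic Ralf Koch describes (sample the server's port-80 connections while Apache sits at MaxClients for more than 20 seconds, collect the source IPs, block every IP seen more than 5 times), written out as an added example. This is not Ralf's script or anything posted in the thread: the netstat-style connection records, the MaxClients observations, the RFC 5737 addresses and the never-block list are all constructed here, and the 20-second and 5-hit thresholds are parameters defaulting to the values from his message. The never-block check is there because of Markus's lockout warning: an admin's own address should never end up in the drop list.

```python
"""Added example: per-IP threshold blocking as described in the thread.

Constructed input, not data from the suse-security thread.
"""
from collections import Counter
from ipaddress import ip_address, ip_network


def netstat_lines(peer_counts, local="192.0.2.10:80"):
    """Construct `netstat -tn`-style lines: each (ip, n) yields n connections."""
    lines, port = [], 40000
    for ip, n in peer_counts:
        for _ in range(n):
            port += 1
            lines.append(f"tcp        0      0 {local}   {ip}:{port}   SYN_RECV")
    return lines


# Three constructed samples taken while the server reported MaxClients reached.
# 203.0.113.x are the heavy hitters, 198.51.100.7 is a light client,
# 10.0.0.2 stands in for an administrator on the internal network.
SAMPLES = [
    netstat_lines([("203.0.113.5", 3), ("203.0.113.9", 2), ("198.51.100.7", 1), ("10.0.0.2", 3)]),
    netstat_lines([("203.0.113.5", 3), ("203.0.113.9", 2), ("198.51.100.7", 1), ("10.0.0.2", 2)]),
    netstat_lines([("203.0.113.5", 3), ("203.0.113.9", 2), ("198.51.100.7", 1), ("10.0.0.2", 2)]),
]

# Constructed (seconds, maxclients_reached) observations from the web server.
OBSERVATIONS = [(0, True), (10, True), (25, True)]

# Networks that must never be blocked, so the script cannot lock the admin out.
NEVER_BLOCK = [ip_network("10.0.0.0/8"), ip_network("127.0.0.0/8")]


def peer_ip(line):
    """Return the foreign IP of one netstat line, or None if it is not a TCP record."""
    fields = line.split()
    if len(fields) < 5 or fields[0] not in ("tcp", "tcp6"):
        return None
    host, _, _port = fields[4].rpartition(":")
    try:
        return str(ip_address(host))
    except ValueError:
        return None


def saturated_for(observations, seconds=20):
    """True if the trailing run of MaxClients-reached observations spans >= seconds."""
    if not observations:
        return False
    start = None
    for t, reached in observations:
        if reached:
            if start is None:
                start = t
        else:
            start = None  # run broken, start over
    return start is not None and observations[-1][0] - start >= seconds


def tally(samples):
    """Count every connection per source IP across all samples (the 'collection')."""
    counts = Counter()
    for lines in samples:
        for line in lines:
            ip = peer_ip(line)
            if ip is not None:
                counts[ip] += 1
    return counts


def select_block(counts, threshold=5, never_block=NEVER_BLOCK):
    """IPs seen more than `threshold` times, minus anything in the never-block list."""
    blocked = []
    for ip, n in counts.items():
        if n <= threshold:
            continue
        addr = ip_address(ip)
        if any(addr in net for net in never_block):
            continue
        blocked.append(ip)
    return sorted(blocked, key=ip_address)


def iptables_rules(ips):
    """One DROP rule per IP, restricted to the attacked port."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 80 -j DROP" for ip in ips]


def run(samples=SAMPLES, observations=OBSERVATIONS):
    """Full pass: only act if MaxClients has been saturated long enough."""
    if not saturated_for(observations):
        return []
    return iptables_rules(select_block(tally(samples)))


if __name__ == "__main__":
    for rule in run():
        print(rule)
```

Two things this makes visible. The never-block filter keeps 10.0.0.2 out of the drop list even though it crossed the threshold, which is exactly the lockout Markus warns about. And the list only ever grows: with the unrouted and unreachable sources Ralf reports, each new spoofed address costs another rule, which is how a block list reaches 4700 entries while the attack carries on.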
participants (2)
- Markus Roth
- Timothy Hall