Hello,

I'm recently under heavy attack from an l33t hax0r kiddie. He's using lots of proxies to access my banner exchange (I mean real lots - hundreds and hundreds) - he was able to add new hosts faster than I was able to lock them out with ipchains (like 10 hosts/min or so). So it ended with me changing the input policy to DENY and setting ACCEPT only for Lithuanian ISPs (about 40 major subnets). But that's not a solution, because the system is now locked from outside Lithuania. However, that kiddie started abusing my exchange from his real IP (the biggest ISP's dial-up service). I cannot lock out this ISP because I would lock out 10,000 users as well. So I'm forced to monitor what's happening all the time and lock him out once in a while, or server load will jump from 0.4 to 10.00 on my P-III 1GHz host. I cannot do anything in a legal way, because we don't have anything in our law system against "l33t hax0rs"; besides that, the ISP has terrible support and a monopoly, so it will probably not even bother to respond to my requests.

My question would be: is there a tool which could run with Apache to automatically lock a host out for some time if it tries to access the system more than 10 times per minute or so? Could anybody pass me an idea how to fight against such attacks?

On the other hand, I remember someone once said that he has a "legal request to ISP against hackers" or so... some nice warning text to send to an ISP on detection of intrusion or DoS. Could you please refer me to it?

Sorry for my broken English. Hope you got the matter.

P.S. Host running SuSE 7.1 with 2.2.x kernel

Thanks
--
Best regards,
Gediminas Grigas
Techninis direktorius, UAB "Dizaino kryptis"
A.Jaksto 9-233, Vilnius, Lietuva 2001
Tel.: (2)226036; (86) 55362  Fax.: (2)627986
mailto:gedas@kryptis.lt
My question would be: is there a tool which could run with Apache to automatically lock a host out for some time if it tries to access the system more than 10 times per minute or so?

iptables (from Linux 2.4.x) supports something like that. Although it is designed to prevent logs from getting filled, it can also be used to prevent DoS attacks. I'm sorry, but I can't remember the name of the option right now :-(

You should also use a separate machine as a firewall (if somehow possible); this would give you a better chance to prevent a DoS, because the web server wouldn't get so much load.

P.S. Host running SuSE 7.1 with 2.2.x kernel

I hope you have already updated to 2.2.19 :-)

bye
Markus
--
Markus Gaugusch  ICQ 11374583  markus@gaugusch.dhs.org
ASCII Ribbon Campaign Against HTML Mail
On 15-May-01 Markus Gaugusch wrote:
iptables (from Linux 2.4.x) supports something like that. Although it is designed to prevent logs from getting filled, it can also be used to prevent DoS attacks. I'm sorry, but I can't remember the name of the option right now :-(
I think Markus was thinking of iptables -m limit --limit x/s --limit-burst y --syn ... .

That's a way to limit SYNs (or --state NEW?), but I think it limits SYNs in general and not only from one host, so it would block regular connections too if that limit is exceeded.

Or is there any possibility to make a rule that says "limit the SYNs from one host but accept them from others"?
Bjoern Engels
LANWORKS AG
---------------------------------------------
E-Mail: Bjoern Engels
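The per-host lock-out Gediminas asked for (more than 10 hits a minute locks the host out for a while) and the per-host rather than global limit Bjoern asks about, written up as an added user-space example in Python; this is not code from the thread. It assumes Apache common-log lines, uses a constructed sample log, and returns the ipchains rule a 2.2 kernel would need instead of running it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Client IP and bracketed timestamp at the start of an Apache common/combined log line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

class HostLimiter:
    """Per-host sliding window (hypothetical tool): a client that exceeds `threshold`
    requests within `window` seconds is locked out for `lock_seconds`, then forgotten."""
    def __init__(self, threshold=10, window=60, lock_seconds=600):
        self.threshold = threshold
        self.window = timedelta(seconds=window)
        self.lock = timedelta(seconds=lock_seconds)
        self.hits = defaultdict(deque)   # ip -> request timestamps inside the window
        self.locked_until = {}           # ip -> datetime at which the lock expires

    def observe(self, line):
        """Feed one access-log line. Returns the IP if this line triggered a lock, else None."""
        m = LOG_RE.match(line)
        if not m:
            return None                  # not a request line we understand
        ip, ts = m.group(1), datetime.strptime(m.group(2), TS_FMT)
        if self.locked_until.get(ip, ts) > ts:
            return None                  # still locked; nothing new to do
        self.locked_until.pop(ip, None)  # lock expired (or never existed): count again
        q = self.hits[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()                  # slide the window forward
        if len(q) > self.threshold:
            self.locked_until[ip] = ts + self.lock
            q.clear()                    # drop per-host state (the memory cost Rick Green notes)
            return ip
        return None

def lock_command(ip):
    return f"ipchains -I input -s {ip} -j DENY"   # 2.2-kernel rule; returned as text, not run

def scan(lines, **limits):
    limiter = HostLimiter(**limits)      # run a whole log through one limiter
    return [ip for ip in map(limiter.observe, lines) if ip]   # hosts locked, in order

def _line(ip, sec, path):                # one constructed common-log line at 10:00:sec
    return f'{ip} - - [15/May/2001:10:00:{sec:02d} +0200] "GET {path} HTTP/1.0" 200 512'
# Constructed sample: 12 hits in 33 s from one client, 3 ordinary hits from another.
SAMPLE_LOG = [_line("192.0.2.10", s, "/banner.cgi") for s in range(0, 36, 3)] + \
             [_line("192.0.2.20", s, "/index.html") for s in range(0, 60, 20)]
LOCKS = [lock_command(ip) for ip in scan(SAMPLE_LOG)]   # -> one rule, for 192.0.2.10
```

Feeding `tail -f` of the access log into `observe` line by line gives the automatic lock-out the thread asks for; the lock expires on its own, so the rule list does not grow without bound.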
On Tue, 15 May 2001, Bjoern Engels wrote:
I think Markus was thinking of iptables -m limit --limit x/s --limit-burst y --syn ... .

That's a way to limit SYNs (or --state NEW?), but I think it limits SYNs in general and not only from one host, so it would block regular connections too if that limit is exceeded. Or is there any possibility to make a rule that says "limit the SYNs from one host but accept them from others"?
Iptables gives us more flexibility in defining filter rules, and the ability to base those rules on recent traffic, making them dynamic rather than static. This, however, opens us to another possible DoS, since it takes memory to store the state information, so by spoofing many IP addresses, the attacker can eat up your memory. Memory is finite, and even before it is exhausted, performance is degraded simply by lengthening the list of filters which must be tested.

--
Rick Green
"Every problem we face, was once seen as the solution to an earlier problem"
On 14-May-01 Gediminas Grigas [home] wrote:
Hello,
I'm recently under heavy attack from an l33t hax0r kiddie. He's using lots of proxies to access my banner exchange (I mean real lots - hundreds and hundreds) - he was able to add new hosts faster than I was able to lock them out with ipchains (like 10 hosts/min or so). [...] However, that kiddie started abusing my exchange from his real IP (the biggest ISP's dial-up service). I cannot lock out this ISP because I would lock out 10,000 users as well. So I'm forced to monitor what's happening all the time and lock him out once in a while, or server load will jump from 0.4 to 10.00 on my P-III 1GHz host. [...] Could anybody pass me an idea how to fight against such attacks? On the other hand, I remember someone once said that he has a "legal request to ISP against hackers" or so... some nice warning text to send to an ISP on detection of intrusion or DoS. Could you please refer me to it?
If your ISP really is so reluctant to help you fight against DoS attacks, you should first review the ISP's user policy and look for paragraphs covering unacceptable user behaviour (spam, cracking, warez, etc.). If such paragraphs exist (and I hardly believe they don't), note them down and use them in your complaints to your ISP.

Next, you should set up some kind of intrusion detection/monitoring/sniffing tool to record the DoS attempts in detail (time and type of attack, IP address, etc.). You may find tcpdump (http://www.tcpdump.org), sniffit (http://sniffit.rug.ac.be/sniffit/sniffit.html) or snort (http://www.snort.org) useful for this. Most of these tools come with decent documentation, so it should not be too difficult to set them up and use them.

Then go and collect data on the incidents which give you trouble, compile it decently (e.g. get rid of non-attack entries) and send it to your ISP, together with a request for investigation. If your ISP does not answer your request, try to find the upstream provider for this ISP and direct your complaints to them (use the usual facilities like whois or some popular online-tool websites (like http://www.samspade.org) to find them).

Finally, take a look at http://www.cert.org/tech_tips/incident_reporting.html, at the incident forum at http://www.whitehats.com or at http://www.securityportal.com/cover/coverstory20000515.html for more information about incident handling and proper response.

Good luck.

[...]
---
Boris Lorenz