RE: [suse-security] wildcard for reverse proxy via apache ?

Dörfler Andreas

27 Oct 2005 27 Oct '05

06:25

hi there, of corse i tried that, its basic ;), but it doesnt work greetings andy --free your mind, use open source http://www.mono-project.com ASCII ribbon campaign ( ) - against HTML email X & vCards / \

...

-----Original Message----- From: Alexander.Kessinger@HelvetiaPatria.ch [mailto:Alexander.Kessinger@... Sent: Tuesday, October 25, 2005 12:05 PM To: Dörfler Andreas Cc: suse-security@suse.com Subject: RE: [suse-security] wildcard for reverse proxy via apache ?

Yes sure, stupid :%~ Then you certainly have tried do work with the asterisk after the / ?

e.g. ProxyPass /* http://111.111.111.111/ ProxyPassReverse /* http://111.111.111.111/ ProxyPass /www/* http://111.111.111.111/ ProxyPassReverse /www/* http://111.111.111.111/

Greetz Alex

Show replies by date

media Formel4

27 Oct 27 Oct

13:20

New subject: Under DDoS Attack...

Hi list, right now we're experiencing a (for me) very uncommon DDoS attack against one of our webservers. Looking with netstat we find hundreds of established connections to our Apache webserver, but nothing in the logs - which means the attacker opens up a connection (not only a SYN request as in SYN flood attacks) and then blocks the Apache child until it hits timeout. This attack comes from thousands of IP numbers (bots?) all over the world. Question is: - Is it possible with spoofed IP numbers to establish connections to port 80? As far as I know you should get stuck after "SYN". - How can I secure this server and/or stop this attack? Thanks, Ralf Koch

Randall R Schulz

14:00

New subject: [suse-security] Under DDoS Attack...

Ralf, You should not use your mail client's "reply" function to start a new topic thread. On Thursday 27 October 2005 06:20, media Formel4 wrote:

...

Hi list,

right now we're experiencing a (for me) very uncommon DDoS attack against one of our webservers. Looking with netstat we find hundreds of established connections to our Apache webserver, but nothing in the logs - which means the attacker opens up a connection (not only a SYN request as in SYN flood attacks) and then blocks the Apache child until it hits timeout. This attack comes from thousands of IP numbers (bots?) all over the world.

Question is:

- Is it possible with spoofed IP numbers to establish connections to port 80? As far as I know you should get stuck after "SYN".

Spoofing IPs probably isn't required. You could try running traceroutes on several of the remote IPs. You'll probably find they're in different places. Nowadays there are black-hats out there who command compromised armies of always- or often-on hosts on high-speed Internet connections. When it suits their whim or their plan, they can enlist them to perform such a DDoS attack (or distributed attack).

...

- How can I secure this server and/or stop this attack?

Lower the Apache timeout?

...

Thanks,

Ralf Koch

Randall Schulz

media Formel4

14:10

New subject: [suse-security] Under DDoS Attack...

Randall R Schulz schrieb:

...

Ralf,

You should not use your mail client's "reply" function to start a new topic thread.

Wooops - sorry, my bad :-(

...

On Thursday 27 October 2005 06:20, media Formel4 wrote:

...
Hi list,

right now we're experiencing a (for me) very uncommon DDoS attack against one of our webservers. Looking with netstat we find hundreds of established connections to our Apache webserver, but nothing in the logs - which means the attacker opens up a connection (not only a SYN request as in SYN flood attacks) and then blocks the Apache child until it hits timeout. This attack comes from thousands of IP numbers (bots?) all over the world.

Question is:

- Is it possible with spoofed IP numbers to establish connections to port 80? As far as I know you should get stuck after "SYN".

Spoofing IPs probably isn't required. You could try running traceroutes on several of the remote IPs. You'll probably find they're in different places.

Nowadays there are black-hats out there who command compromised armies of always- or often-on hosts on high-speed Internet connections. When it suits their whim or their plan, they can enlist them to perform such a DDoS attack (or distributed attack).

That's what I thought too - but trying to trace back the IPs in question I find very often unrouted areas and non-reachable (but maybe firewalled) IPs The reason I mentioned that question is that I found a group of 300 IPs coming from an american company network. I contacted them and they stated too, that those IPs were not in use and not routed right now...

...

...
- How can I secure this server and/or stop this attack?

Lower the Apache timeout?

Which will lead into a lot of problems for all running scripts needing more than x seconds to fetch data from databases and creating the output. After restarting the webserver it takes from 15 seconds to 90 seconds to reach MaxClients... Ralf Koch

suse＠karsites.net

15:41

New subject: [suse-security] Under DDoS Attack...

Check this link out. http://www.grc.com/dos/drdos.htm If you can identify the IP addresses where the bad packets are coming from, you may be able to contact your ISP, tell them what is happening, and ask them to program their routers to stop the bad packets getting to your part of the network. HTH - Keith Roberts On Thu, 27 Oct 2005, media Formel4 wrote:

...

To: suse-security@suse.com From: media Formel4 Subject: [suse-security] Under DDoS Attack...

Hi list,

right now we're experiencing a (for me) very uncommon DDoS attack against one of our webservers. Looking with netstat we find hundreds of established connections to our Apache webserver, but nothing in the logs - which means the attacker opens up a connection (not only a SYN request as in SYN flood attacks) and then blocks the Apache child until it hits timeout. This attack comes from thousands of IP numbers (bots?) all over the world.

Question is:

- Is it possible with spoofed IP numbers to establish connections to port 80? As far as I know you should get stuck after "SYN".

- How can I secure this server and/or stop this attack?

Thanks,

Ralf Koch

-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here

6757

Age (days ago)

6757

Last active (days ago)

List overview

Download

4 comments

4 participants

participants (4)

Dörfler Andreas
media Formel4
Randall R Schulz
suse＠karsites.net