Mailinglist Archive: opensuse-security (232 mails)

Re: [suse-security] Under DDoS Attack
  • From: "Timothy Hall" <admin@xxxxxxxxxxxx>
  • Date: Thu, 27 Oct 2005 13:08:50 -0400
  • Message-id: <s360d178.034@xxxxxxxxxxxxxxxxxxxxxx>
Another suggestion...

"I don't think that works out. Whenever I might send a FIN - what
prevents my Apache from being attacked from the same bot after seconds
again?"

You mentioned that it is happening from the same bot(s) again and again...
Am I wrong?

If you are able to produce a list using netstat and output it into a
text file, you may then be able to narrow down networks from which the
attack is originating. Afterwards, you can contact your upstream ISP
and they will be more than happy to block the rogue traffic from
reaching your network. They are quite happy to work with folks on
things such as this as very often the traffic also affects others that
they host services for by simply 'busying' things up with useless
traffic...

good luck!!!


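The netstat-to-network roll-up described above, as an added example (it is not code from Timothy Hall's message). It reads `netstat -ant` output from a file named on the command line, or a constructed sample embedded in the script when no file is given, keeps only the connections to local port 80 that cost the server something (SYN_RECV and ESTABLISHED) and counts them per source address, per /24 and per /16. The sample lines and the RFC 5737 addresses in them are made up for the example.

```shell
#!/bin/sh
# Added example, not part of the original post: aggregate the peers of the
# connections currently hitting port 80 (from `netstat -ant` output) into
# /24 and /16 networks, so the noisiest networks can be reported to the
# upstream ISP for blocking, as the reply suggests.
#
# Live use:   netstat -ant > conns.txt; sh ddos_sources.sh conns.txt
# With no file argument the constructed sample below is used, so the script
# also runs offline.  The sample mimics Linux `netstat -ant` output and uses
# the RFC 5737 documentation ranges; the addresses are not real attackers.
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51240      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.9:40001      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.130:33000    SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.44:60001      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.44:60002      TIME_WAIT
tcp        0      0 192.0.2.10:22           203.0.113.5:50000       ESTABLISHED'

# Print the foreign IPv4 address of every connection to local port 80 that
# is costing the server resources: SYN_RECV (half-open) or ESTABLISHED.
# LISTEN, TIME_WAIT and other local ports are skipped.
port80_peers() {
    awk '$1 == "tcp" && $4 ~ /:80$/ && ($6 == "ESTABLISHED" || $6 == "SYN_RECV") {
             split($5, f, ":"); print f[1]
         }'
}

# Collapse addresses on stdin to /24 or /16 prefixes (argument: 24 or 16)
# and count them, busiest network first, as "count prefix" lines.
count_by_prefix() {
    awk -F. -v bits="$1" '
        bits == 24 { print $1 "." $2 "." $3 ".0/24" }
        bits == 16 { print $1 "." $2 ".0.0/16" }' \
    | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Busiest network of the given prefix length in the sample, as "count prefix".
top_network() {
    printf '%s\n' "$SAMPLE" | port80_peers | count_by_prefix "$1" | head -n 1
}

# Full report for netstat output on stdin: per-address counts, then /24 and
# /16 roll-ups.  The input is spooled to a temp file so it can be read thrice.
report() {
    tmp=$(mktemp) || return 1
    cat > "$tmp"
    echo "== connections per source address =="
    port80_peers < "$tmp" | sort | uniq -c | sort -rn
    echo "== per /24 =="
    port80_peers < "$tmp" | count_by_prefix 24
    echo "== per /16 =="
    port80_peers < "$tmp" | count_by_prefix 16
    rm -f "$tmp"
}

if [ -n "${1:-}" ]; then
    report < "$1"
else
    printf '%s\n' "$SAMPLE" | report
fi
```

One caveat when reading the result: the SYN_RECV entries carry whatever source address the attacker put in the SYN, so they may be forged (which is exactly the "unrouted areas" the original poster saw). The ESTABLISHED entries completed the three-way handshake, so those addresses really did receive the SYN/ACK; that is the part of the list an upstream ISP can act on with confidence.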

>>> Syv Ritch <suse@xxxxxxxxxxxxxxx> 10/27/05 12:51 PM >>>
media Formel4 wrote:
> - Is it possible with spoofed IP numbers to establish connections to
> port 80? As far as I know you should get stuck after "SYN".
> I'm asking that, because tracing back the IPs in question I find very
> often unrouted areas and non-reachable (but maybe firewalled) IPs.
>
> Also I found a group of 300 IPs coming from an American company network.
> I contacted them and they stated too, that those IPs were not in use and
> not routed right now...
>
> - How can I secure this server and/or stop this attack?

I think that you are looking at the wrong point. Preventing a DDoS is
not the job of the web server, but the job of the
router/firewall. "Real routers/firewalls" will deal easily with
these problems.

- No spoofing of IPs, through validation of where the packet comes
from...
- No fragmented packets
- Limit the number of open/unfinished connections...

Cisco Pix 501, 515... depending on size and volumes
Cisco 1811...

Not cheap but when configured properly, guaranteed to work.

--
Thanks
http://www.911networks.com
When the network has to work Cisco/Microsoft
