Mailinglist Archive: opensuse-security (232 mails)

Re: [suse-security] Under DDoS Attack
  • From: "Timothy Hall" <admin@xxxxxxxxxxxx>
  • Date: Thu, 27 Oct 2005 12:08:28 -0400
  • Message-id: <s360c351.031@xxxxxxxxxxxxxxxxxxxxxx>
Owie...

>>> Markus Roth <mroth@xxxxxxxxxx> 10/27/05 12:07 PM >>>
Timothy Hall wrote:

>Hello!
>
>http://www.nuclearelephant.com/projects/mod_evasive/
>
>You may try this when you get a chance... It very well may help prevent
>it from happening in the future...
>
if i remember it right, this just works when actual requests are sent,
which is not the case.

bad luck

>Let me know how it goes...
>
>tele2win
>
>>>>media Formel4 <info@xxxxxxxxxx> 10/27/05 11:40 AM >>>
>Markus Roth wrote:
>
>>media Formel4 wrote:
>>
>>>Question is:
>>>
>>>- Is it possible with spoofed IP numbers to establish connections to
>>>port 80? As far as I know you should get stuck after "SYN".
>>>I'm asking that, because tracing back the IPs in question I find
>>>very often unrouted areas and non-reachable (but maybe firewalled) IPs.
>>>
>>i would say no (else the school was pretty useless ;-)
>>
>"There are more things in heaven and earth, Horatio, than are dreamt of
>in your philosophy."
>
>Maybe you can send a spoofed SYN followed by a (or a dozen?) spoofed ACK
>where you "guess" the correct seq_num/ack_num? I'm not sure if this is
>not possible...
>
>>>- How can I secure this server and/or stop this attack?
>>>
>>this attack is very mean and it succeeds almost always (even if you just
>>do it from a single attacking machine).
>>i would do a search on google, there are definitely others who were
>>under the same sort of attack.
>>
>All ideas they produce are something like "Change the IP" - which is IMHO
>not a good solution, because not everything on that server is hostname
>driven...
>
>>just some thoughts about how it could be possible to protect (at least a
>>bit). maybe it's possible to let netfilter's connection tracking do the
>>work for you. if you got it installed on your machine just enable it (by
>>writing a simple rule, something like "iptables -A INPUT -p tcp --dport
>>80 --state NEW,ESTABLISHED -j ACCEPT") and then set the size of the
>>connection table to some small number (check google how to do it). the
>>idea behind it is, that i assume (i didn't try it or investigate
>>it!!) that the connection tracking will always drop the connection that
>>was the longest non-active and so the connections that send something
>>should be kept alive and the "just open" sessions would be dropped. if
>>you set the number to 100 or something, the backend httpd process should
>>be protected (maybe). but take care that connection tracking doesn't
>>lock you out as it is used on all connections (not just the one you write
>>a rule for)
>>
>That might be worth a thought. Right now I've got a script running
>checking the web server and when MaxClients is reached for more than 20
>seconds, all IPs are collected and every IP that was more than 5 times
>in that collection gets blocked. I've got now a list of more than 4700
>IPs blocked and the attack is still going on...
>
>>good luck
>>
>Thanks, guess I need it...
>
>Ralf Koch
>



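An added example, not code from any of the posters and not Ralf's actual script: a minimal version of the approach he describes (sample the web server while MaxClients is saturated, collect the peer addresses, block any address that turns up more than five times). The `netstat -ant` dumps, the MaxClients value of 4 and the threshold are all constructed for the example, and the addresses come from the documentation ranges.

```python
#!/usr/bin/env python3
"""Added example, not code from the thread: a minimal version of the
"collect source IPs while MaxClients is saturated, block repeat offenders"
script Ralf describes. The netstat samples, MaxClients value and threshold
are all constructed for the example."""
import re
from collections import Counter

MAX_CLIENTS = 4   # assumed Apache MaxClients for the sample server
THRESHOLD = 5     # an IP seen more than this often in saturated samples gets blocked

# One line per socket in `netstat -ant` layout; the regex keeps only sockets
# whose local port is 80 and captures the peer address and TCP state.
# The LISTEN socket never matches because its foreign port is '*'.
LINE_RE = re.compile(
    r'^tcp6?\s+\d+\s+\d+\s+\S+:80\s+(\S+):\d+\s+([A-Z_]+)\s*$', re.M)


def _snapshot(rows):
    """Build a constructed `netstat -ant` dump from (peer_ip, peer_port, state) rows."""
    head = ("Proto Recv-Q Send-Q Local Address           Foreign Address         State\n"
            "tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN\n"
            "tcp        0      0 192.0.2.10:22           198.51.100.7:51500      ESTABLISHED\n")
    return head + "".join(
        "tcp        0      0 192.0.2.10:80           %-23s %s\n" % ("%s:%d" % (ip, port), st)
        for ip, port, st in rows)


def _attack_rows(n):
    """Sample n during the attack: 203.0.113.5 holds three established sockets,
    198.51.100.7 is an ordinary visitor, 203.0.113.9 only ever shows up half-open."""
    return [("203.0.113.5", 40000 + 3 * n + k, "ESTABLISHED") for k in range(3)] + [
        ("198.51.100.7", 51000 + n, "ESTABLISHED"),
        ("203.0.113.9", 1024 + 2 * n, "SYN_RECV"),
        ("203.0.113.9", 1025 + 2 * n, "SYN_RECV")]


# Constructed samples: three taken while the server is saturated, then one
# after the load dropped below MaxClients.
SNAPSHOTS = [_snapshot(_attack_rows(n)) for n in range(3)] + [
    _snapshot([("198.51.100.7", 51003, "ESTABLISHED"),
               ("203.0.113.5", 40010, "ESTABLISHED")])]


def port80_peers(snapshot):
    """(peer_ip, state) for every socket on local port 80 in one netstat dump."""
    return LINE_RE.findall(snapshot)


def saturated(snapshot, max_clients=MAX_CLIENTS):
    """True when as many port-80 sockets are ESTABLISHED as Apache has worker slots."""
    return sum(1 for _, st in port80_peers(snapshot) if st == "ESTABLISHED") >= max_clients


def tally(snapshots, count_states=("ESTABLISHED",), max_clients=MAX_CLIENTS):
    """Count peer IPs over the samples taken while the server was saturated.

    Only ESTABLISHED sockets count by default: a SYN_RECV entry's source
    address can be spoofed, so counting it blocks whoever was impersonated."""
    counts = Counter()
    for snap in snapshots:
        if not saturated(snap, max_clients):
            continue
        counts.update(ip for ip, st in port80_peers(snap) if st in count_states)
    return counts


def offenders(counts, threshold=THRESHOLD):
    """Peers seen more than `threshold` times, sorted for stable output."""
    return sorted(ip for ip, n in counts.items() if n > threshold)


def drop_rules(ips):
    """The iptables commands an operator would run; printed here, not executed."""
    return ["iptables -I INPUT -s %s -p tcp --dport 80 -j DROP" % ip for ip in ips]


if __name__ == "__main__":
    for rule in drop_rules(offenders(tally(SNAPSHOTS))):
        print(rule)
```

With the default state filter only 203.0.113.5 is blocked; passing `count_states=("ESTABLISHED", "SYN_RECV")` also blocks 203.0.113.9, whose half-open entries may carry a spoofed source, which is the trade-off to keep in mind when a block list grows into the thousands while the attack continues. Two checks on the conntrack suggestion quoted above: the rule as written needs the match module loaded (`-m state --state NEW,ESTABLISHED`, or `-m conntrack --ctstate ...` on newer kernels) or iptables rejects `--state`, and the table size is the `nf_conntrack_max` (older kernels: `ip_conntrack_max`) sysctl, which applies to every tracked connection on the box, not just port 80.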