Mailinglist Archive: opensuse-security (232 mails)

Re: [suse-security] Under DDoS Attack
  • From: "Timothy Hall" <admin@xxxxxxxxxxxx>
  • Date: Thu, 27 Oct 2005 12:01:39 -0400
  • Message-id: <s360c1c4.028@xxxxxxxxxxxxxxxxxxxxxx>
Hello!

http://www.nuclearelephant.com/projects/mod_evasive/

You may try this when you get a chance... It very well may help prevent
it from happening in the future...

Let me know how it goes...

tele2win

>>> media Formel4 <info@xxxxxxxxxx> 10/27/05 11:40 AM >>>
Markus Roth schrieb:
> media Formel4 wrote:
>
>> Question is:
>>
>> - Is it possible with spoofed IP numbers to establish connections to
>> port 80? As far as I know you should get stuck after "SYN".
>> I'm asking that, because tracing back the IPs in question I find
>> very often unrouted areas and non-reachable (but maybe firewalled) IPs.
>
>
> i would say no (else the school was pretty useless ;-)

"There are more things in heaven and earth, Horatio, than are dreamt of
in your philosophy."

Maybe you can send a spoofed SYN followed by a (or a dozen?) spoofed ACK
where you "guess" the correct seq_num/ack_num? I'm not sure if this is
not possible...

>
>>
>> - How can I secure this server and/or stop this attack?
>
>
> this attack is very mean and it succeeds almost always (even if you just
> do it from a single attacking machine).
> i would do a search on google, there are definitively others who were
> under the same sort of attack.

All ideas they produce are something like "Change the IP" - which is IMHO
not a good solution, because not everything on that server is hostname
driven...

>
> just some thoughts about how it could be possible to protect (at least a
> bit). maybe it's possible to let netfilters connection tracking do the
> work for you. if you got it installed on your machine just enable it (by
> writing a simple rule, something like "iptables -A INPUT -p tcp --dport
> 80 --state NEW,ESTABLISHED -j ACCEPT") and then set the size of the
> connection table to some small number (check google how to do it). the
> idea behind it is, that i assume (i didn't try it or investigated in
> it!!) that the connection tracking will always drop the connection that
> was the longest non active and so the connections that send something
> should be kept alive and the "just open" sessions would be dropped. if
> you set the number to 100 or something, the backend httpd process should
> be protected (maybe). but take care that connection tracking doesn't
> lock you out as it is used on all connection (not just the one you write
> a rule for)

That might be worth a thought. Right now I've got a script running
checking the web server and when MaxClients is reached for more than 20
seconds, all IPs are collected and every IP that was more than 5 times
in that collection gets blocked. I've got now a list of more than 4700
IPs blocked and the attack is still going on...

> good luck

Thanks, guess I need it...

Ralf Koch

--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here
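The per-IP blocking heuristic Ralf describes in the quoted mail (block an address once it shows up more than 5 times in the connection tables collected while Apache has sat at MaxClients for more than 20 seconds) is written out below as an added example. It is not Ralf's script and not code from the list; the `netstat -ant`-style snapshots and the busy-worker samples are constructed for the example, and the function only builds the iptables commands rather than executing them.

```python
"""Threshold-based blocking of connection sources, as sketched in the thread.

Assumed inputs (constructed for this example, not taken from any server):
  * busy-worker samples as (seconds, busy_workers) pairs, e.g. from
    mod_status, compared against Apache's MaxClients
  * snapshots of the TCP table in the column layout of `netstat -ant`
    (Proto Recv-Q Send-Q Local-Address Foreign-Address State)
"""
import re
from collections import Counter

# Matches the data rows of `netstat -ant`; header lines do not match.
NETSTAT_LINE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>\S+)$"
)


def remote_ips_on_port(snapshot, port=80):
    """One entry per connection whose local side is `port`; half-open
    (SYN_RECV) entries count too, since those are what a flood produces."""
    ips = []
    for line in snapshot.splitlines():
        m = NETSTAT_LINE.match(line.strip())
        if not m:
            continue
        _, _, local_port = m.group("local").rpartition(":")
        if local_port != str(port):
            continue
        remote_ip, _, _ = m.group("remote").rpartition(":")
        ips.append(remote_ip)
    return ips


def saturated_run_seconds(samples, max_clients):
    """Longest uninterrupted stretch (in seconds) with busy >= MaxClients."""
    longest, run_start = 0, None
    for ts, busy in samples:
        if busy >= max_clients:
            if run_start is None:
                run_start = ts
            longest = max(longest, ts - run_start)
        else:
            run_start = None
    return longest


def ips_to_block(snapshots, min_hits=5, port=80):
    """Addresses seen more than `min_hits` times across all snapshots."""
    counts = Counter()
    for snap in snapshots:
        counts.update(remote_ips_on_port(snap, port))
    return sorted(ip for ip, n in counts.items() if n > min_hits)


def iptables_block_rules(ips, port=80):
    """Rule strings only; applying them is left to the operator."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP" for ip in ips]


def decide(samples, snapshots, max_clients, min_seconds=20, min_hits=5):
    """Return block rules when the server was saturated long enough, else []."""
    if saturated_run_seconds(samples, max_clients) < min_seconds:
        return []
    return iptables_block_rules(ips_to_block(snapshots, min_hits))


# Constructed sample data using documentation address ranges.
SAMPLE_SNAPSHOT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.1:80          192.0.2.10:51012        ESTABLISHED
tcp        0      0 203.0.113.1:80          192.0.2.10:51013        ESTABLISHED
tcp        0      0 203.0.113.1:80          192.0.2.10:51014        SYN_RECV
tcp        0      0 203.0.113.1:80          198.51.100.7:40001      ESTABLISHED
tcp        0      0 203.0.113.1:80          198.51.100.7:40002      ESTABLISHED
tcp        0      0 203.0.113.1:80          203.0.113.5:33000       ESTABLISHED
tcp        0      0 203.0.113.1:22          198.51.100.7:40003      ESTABLISHED
"""
# Three collections taken five seconds apart while the server was saturated.
SAMPLE_SNAPSHOTS = [SAMPLE_SNAPSHOT] * 3
# MaxClients 150 reached from t=0 to t=25, released at t=30.
SAMPLE_BUSY = [(0, 150), (5, 150), (10, 150), (15, 150), (20, 150), (25, 150), (30, 120)]

if __name__ == "__main__":
    for rule in decide(SAMPLE_BUSY, SAMPLE_SNAPSHOTS, max_clients=150):
        print(rule)
```

The run over the sample data blocks 192.0.2.10 (9 hits) and 198.51.100.7 (6 hits, the port-22 row is ignored) but not 203.0.113.5 (3 hits). The weakness Ralf reports, a block list of more than 4700 addresses with the attack still running, follows directly from the design: when the sources are spoofed or rotated, counting per address can only ever lag behind, which is why the conntrack-table idea and mod_evasive are raised in the thread as alternatives.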


