Mailinglist Archive: opensuse-security (232 mails)

Re: [suse-security] Under DDoS Attack...
  • From: Randall R Schulz <rschulz@xxxxxxxxx>
  • Date: Thu, 27 Oct 2005 07:00:01 -0700
  • Message-id: <200510270700.01568.rschulz@xxxxxxxxx>
Ralf,

You should not use your mail client's "reply" function to start a new
topic thread.


On Thursday 27 October 2005 06:20, media Formel4 wrote:
> Hi list,
>
> right now we're experiencing a (for me) very uncommon DDoS attack
> against one of our webservers. Looking with netstat we find hundreds
> of established connections to our Apache webserver, but nothing in
> the logs - which means the attacker opens up a connection (not only a
> SYN request as in SYN flood attacks) and then blocks the Apache child
> until it hits timeout. This attack comes from thousands of IP numbers
> (bots?) all over the world.
>
> Question is:
>
> - Is it possible with spoofed IP numbers to establish connections to
> port 80? As far as I know you should get stuck after "SYN".

Spoofing IPs probably isn't required. You could try running traceroutes
on several of the remote IPs. You'll probably find they're in different
places.

Nowadays there are black-hats out there who command compromised armies
of always- or often-on hosts on high-speed Internet connections. When
it suits their whim or their plan, they can enlist them to perform such
a DDoS attack (or distributed attack).


> - How can I secure this server and/or stop this attack?

Lower the Apache timeout?


> Thanks,
>
> Ralf Koch


Randall Schulz
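As an added triage example (not part of this thread or anyone's reply in it), the following Python parses `netstat -tn` output to count ESTABLISHED connections to port 80 per remote address and compare the total with Apache's worker limit, which is the symptom Ralf describes (many established connections, nothing in the access log). The netstat lines and the MaxClients value are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of `netstat -tn` output; not captured from any real host.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51002      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.44:40211      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.9:33120      SYN_RECV
tcp        0      0 192.0.2.10:22           203.0.113.5:55012       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.44:40212      ESTABLISHED
tcp        0      0 192.0.2.10:80           192.0.2.200:50123       TIME_WAIT
"""

# proto recv-q send-q local:port foreign:port state (IPv4 or IPv6 addresses)
LINE_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)")


def established_http_peers(netstat_text, port=80):
    """Return a Counter of remote addresses holding ESTABLISHED connections to `port`.

    SYN_RECV and TIME_WAIT entries are ignored: a SYN flood would show up as
    SYN_RECV, whereas the pattern in the thread is fully established sockets
    that never send a request and so never reach the access log.
    """
    peers = Counter()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or non-TCP entry
        _local, lport, raddr, _rport, state = m.groups()
        if int(lport) == port and state == "ESTABLISHED":
            peers[raddr] += 1
    return peers


def assess(peers, max_clients):
    """Summarise pool usage and how distributed the sources are.

    `max_clients` is the configured Apache worker limit (an assumed value here);
    a high distinct-source count with few connections each means per-IP
    blocking will not help much, while a pool near 100% means the server is
    effectively down for legitimate clients.
    """
    total = sum(peers.values())
    return {
        "established": total,
        "distinct_sources": len(peers),
        "pool_used_pct": round(100.0 * total / max_clients, 1),
        "top_sources": peers.most_common(3),
    }
```

Run it against live output with `netstat -tn` piped into `established_http_peers`; the `assess` figures are what you would watch while lowering `Timeout` as suggested above.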
