Mailinglist Archive: opensuse-security (232 mails)

Under DDoS Attack...
  • From: media Formel4 <info@xxxxxxxxxx>
  • Date: Thu, 27 Oct 2005 15:20:33 +0200
  • Message-id: <4360D421.2070005@xxxxxxxxxx>
Hi list,

right now we're experiencing a (for me) very uncommon DDoS attack against one of our webservers. Looking with netstat we find hundreds of established connections to our Apache webserver, but nothing in the logs - which means the attacker opens up a connection (not only a SYN request as in SYN flood attacks) and then blocks the Apache child until it hits timeout. This attack comes from thousands of IP numbers (bots?) all over the world.

Question is:

- Is it possible with spoofed IP numbers to establish connections to port 80? As far as I know you should get stuck after "SYN".

- How can I secure this server and/or stop this attack?

Thanks,

Ralf Koch
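
An added example, not part of the original post: one way to quantify the symptom described above (established connections to port 80 with nothing in the Apache log) is to compare `netstat -tn` output against the access log. The sample data, addresses (documentation ranges) and function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample of `netstat -tn` output.
NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:40112      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:40113      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.21:51234      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.99:33810      SYN_RECV
tcp        0      0 192.0.2.10:22           198.51.100.50:60022     ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.80:45000     ESTABLISHED
"""

# Constructed Apache access log (common log format).
ACCESS_LOG = """\
198.51.100.80 - - [27/Oct/2005:15:10:01 +0200] "GET / HTTP/1.1" 200 5120
"""

def established_clients(netstat_text, port=80):
    """Count ESTABLISHED TCP connections to local `port` per remote address."""
    counts = Counter()
    for line in netstat_text.splitlines():
        f = line.split()
        # Skip the header, non-TCP rows and half-open (SYN_RECV) entries.
        if len(f) < 6 or not f[0].startswith("tcp") or f[5] != "ESTABLISHED":
            continue
        if f[3].rsplit(":", 1)[-1] == str(port):
            counts[f[4].rsplit(":", 1)[0]] += 1
    return counts

def logged_clients(log_text):
    """Addresses that completed at least one logged request."""
    return {l.split()[0] for l in log_text.splitlines() if l.strip()}

def silent_clients(netstat_text, log_text, port=80):
    """Clients holding connections open with no logged request at all."""
    seen = logged_clients(log_text)
    held = established_clients(netstat_text, port)
    return {ip: n for ip, n in held.items() if ip not in seen}

if __name__ == "__main__":
    for ip, n in sorted(silent_clients(NETSTAT, ACCESS_LOG).items()):
        print(f"{ip}\t{n} established, no logged request")
```

An address can show up here briefly during a normal in-flight request, since Apache writes the log entry when the request completes, so compare several samples before acting on the result.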
