Cristian Rodríguez wrote:
Were you able to obtain some clue from the apache logs ?
Nothing in error_log. But in access_log I found that someone with the same IP as in a "Treason uncloaked" message was surfing on our website at the same time. The user agent there is "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11". Did the attacker check whether our website was already unreachable? :-) Or is it just someone with a broken router visiting our page?
The only solution I have found is blocking the IPs with a cron job that greps dmesg and then sets iptables rules.
I have added these iptables rules now:

    iptables -N syn-flood
    iptables -A INPUT -p tcp --dport 80 --syn -j syn-flood
    iptables -A syn-flood -m limit --limit 15/s --limit-burst 5 -j RETURN
    iptables -A syn-flood -m limit --limit 3/min --limit-burst 5 -j LOG --log-prefix 'SYN-FLOOD '
    iptables -A syn-flood -j DROP

It makes about 2000 lines in the log per day. It seems to help, because the problem with the many apache processes did not occur anymore. But I'm afraid that it filters too much.
If you know for sure that certain IPs are D.O.S'ing your systems, you should contact your ISP and the police to hunt them down.
Yes, they already informed the police. But I cannot really imagine that this will help in any way :-)

--
Carl Magnus Rosenbaum M.A.
Administration - Programming - Training
http://cmr.cx/
Tel: +49 89 70066626 Fax: +49 89 70066686 Mobil: +49 163 7006662
PGP Fingerprint: DEBC 3C99 EF1D 74F0 D4C7 EFF5 C268 3690 0EA1 7641
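As an added example (not code from this thread), here is a POSIX shell script that puts the two approaches discussed above side by side in dry-run form. The first part is the SYN-flood chain, but built with `-m hashlimit --hashlimit-mode srcip` instead of `-m limit`: `-m limit` keeps a single token bucket for every SYN arriving on port 80, so once a flooder has drained it, legitimate visitors' SYNs are dropped too, which is the kind of over-filtering a global limit produces; `hashlimit` keeps one bucket per source address. The second part is the cron-job idea of grepping "Treason uncloaked" lines out of dmesg and blocking the peers, with a minimum-occurrence threshold, since that kernel message is also triggered by broken middleboxes and not only by attacks. The sample dmesg lines, the thresholds, the chain and hashlimit names and the `IPT` variable are my assumptions; `IPT` defaults to `echo iptables`, so the script prints the rules it would apply instead of touching the firewall. The peer address format (`Peer A.B.C.D:port/port`) follows the kernel's "Treason uncloaked" printk.

```shell
#!/bin/sh
# Added example, not from the thread. Dry run by default: IPT is
# "echo iptables" unless the caller exports IPT=iptables (as root).
IPT="${IPT:-echo iptables}"

# (a) SYN rate limiting on port 80, per source address.
#     Rates and burst sizes are illustrative assumptions.
syn_flood_rules() {
    $IPT -N syn-flood
    $IPT -A INPUT -p tcp --dport 80 --syn -j syn-flood
    # One token bucket per source IP; a single flooder cannot drain
    # the bucket that other clients' SYNs are checked against.
    $IPT -A syn-flood -m hashlimit --hashlimit-name synflood \
        --hashlimit-mode srcip --hashlimit-upto 15/s \
        --hashlimit-burst 20 -j RETURN
    # Logging stays globally rate-limited so the log cannot be flooded.
    $IPT -A syn-flood -m limit --limit 3/min --limit-burst 5 \
        -j LOG --log-prefix 'SYN-FLOOD '
    $IPT -A syn-flood -j DROP
}

# (b) Peers from "Treason uncloaked" kernel messages.
# Constructed sample dmesg output (made up for this example).
SAMPLE_DMESG='[12345.678] TCP: Treason uncloaked! Peer 192.0.2.10:80/40231 shrinks window 1234:5678. Repaired.
[12346.001] eth0: link up
[12346.120] TCP: Treason uncloaked! Peer 192.0.2.10:80/40232 shrinks window 1234:5678. Repaired.
[12347.500] TCP: Treason uncloaked! Peer 198.51.100.7:80/51000 shrinks window 99:200. Repaired.
[12348.900] TCP: Treason uncloaked! Peer 192.0.2.10:80/40233 shrinks window 1234:5678. Repaired.'

# Read dmesg text on stdin; print each peer address seen at least $1
# times (default 1), one per line, sorted. The threshold filters out
# one-off "treason" messages caused by a broken router rather than a flood.
treason_peers() {
    min="${1:-1}"
    sed -n 's/.*Treason uncloaked! Peer \([0-9.][0-9.]*\):.*/\1/p' \
    | sort | uniq -c \
    | awk -v min="$min" '$1 >= min { print $2 }' \
    | sort
}

# Read addresses on stdin and emit one DROP rule per address at the top
# of INPUT. With a real IPT, run "iptables -C INPUT -s $ip -j DROP" first
# to avoid inserting the same rule on every cron run.
block_peers() {
    while read -r ip; do
        [ -n "$ip" ] || continue
        $IPT -I INPUT -s "$ip" -j DROP
    done
}

# Demonstration (prints rules in dry-run mode). A cron job would replace
# the sample with: dmesg | treason_peers 3 | block_peers
syn_flood_rules
printf '%s\n' "$SAMPLE_DMESG" | treason_peers 2 | block_peers
```

With the constructed sample, only 192.0.2.10 crosses a threshold of 2; 198.51.100.7 appears once and is left alone. Note that `dmesg` is a ring buffer, so a cron job that reads it repeatedly will see the same lines again; either check for an existing rule before inserting or read the kernel log through syslog with a timestamp cursor.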