From: Zhang Weiwu
Date: Sat, 24 Nov 2007 22:34:46 +0800
To: freebsd-questions@freebsd.org
Subject: how to fight concurrent connection DOS attack to FreeBSD ftpd?

Dear all,

I run an ftp site which is being attacked by someone who issues some 1000 concurrent connections for downloading as anonymous. How can I fight back?

The behaviour is like this: after '#/etc/rc.d/ftpd start', the number of ftpd processes goes to several thousand. ps told me they are all accessed from the same user.

I read the manual and found ftpd.conf(5) says /etc/ftpd.conf is the configuration file for ftpd(8). But creating /etc/ftpd.conf with "limit all 10" doesn't help (system behaviour the same); it seems ftpd ignored the configuration file. I worry whether ftpd.conf is REALLY the configuration of ftpd, because ftpd.conf is not mentioned in the ftpd(8) manual page. Usually the configuration file of a daemon is always mentioned in the daemon manual page.

If ftpd.conf is not the right manual page to read, can you suggest which configuration manual to read to fight back against this attack?

Thanks in advance!

Here is the diagnostic output 3 seconds after ftpd started:

[root@exupery /home/zhangweiwu]# ps ax | grep ftpd
2028 ?? Ss 0:00.06 /usr/libexec/ftpd -D -l8
2035 ?? D 0:01.63 ftpd: 222.16.60.67: anonymous/IEUser@: RETR 18_æ\M^]\M^Næ\M^V¯ç\M^I¹_浪漫æ¨
2043 ?? S 0:00.03 ftpd: 222.16.60.67: anonymous/IEUser@: QUIT \r\n (ftpd)
2044 ?? S 0:00.03 ftpd: 222.16.60.67: anonymous/IEUser@: QUIT \r\n (ftpd)
2045 ?? S 0:00.03 ftpd: 222.16.60.67: anonymous/IEUser@: QUIT \r\n (ftpd)
2048 ?? S 0:00.03 ftpd: 222.16.60.67: anonymous/IEUser@: QUIT \r\n (ftpd)
2049 ?? S 0:00.03 ftpd: 222.16.60.67: anonymous/IEUser@: QUIT \r\n (ftpd)
2050 ?? S 0:00.03 ftpd: 222.16.60.67: anonymous/IEUser@: QUIT \r\n (ftpd)
2051 ?? S 0:00.03 ftpd: 222.16.60.67: anonymous/IEUser@: QUIT \r\n (ftpd)
2052 ?? S 0:00.03 ftpd: 222.16.60.67: anonymous/IEUser@: QUIT \r\n (ftpd)
2053 ?? S 0:00.03 ftpd: 222.16.60.67: anonymous/IEUser@: QUIT \r\n (ftpd)
2055 ?? S 0:00.03 ftpd: 222.16.60.67: anonymous/IEUser@: QUIT \r\n (ftpd)
2057 ?? S 0:00.03 ftpd: 222.16.60.67: anonymous/IEUser@: QUIT \r\n (ftpd)
2059 ?? S 0:00.03 ftpd: 222.16.60.67: anonymous/IEUser@: QUIT \r\n (ftpd)
2063 ?? S 0:00.03 ftpd: 222.16.60.67: anonymous/IEUser@: QUIT \r\n (ftpd)
2065 ?? S 0:00.03 ftpd: 222.16.60.67: anonymous/IEUser@: QUIT \r\n (ftpd)
2069 ?? S 0:00.03 ftpd: 222.16.60.67: anonymous/IEUser@: QUIT \r\n (ftpd)
2070 ?? S 0:00.04 ftpd: 222.16.60.67: anonymous/IEUser@: QUIT \r\n (ftpd)
2071 ?? S 0:00.03 ftpd: 222.16.60.67: anonymous/IEUser@: QUIT \r\n (ftpd)
2072 ?? S 0:00.04 ftpd: 222.16.60.67: anonymous/IEUser@: QUIT \r\n (ftpd)
2074 ?? S 0:00.04 ftpd: 222.16.60.67: anonymous/IEUser@: QUIT \r\n (ftpd)
2077 ?? S 0:00.03 ftpd: 222.16.60.67: anonymous/IEUser@: QUIT \r\n (ftpd)
2080 ?? S 0:00.03 ftpd: 222.16.60.67: anonymous/IEUser@: RETR 18_æ\M^]\M^Næ\M^V¯ç\M^I¹_浪漫æ¨
2081 ?? R 0:00.03 ftpd: 222.16.60.67: anonymous/IEUser@: RETR 18_æ\M^]\M^Næ\M^V¯ç\M^I¹_浪漫æ¨
2084 ?? R 0:00.03 ftpd: 222.16.60.67: anonymous/IEUser@: RETR 18_æ\M^]\M^Næ\M^V¯ç\M^I¹_浪漫æ¨

-- 
Real Softservice
Huateng Tower, Unit 1788
Jia 302 3rd area of Jinsong, Chao Yang
Tel: +86 (10) 8773 0650 ext 603
Mobile: 135 9950 2413
http://www.realss.com
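
Added example, not part of the original message: a small sh/awk helper that tallies concurrent ftpd sessions per client address from "ps ax" text in the layout of the listing above, so a single source holding most of the sessions stands out during triage. The function names, the threshold argument and the sample lines (documentation addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example: tally ftpd sessions per client address from `ps ax` text.

# Constructed sample in the same layout as the listing in the message
# (documentation addresses, not real hosts).
sample_ps() {
cat <<'EOF'
 2028  ??  Ss     0:00.06 /usr/libexec/ftpd -D -l8
 2035  ??  D      0:01.63 ftpd: 192.0.2.10: anonymous/IEUser@: RETR file_a
 2043  ??  S      0:00.03 ftpd: 192.0.2.10: anonymous/IEUser@: QUIT \r\n (ftpd)
 2044  ??  S      0:00.03 ftpd: 192.0.2.10: anonymous/IEUser@: QUIT \r\n (ftpd)
 2045  ??  S      0:00.03 ftpd: 192.0.2.10: anonymous/IEUser@: QUIT \r\n (ftpd)
 2080  ??  R      0:00.03 ftpd: 192.0.2.10: anonymous/IEUser@: RETR file_a
 2090  ??  S      0:00.02 ftpd: 198.51.100.7: anonymous/guest@: LIST
 2101  p0  S+     0:00.00 grep ftpd
EOF
}

# Reads `ps ax` output on stdin and prints "address total retr quit other"
# for each client, busiest first. Only per-session titles of the form
# "ftpd: <address>: <user>: <command>" are counted, so the listening
# daemon and the grep process itself are skipped.
ftpd_sessions_by_source() {
    awk '
        $5 == "ftpd:" && $6 ~ /:$/ {
            addr = $6
            sub(/:$/, "", addr)          # drop the trailing colon only
            total[addr]++
            if ($8 == "RETR")      retr[addr]++
            else if ($8 == "QUIT") quit[addr]++
            else                   other[addr]++
        }
        END {
            for (a in total)
                printf "%s %d %d %d %d\n", a, total[a], retr[a], quit[a], other[a]
        }
    ' | sort -k2,2nr -k1,1
}

# Prints only the addresses holding more than $1 sessions at once.
ftpd_sources_over() {
    ftpd_sessions_by_source | awk -v limit="$1" '$2 > limit { print $1 }'
}

sample_ps | ftpd_sessions_by_source
```

On a live host the input would be piped in as "ps ax | ftpd_sources_over 10", with the limit chosen to suit the site.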