From: Jez Hancock
To: freebsd-questions@FreeBSD.org
Date: Fri, 5 Dec 2003 12:41:18 +0000
Subject: Re: ipfilter traffic blocking and tcpdump snort etc
Message-ID: <20031205124117.GA73137@users.munk.nu>
In-Reply-To: <200312051310.20404.freebsd-questions@webteckies.org>
References: <20031205002412.GA37507@users.munk.nu> <20031205.103353.985d01b49b9f3980.10.0.3.9@bugsgrief.net> <20031205105839.GC65445@users.munk.nu> <200312051310.20404.freebsd-questions@webteckies.org>
User-Agent: Mutt/1.4.1i

On Fri, Dec 05, 2003 at 01:10:16PM +0100, Melvyn Sopacua wrote:
> On Friday 05 December 2003 11:58, Jez Hancock wrote:
>
> > Let me rephrase that one :P I meant is there a method - for example
> > such as adding some kind of routing via arp - so that packets are
> > dropped on the floor even quicker than they would be via the firewall
> > method?
>
> You could bind the ip's to the loopback interface, but I think the firewall
> setup is quicker.

Interesting(!) idea but kind of does the DOS'ers job for 'em!

I'm really curious as to what type of attack it actually was. Right now I know:

- it was aimed at a single address on port 80

- global apache errorlog was relatively quiet in the run up to the exhaustion of apache with only a small hint that a larger number of requests were being made:

  [Thu Dec 4 18:47:46 2003] [info] server seems busy, (you may need to increase StartServers, or Min/MaxSpareServers), spawning 8 children, there are 0 idle, and 146 total children
  [Thu Dec 4 18:47:47 2003] [error] server reached MaxClients setting, consider raising the MaxClients setting
  [Thu Dec 4 18:52:34 2003] [notice] child pid 91863 exit signal Segmentation fault (11)
  [Fri Dec 5 00:13:04 2003] [notice] child pid 38280 exit signal Segmentation fault (11)
  [Fri Dec 5 01:35:52 2003] [info] server seems busy, (you may need to increase StartServers, or Min/MaxSpareServers), spawning 8 children, there are 0 idle, and 17 total children

  note the 5min gap between the server reaching the MaxClients setting and the server collapsing with no err log entries in between

- no HTTP requests were logged by apache from any of the dozen or so attacking hosts

- snort captured only SYN packets from the attacking hosts (I suppose this explains why no requests were logged by apache)

- all the attacking hosts had both port 25 and 80 open, although none of those hosts accepted inbound connections to those ports

Would appear someone had control over a few zombie hosts and was able to coordinate a distributed attack - thankfully it was only a dozen or so hosts :P

-- 
Jez Hancock - System Administrator / PHP Developer
http://munk.nu/
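The two observations in the message above (a quiet error_log that jumps from "server reached MaxClients" to child crashes a few minutes later, and a capture in which the offending hosts only ever sent SYNs) are the kind of thing an admin wants to pull out of logs automatically after the fact. The following is an added example, not code from the original thread or from any FreeBSD tool: it parses lines in the Apache error_log format quoted in the message, measures the gap between the MaxClients warning and the first child crash after it, and lists capture sources that sent several SYNs and nothing else. The log lines and packet records are constructed to mirror what the message describes; the addresses are from documentation ranges, and the threshold `min_syns` is an assumption.

```python
"""Added example: post-incident checks over Apache error_log lines and a
summarised packet capture. Sample data below is constructed, not taken
from the original machine."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample with the same shape as the error_log excerpt in the post.
SAMPLE_ERROR_LOG = """\
[Thu Dec 4 18:47:46 2003] [info] server seems busy, (you may need to increase StartServers, or Min/MaxSpareServers), spawning 8 children, there are 0 idle, and 146 total children
[Thu Dec 4 18:47:47 2003] [error] server reached MaxClients setting, consider raising the MaxClients setting
[Thu Dec 4 18:52:34 2003] [notice] child pid 91863 exit signal Segmentation fault (11)
[Fri Dec 5 00:13:04 2003] [notice] child pid 38280 exit signal Segmentation fault (11)
[Fri Dec 5 01:35:52 2003] [info] server seems busy, (you may need to increase StartServers, or Min/MaxSpareServers), spawning 8 children, there are 0 idle, and 17 total children
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
BUSY_RE = re.compile(r"there are (\d+) idle, and (\d+) total children")
SEGV_RE = re.compile(r"child pid (\d+) exit signal Segmentation fault")
TS_FMT = "%a %b %d %H:%M:%S %Y"


def parse_error_log(text):
    """Turn Apache 1.3-style error_log lines into event dicts.

    Each event carries a datetime, the log level, the raw message and a
    'kind' of busy / maxclients / segfault / other. Lines that are not in
    the bracketed format are skipped rather than raising."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Apache pads the day ("Dec  4"); collapsing whitespace handles both forms.
        ts = datetime.strptime(" ".join(m.group("ts").split()), TS_FMT)
        msg = m.group("msg")
        ev = {"ts": ts, "level": m.group("level"), "msg": msg, "kind": "other"}
        busy = BUSY_RE.search(msg)
        segv = SEGV_RE.search(msg)
        if "reached MaxClients" in msg:
            ev["kind"] = "maxclients"
        elif busy:
            ev["kind"] = "busy"
            ev["idle"] = int(busy.group(1))
            ev["total_children"] = int(busy.group(2))
        elif segv:
            ev["kind"] = "segfault"
            ev["pid"] = int(segv.group(1))
        events.append(ev)
    return events


def seconds_maxclients_to_first_segfault(events):
    """Seconds from the first MaxClients warning to the first child crash
    at or after it; None if either event is absent."""
    hit = next((e["ts"] for e in events if e["kind"] == "maxclients"), None)
    if hit is None:
        return None
    for e in events:
        if e["kind"] == "segfault" and e["ts"] >= hit:
            return int((e["ts"] - hit).total_seconds())
    return None


# Constructed capture summary as (source address, TCP flags in tcpdump
# notation: S=SYN, A=ACK, P=PSH). Documentation-range addresses only.
SAMPLE_PACKETS = [
    ("198.51.100.5", "S"), ("198.51.100.5", "S"), ("198.51.100.5", "S"),
    ("198.51.100.5", "S"),                       # SYNs only, never completes
    ("192.0.2.7", "S"), ("192.0.2.7", "A"), ("192.0.2.7", "PA"),  # real client
    ("203.0.113.9", "S"), ("203.0.113.9", "S"),  # too few SYNs to call
]


def syn_only_sources(packets, min_syns=3):
    """Sources that sent at least min_syns bare SYNs and no other segment,
    i.e. never finished a handshake (what snort saw in the post).
    min_syns is an assumed threshold; tune it to the site's traffic."""
    syns = defaultdict(int)
    other = defaultdict(int)
    for src, flags in packets:
        if flags == "S":
            syns[src] += 1
        else:
            other[src] += 1
    return {src for src, n in syns.items() if n >= min_syns and other[src] == 0}


if __name__ == "__main__":
    evs = parse_error_log(SAMPLE_ERROR_LOG)
    print("gap MaxClients -> first segfault:",
          seconds_maxclients_to_first_segfault(evs), "seconds")
    print("SYN-only sources:", sorted(syn_only_sources(SAMPLE_PACKETS)))
```

On the sample data the gap comes out at 287 seconds, matching the "5min gap" the message notes, and only the source that never sent anything but SYNs is reported. The SYN-only test is deliberately conservative: a host that later sends an ACK or data is excluded even if it also sent many SYNs, so ordinary retransmissions from a slow client do not get flagged.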