Date: Sat, 6 Dec 2003 00:01:09 +1100
From: "David" <dspezialie@fastmail.com.au>
To: "Jez Hancock" <jez.hancock@munk.nu>, <freebsd-questions@FreeBSD.org>
Subject: RE: ipfilter traffic blocking and tcpdump snort etc
Message-ID: <20031205130118.4F9FEA3@sandbox-rsmtp>
Maybe an upgrade of apache would be a good start? And have a look at mod_bandwidth <http://www.cohprog.com/mod_bandwidth.html> and mod_dosevasive <http://www.nuclearelephant.com/projects/dosevasive/>.

-david

> -----Original Message-----
> From: Jez Hancock [mailto:jez.hancock@munk.nu]
> Sent: Friday, 5 December 2003 23:41
> To: freebsd-questions@FreeBSD.org
> Subject: Re: ipfilter traffic blocking and tcpdump snort etc
>
>
> On Fri, Dec 05, 2003 at 01:10:16PM +0100, Melvyn Sopacua wrote:
> > On Friday 05 December 2003 11:58, Jez Hancock wrote:
> >
> > > Let me rephrase that one :P I meant is there a method - for example
> > > such as adding some kind of routing via arp - so that packets are
> > > dropped on the floor even quicker than they would be via the firewall
> > > method?
> >
> > You could bind the ip's to the loopback interface, but I think the firewall
> > setup is quicker.
> Interesting(!) idea but kind of does the DOS'ers job for 'em!
>
> I'm really curious as to what type of attack it actually was. Right now
> I know:
>
> - it was aimed at a single address on port 80
> - global apache errorlog was relatively quiet in the run up to the
> exhaustion of apache with only a small hint that a larger number of
> requests were being made:
>
> [Thu Dec 4 18:47:46 2003] [info] server seems busy, (you may need to increase StartServers, or Min/MaxSpareServers), spawning 8 children, there are 0 idle, and 146 total children
> [Thu Dec 4 18:47:47 2003] [error] server reached MaxClients setting, consider raising the MaxClients setting
> [Thu Dec 4 18:52:34 2003] [notice] child pid 91863 exit signal Segmentation fault (11)
> <snip same error log line repeated around 4,500 times!>
> [Fri Dec 5 00:13:04 2003] [notice] child pid 38280 exit signal Segmentation fault (11)
> [Fri Dec 5 01:35:52 2003] [info] server seems busy, (you may need to increase StartServers, or Min/MaxSpareServers), spawning 8 children, there are 0 idle, and 17 total children
>
> note the 5min gap between the server reaching the MaxClients setting
> and the server collapsing with no err log entries in between
>
> - no HTTP requests were logged by apache from any of the dozen or so
> attacking hosts
>
> - snort captured only SYN packets from the attacking hosts (I suppose
> this explains why no requests were logged by apache)
>
> - all the attacking hosts had both port 25 and 80 open, although none of
> those hosts accepted inbound connections to those ports
>
> Would appear someone had control over a few zombie hosts and was able to
> coordinate a distributed attack - thankfully it was only a dozen or so
> hosts :P
>
> --
> Jez Hancock
> - System Administrator / PHP Developer
>
> http://munk.nu/
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
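The quoted error-log excerpt is the one piece of evidence on the server itself: a "server seems busy" burst, the MaxClients error, a few minutes of silence, then thousands of child segfaults. The script below is an added example (not from the thread or either poster) that turns that sequence into a check a defender can run over an Apache 1.3 error log after the fact: it parses the timestamped lines, records when MaxClients was hit, counts the segfaults, and measures the gap between the two. The sample lines are constructed here in the same format as the quoted ones; the pids and the burst threshold are assumptions, and the script says nothing about the SYN-only pattern, which in the thread came from snort rather than from the error log.

```python
import re
from datetime import datetime

# Constructed sample lines, modelled on the Apache 1.3 error-log entries quoted
# in the thread (not the original log; the pids and the repeated segfault lines
# are made up here).
SAMPLE_LOG = """\
[Thu Dec  4 18:47:46 2003] [info] server seems busy, (you may need to increase StartServers, or Min/MaxSpareServers), spawning 8 children, there are 0 idle, and 146 total children
[Thu Dec  4 18:47:47 2003] [error] server reached MaxClients setting, consider raising the MaxClients setting
[Thu Dec  4 18:52:34 2003] [notice] child pid 91863 exit signal Segmentation fault (11)
[Thu Dec  4 18:52:35 2003] [notice] child pid 91864 exit signal Segmentation fault (11)
[Thu Dec  4 18:52:36 2003] [notice] child pid 91865 exit signal Segmentation fault (11)
[Fri Dec  5 01:35:52 2003] [info] server seems busy, (you may need to increase StartServers, or Min/MaxSpareServers), spawning 8 children, there are 0 idle, and 17 total children
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
BUSY_RE = re.compile(r"spawning (\d+) children, there are (\d+) idle, and (\d+) total children")
SEGV_RE = re.compile(r"child pid (\d+) exit signal Segmentation fault \(11\)")
MAXCLIENTS_MSG = "server reached MaxClients setting"


def parse_line(line):
    """Split one error-log line into (timestamp, level, message); None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Apache pads single-digit days with a space; collapse runs of whitespace first.
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("level"), m.group("msg")


def analyze(log_text, segv_burst_threshold=3):
    """Summarise the MaxClients -> segfault sequence described in the thread.

    segv_burst_threshold is an assumed cut-off for 'the server collapsed';
    tune it to the child count of the server being examined.
    """
    summary = {
        "busy_events": 0,
        "peak_total_children": 0,
        "maxclients_at": None,
        "first_segfault_at": None,
        "segfaults": 0,
        "gap_seconds": None,
        "collapse_suspected": False,
    }
    for parsed in map(parse_line, log_text.splitlines()):
        if parsed is None:
            continue  # blank or non-matching line, e.g. a "<snip>" marker
        ts, _level, msg = parsed
        if MAXCLIENTS_MSG in msg:
            if summary["maxclients_at"] is None:
                summary["maxclients_at"] = ts
        elif SEGV_RE.search(msg):
            summary["segfaults"] += 1
            if summary["first_segfault_at"] is None:
                summary["first_segfault_at"] = ts
        else:
            busy = BUSY_RE.search(msg)
            if busy:
                summary["busy_events"] += 1
                summary["peak_total_children"] = max(
                    summary["peak_total_children"], int(busy.group(3))
                )
    if summary["maxclients_at"] and summary["first_segfault_at"]:
        delta = summary["first_segfault_at"] - summary["maxclients_at"]
        summary["gap_seconds"] = int(delta.total_seconds())
    summary["collapse_suspected"] = (
        summary["maxclients_at"] is not None
        and summary["segfaults"] >= segv_burst_threshold
    )
    return summary


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample the gap comes out at 287 seconds, matching the "5min gap" Jez points out; on a real log the interesting part is the combination of a MaxClients error with no request-log entries from the sources, which is what distinguishes a connection-exhaustion attack from an ordinary traffic spike.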