Date: Sat, 6 Dec 2003 00:01:09 +1100
From: "David" <dspezialie@fastmail.com.au>
To: "Jez Hancock" <jez.hancock@munk.nu>, <freebsd-questions@FreeBSD.org>
Subject: RE: ipfilter traffic blocking and tcpdump snort etc
Message-ID: <20031205130118.4F9FEA3@sandbox-rsmtp>
Maybe an upgrade of apache would be a good start? And have a look at
mod_bandwidth <http://www.cohprog.com/mod_bandwidth.html> and
mod_dosevasive <http://www.nuclearelephant.com/projects/dosevasive/>.

-david

> -----Original Message-----
> From: Jez Hancock [mailto:jez.hancock@munk.nu]
> Sent: Friday, 5 December 2003 23:41
> To: freebsd-questions@FreeBSD.org
> Subject: Re: ipfilter traffic blocking and tcpdump snort etc
>
>
> On Fri, Dec 05, 2003 at 01:10:16PM +0100, Melvyn Sopacua wrote:
> > On Friday 05 December 2003 11:58, Jez Hancock wrote:
> >
> > > Let me rephrase that one :P I meant is there a method - for example
> > > such as adding some kind of routing via arp - so that packets are
> > > dropped on the floor even quicker than they would be via the firewall
> > > method?
> >
> > You could bind the ip's to the loopback interface, but I think the firewall
> > setup is quicker.
> Interesting(!) idea but kind of does the DoS'ers job for 'em!
>
> I'm really curious as to what type of attack it actually was.
> Right now I know:
>
> - it was aimed at a single address on port 80
>
> - global apache errorlog was relatively quiet in the run up to the
>   exhaustion of apache with only a small hint that a larger number of
>   requests were being made:
>
>   [Thu Dec 4 18:47:46 2003] [info] server seems busy, (you may
>   need to increase StartServers, or Min/MaxSpareServers),
>   spawning 8 children, there are 0 idle, and 146 total children
>   [Thu Dec 4 18:47:47 2003] [error] server reached MaxClients
>   setting, consider raising the MaxClients setting
>   [Thu Dec 4 18:52:34 2003] [notice] child pid 91863 exit
>   signal Segmentation fault (11)
>   <snip same error log line repeated around 4,500 times!>
>   [Fri Dec 5 00:13:04 2003] [notice] child pid 38280 exit
>   signal Segmentation fault (11)
>   [Fri Dec 5 01:35:52 2003] [info] server seems busy, (you may
>   need to increase StartServers, or Min/MaxSpareServers),
>   spawning 8 children, there are 0 idle, and 17 total children
>
>   note the 5min gap between the server reaching the MaxClients setting
>   and the server collapsing with no err log entries in between
>
> - no HTTP requests were logged by apache from any of the dozen or so
>   attacking hosts
>
> - snort captured only SYN packets from the attacking hosts (I suppose
>   this explains why no requests were logged by apache)
>
> - all the attacking hosts had both port 25 and 80 open, although none of
>   those hosts accepted inbound connections to those ports
>
> Would appear someone had control over a few zombie hosts and was able to
> coordinate a distributed attack - thankfully it was only a dozen or so
> hosts :P
>
> --
> Jez Hancock
>  - System Administrator / PHP Developer
>
> http://munk.nu/
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe@freebsd.org"
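The timeline Jez lists in the quoted message (server hits MaxClients, a quiet gap of a few minutes, then thousands of child segfaults) is worth pulling out of an Apache error_log automatically rather than by eye. The following is an added example, not code from this thread or from the Apache or FreeBSD projects: a small Python analyser run over Apache 1.3-style error_log lines. The sample lines are constructed for the example and modelled on the ones quoted above (the real log had around 4,500 segfault lines), and the 1-minute burst window and 15-minute saturation-to-crash bound are assumptions of the example, not values from the thread.

```python
"""Added example: extract the "MaxClients -> silence -> segfault storm"
timeline the post describes from an Apache 1.3-style error_log.

Assumptions: SAMPLE_LOG is constructed for this example (modelled on the
quoted lines); the timestamp format is the Apache 1.3 error_log default;
the burst window and the max_gap bound are arbitrary choices.
"""
import re
from datetime import datetime, timedelta

# Constructed sample, not the original log (the real one had ~4,500 segfault lines).
SAMPLE_LOG = """\
[Thu Dec  4 18:47:46 2003] [info] server seems busy, (you may need to increase StartServers, or Min/MaxSpareServers), spawning 8 children, there are 0 idle, and 146 total children
[Thu Dec  4 18:47:47 2003] [error] server reached MaxClients setting, consider raising the MaxClients setting
[Thu Dec  4 18:52:34 2003] [notice] child pid 91863 exit signal Segmentation fault (11)
[Thu Dec  4 18:52:35 2003] [notice] child pid 91864 exit signal Segmentation fault (11)
[Thu Dec  4 18:52:35 2003] [notice] child pid 91865 exit signal Segmentation fault (11)
[Fri Dec  5 00:13:04 2003] [notice] child pid 38280 exit signal Segmentation fault (11)
[Fri Dec  5 01:35:52 2003] [info] server seems busy, (you may need to increase StartServers, or Min/MaxSpareServers), spawning 8 children, there are 0 idle, and 17 total children
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
SEGV_RE = re.compile(r"child pid (\d+) exit signal Segmentation fault \(11\)")
BUSY_RE = re.compile(r"there are (\d+) idle, and (\d+) total children")


def parse_ts(raw):
    """Apache pads single-digit days with a space ("Dec  4"); collapse runs of
    whitespace so strptime sees a single separator."""
    return datetime.strptime(" ".join(raw.split()), "%a %b %d %H:%M:%S %Y")


def parse_log(text):
    """Return a list of (timestamp, level, message) for every well-formed line;
    lines that do not match the error_log shape (e.g. '<snip ...>') are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((parse_ts(m["ts"]), m["level"], m["msg"]))
    return events


def analyse(text, burst_window=timedelta(minutes=1)):
    """Extract the saturation -> silence -> crash timeline from an error_log."""
    report = {
        "maxclients_at": None,      # first "server reached MaxClients"
        "peak_children": 0,         # largest "total children" figure seen
        "first_segv_at": None,
        "gap_to_first_segv": None,  # silence between saturation and first crash
        "segv_total": 0,
        "max_segv_per_window": 0,   # densest burst of segfaults within burst_window
    }
    segv_times = []
    for ts, _level, msg in parse_log(text):
        if report["maxclients_at"] is None and "reached MaxClients" in msg:
            report["maxclients_at"] = ts
        busy = BUSY_RE.search(msg)
        if busy:
            report["peak_children"] = max(report["peak_children"], int(busy.group(2)))
        if SEGV_RE.search(msg):
            segv_times.append(ts)

    report["segv_total"] = len(segv_times)
    if segv_times:
        report["first_segv_at"] = segv_times[0]
        if report["maxclients_at"] is not None:
            report["gap_to_first_segv"] = segv_times[0] - report["maxclients_at"]
        # Sliding window over the chronological segfault timestamps.
        for i, start in enumerate(segv_times):
            n = sum(1 for t in segv_times[i:] if t - start <= burst_window)
            report["max_segv_per_window"] = max(report["max_segv_per_window"], n)
    return report


def looks_like_saturation_crash(report, max_gap=timedelta(minutes=15)):
    """True when MaxClients was hit and children started segfaulting shortly
    after, which is the shape the post describes. The 15-minute bound is an
    assumption for this example, not a value from the thread."""
    gap = report["gap_to_first_segv"]
    return gap is not None and timedelta(0) <= gap <= max_gap and report["segv_total"] > 0


if __name__ == "__main__":
    r = analyse(SAMPLE_LOG)
    for k, v in r.items():
        print(f"{k:>22}: {v}")
    print("saturation-then-crash pattern:", looks_like_saturation_crash(r))
```

Run it as-is against the sample, or replace SAMPLE_LOG with the contents of your own error_log. Note that this only shows what the post already says about the server side: the error_log records the symptom (process exhaustion followed by child crashes), not the cause, and the attacking hosts never appear in it because, as Jez observed, they only sent SYNs and never completed a request.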
