Date:      Sat, 6 Dec 2003 00:01:09 +1100
From:      "David" <dspezialie@fastmail.com.au>
To:        "Jez Hancock" <jez.hancock@munk.nu>, <freebsd-questions@FreeBSD.org>
Subject:   RE: ipfilter traffic blocking and tcpdump snort etc
Message-ID:  <20031205130118.4F9FEA3@sandbox-rsmtp>

Maybe an upgrade of apache would be a good start?  And have a look at
mod_bandwidth <http://www.cohprog.com/mod_bandwidth.html> and
mod_dosevasive <http://www.nuclearelephant.com/projects/dosevasive/>.

-david

> -----Original Message-----
> From: Jez Hancock [mailto:jez.hancock@munk.nu]
> Sent: Friday, 5 December 2003 23:41
> To: freebsd-questions@FreeBSD.org
> Subject: Re: ipfilter traffic blocking and tcpdump snort etc
>
>
> On Fri, Dec 05, 2003 at 01:10:16PM +0100, Melvyn Sopacua wrote:
> > On Friday 05 December 2003 11:58, Jez Hancock wrote:
> >
> > > Let me rephrase that one :P  I meant is there a method - for example
> > > such as adding some kind of routing via arp - so that packets are
> > > dropped on the floor even quicker than they would be via the firewall
> > > method?
> >
> > You could bind the IPs to the loopback interface, but I think the firewall
> > setup is quicker.
> Interesting(!) idea but kind of does the DOS'ers job for 'em!
>
> I'm really curious as to what type of attack it actually was.  Right now
> I know:
>
> - it was aimed at a single address on port 80
> - global apache errorlog was relatively quiet in the run up to the
>   exhaustion of apache with only a small hint that a larger number of
>   requests were being made:
>
> [Thu Dec  4 18:47:46 2003] [info] server seems busy, (you may need to increase StartServers, or Min/MaxSpareServers), spawning 8 children, there are 0 idle, and 146 total children
> [Thu Dec  4 18:47:47 2003] [error] server reached MaxClients setting, consider raising the MaxClients setting
> [Thu Dec  4 18:52:34 2003] [notice] child pid 91863 exit signal Segmentation fault (11)
> <snip same error log line repeated around 4,500 times!>
> [Fri Dec  5 00:13:04 2003] [notice] child pid 38280 exit signal Segmentation fault (11)
> [Fri Dec  5 01:35:52 2003] [info] server seems busy, (you may need to increase StartServers, or Min/MaxSpareServers), spawning 8 children, there are 0 idle, and 17 total children
>
>   note the 5 min gap between the server reaching the MaxClients setting
>   and the server collapsing with no err log entries in between
>
> - no HTTP requests were logged by apache from any of the dozen or so
>   attacking hosts
>
> - snort captured only SYN packets from the attacking hosts (I suppose
>   this explains why no requests were logged by apache)
>
> - all the attacking hosts had both port 25 and 80 open, although none of
>   those hosts accepted inbound connections to those ports
>
> Would appear someone had control over a few zombie hosts and was able to
> coordinate a distributed attack - thankfully it was only a dozen or so
> hosts :P
>
> --
> Jez Hancock
>  - System Administrator / PHP Developer
>
> http://munk.nu/
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe@freebsd.org"
>
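The pattern Jez describes (snort saw nothing but SYNs from the attacking hosts, apache never logged a request, and MaxClients filled up) is a half-open connection flood, and the question in the thread is how to turn that observation into ipfilter blocks. The script below is an added example, not code from either poster: it walks a capture in old-style tcpdump text output, counts, per source address, SYNs aimed at the web server that were never followed by an ACK from the same source, flags sources above a threshold, and prints matching `block in quick` rules. The capture lines, the target address 192.0.2.10, the attacker addresses in 203.0.113.0/24, the interface name fxp0 and the threshold of 10 are all constructed for the example.

```python
import re
from collections import defaultdict

# Target web server address used throughout the constructed sample (assumed).
TARGET = "192.0.2.10"

# Old-style tcpdump text line:  ts src.sport > dst.dport: FLAGS seq:seq(len) [ack N] win W
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>[SPFR.]+) (?P<rest>.*)$"
)


def parse_line(line):
    """Return a dict for one tcpdump line, or None if it is not a TCP line we understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["syn"] = "S" in d["flags"]
    # tcpdump prints "ack N" in the remainder whenever the ACK bit is set.
    d["ack"] = " ack " in f" {d['rest']} "
    return d


def summarize(lines, target_ip, target_port=80):
    """Per source address: pure SYNs sent to the target port, ACK-bearing packets, and source ports used."""
    stats = defaultdict(lambda: {"syn": 0, "ack": 0, "ports": set()})
    for line in lines:
        p = parse_line(line)
        if p is None or p["dst"] != target_ip or int(p["dport"]) != target_port:
            continue  # replies from the server and traffic to other ports are ignored
        s = stats[p["src"]]
        if p["syn"] and not p["ack"]:
            s["syn"] += 1
            s["ports"].add(int(p["sport"]))
        elif p["ack"]:
            s["ack"] += 1  # any ACK from the client means at least one handshake completed
    return stats


def find_syn_only_sources(stats, min_syns=10):
    """Sources that sent at least min_syns SYNs and never completed a handshake."""
    return sorted(src for src, s in stats.items() if s["syn"] >= min_syns and s["ack"] == 0)


def ipf_block_rules(sources, iface="fxp0", target_port=80):
    """ipfilter rules dropping further connection attempts from the flagged sources."""
    return [
        f"block in quick on {iface} proto tcp from {src}/32 to any port = {target_port}"
        for src in sources
    ]


def _attack_lines(src, count, start_port=1025):
    # Constructed flood traffic: one pure SYN per line from an incrementing source port.
    return [
        f"18:52:{i % 60:02d}.{i:06d} {src}.{start_port + i} > {TARGET}.80: S {i + 1}:{i + 1}(0) win 16384"
        for i in range(count)
    ]


# Constructed sample capture (not the poster's snort data): one legitimate client that
# completes the handshake and sends a request, one packet to port 25 that must be ignored,
# two flooding hosts, and one low-volume host that stays below the threshold.
SAMPLE_CAPTURE = [
    f"18:47:40.000100 198.51.100.7.3321 > {TARGET}.80: S 100:100(0) win 65535",
    f"18:47:40.000200 {TARGET}.80 > 198.51.100.7.3321: S 500:500(0) ack 101 win 65535",
    f"18:47:40.000300 198.51.100.7.3321 > {TARGET}.80: . ack 501 win 65535",
    f"18:47:40.001000 198.51.100.7.3321 > {TARGET}.80: P 101:180(79) ack 501 win 65535",
    f"18:47:41.000000 198.51.100.7.3322 > {TARGET}.25: S 200:200(0) win 65535",
] + _attack_lines("203.0.113.5", 12) + _attack_lines("203.0.113.9", 12) + _attack_lines("203.0.113.20", 2)


if __name__ == "__main__":
    stats = summarize(SAMPLE_CAPTURE, TARGET)
    for src in sorted(stats):
        s = stats[src]
        print(f"{src:15s} syn={s['syn']:3d} ack={s['ack']:3d} distinct source ports={len(s['ports'])}")
    for rule in ipf_block_rules(find_syn_only_sources(stats)):
        print(rule)
```

The `ack == 0` test is what separates a flood from a busy but honest client, since a host that never answers the server's SYN-ACK never intended to speak HTTP; it will also catch a client whose path to the server is broken, so the threshold and a time window are worth tuning before the rules are loaded with `ipf -f`. Blocking at ipfilter stops the SYNs from reaching the listen queue, but as Melvyn's reply notes it is still cheaper than routing the addresses to loopback, which would take the server's own address off the wire.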



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20031205130118.4F9FEA3>