From owner-freebsd-questions@FreeBSD.ORG Fri Dec 5 05:01:29 2003
Date: Sat, 6 Dec 2003 00:01:09 +1100
From: "David" <dspezialie@fastmail.com.au>
To: "Jez Hancock" <jez.hancock@munk.nu>, freebsd-questions@freebsd.org
Message-Id: <20031205130118.4F9FEA3@sandbox-rsmtp>
Subject: RE: ipfilter traffic blocking and tcpdump snort etc

Maybe an upgrade of Apache would be a good start? And have a look at mod_bandwidth and mod_dosevasive.

-david

> -----Original Message-----
> From: Jez Hancock [mailto:jez.hancock@munk.nu]
> Sent: Friday, 5 December 2003 23:41
> To: freebsd-questions@FreeBSD.org
> Subject: Re: ipfilter traffic blocking and tcpdump snort etc
>
> On Fri, Dec 05, 2003 at 01:10:16PM +0100, Melvyn Sopacua wrote:
> > On Friday 05 December 2003 11:58, Jez Hancock wrote:
> >
> > > Let me rephrase that one :P I meant is there a method - for example
> > > such as adding some kind of routing via arp - so that packets are
> > > dropped on the floor even quicker than they would be via the firewall
> > > method?
> >
> > You could bind the ip's to the loopback interface, but I think the firewall
> > setup is quicker.
> Interesting(!) idea but kind of does the DOS'ers job for 'em!
>
> I'm really curious as to what type of attack it actually was. Right now
> I know:
>
> - it was aimed at a single address on port 80
> - global apache errorlog was relatively quiet in the run up to the
> exhaustion of apache with only a small hint that a larger number of
> requests were being made:
>
> [Thu Dec 4 18:47:46 2003] [info] server seems busy, (you may need to increase StartServers, or Min/MaxSpareServers), spawning 8 children, there are 0 idle, and 146 total children
> [Thu Dec 4 18:47:47 2003] [error] server reached MaxClients setting, consider raising the MaxClients setting
> [Thu Dec 4 18:52:34 2003] [notice] child pid 91863 exit signal Segmentation fault (11)
> [Fri Dec 5 00:13:04 2003] [notice] child pid 38280 exit signal Segmentation fault (11)
> [Fri Dec 5 01:35:52 2003] [info] server seems busy, (you may need to increase StartServers, or Min/MaxSpareServers), spawning 8 children, there are 0 idle, and 17 total children
>
> note the 5min gap between the server reaching the MaxClients setting
> and the server collapsing with no err log entries in between
>
> - no HTTP requests were logged by apache from any of the dozen or so
> attacking hosts
>
> - snort captured only SYN packets from the attacking hosts (I suppose
> this explains why no requests were logged by apache)
>
> - all the attacking hosts had both port 25 and 80 open, although none of
> those hosts accepted inbound connections to those ports
>
> Would appear someone had control over a few zombie hosts and was able to
> coordinate a distributed attack - thankfully it was only a dozen or so
> hosts :P
>
> --
> Jez Hancock
> - System Administrator / PHP Developer
>
> http://munk.nu/
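Added example, not part of the thread above: a small Python check that turns the pattern Jez describes (snort saw only SYNs from the attacking hosts, Apache logged no requests from them) into a detection rule by correlating per-source SYN counts against the access log. The tcpdump-style packet summaries and the access-log line are constructed sample data using documentation address ranges; the function name is mine.

```python
import re
from collections import Counter

# Constructed tcpdump-style one-line summaries (not a real capture).
# Flags [S] = bare SYN, [.] = ACK, [P.] = PSH/ACK carrying request data.
SAMPLE_PACKETS = """\
IP 192.0.2.10.40001 > 198.51.100.5.80: Flags [S]
IP 192.0.2.10.40002 > 198.51.100.5.80: Flags [S]
IP 192.0.2.10.40003 > 198.51.100.5.80: Flags [S]
IP 192.0.2.11.51000 > 198.51.100.5.80: Flags [S]
IP 192.0.2.11.51001 > 198.51.100.5.80: Flags [S]
IP 203.0.113.7.33000 > 198.51.100.5.80: Flags [S]
IP 203.0.113.7.33000 > 198.51.100.5.80: Flags [.]
IP 203.0.113.7.33000 > 198.51.100.5.80: Flags [P.]
"""

# Constructed Apache access-log excerpt: only the legitimate client completed
# a handshake and got a request logged, as in the incident described.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [05/Dec/2003:00:10:01 +0100] "GET / HTTP/1.1" 200 512
"""

PKT_RE = re.compile(
    r"^IP (\d+\.\d+\.\d+\.\d+)\.\d+ > \d+\.\d+\.\d+\.\d+\.(\d+): Flags \[([^\]]+)\]"
)


def syn_only_sources(packet_lines, access_lines, dport=80, min_syns=2):
    """Return {src: syn_count} for sources that sent at least min_syns bare
    SYNs to dport, never followed up with an ACK or data segment, and never
    appear as a client in the access log. Hosts that complete the handshake
    (like 203.0.113.7 above) are excluded even if they also sent SYNs."""
    syns = Counter()
    followed_up = set()
    for line in packet_lines.splitlines():
        m = PKT_RE.match(line)
        if not m or int(m.group(2)) != dport:
            continue
        src, flags = m.group(1), m.group(3)
        if flags == "S":
            syns[src] += 1
        else:
            followed_up.add(src)
    logged = {l.split(" ", 1)[0] for l in access_lines.splitlines() if l.strip()}
    return {src: n for src, n in syns.items()
            if n >= min_syns and src not in followed_up and src not in logged}
```

Run against the samples it flags 192.0.2.10 and 192.0.2.11 only; on a live box the same logic works over `tcpdump -nn 'tcp[tcpflags] & tcp-syn != 0'` output and the real access log.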