Date:      Fri, 5 Dec 2003 13:40:00 +0000
From:      Jez Hancock <jez.hancock@munk.nu>
To:        freebsd-questions@FreeBSD.org
Subject:   Re: ipfilter traffic blocking and tcpdump snort etc
Message-ID:  <20031205134000.GA74917@users.munk.nu>
In-Reply-To: <20031205130117.8C3D2A1@sandbox-rsmtp>
References:  <20031205130117.8C3D2A1@sandbox-rsmtp>

On Sat, Dec 06, 2003 at 12:01:09AM +1100, David wrote:
> Maybe an upgrade of apache would be a good start?  And have a look at
> mod_bandwidth <http://www.cohprog.com/mod_bandwidth.html> and mod_dosevasive
> <http://www.nuclearelephant.com/projects/dosevasive/>
I upgrade manually using portupgrade where necessary every weekend after
the weekly periodic run.  Without doubt apache is up to date - 
unless there have been any changes to the ports in the last few days :P

Server: Apache/1.3.29 (Unix) mod_accounting/0.5 PHP/4.3.4 mod_perl/1.28
mod_throttle/3.1.2

Gets me that something as simple as a flood of packets can just
cripple a service so easily given enough bandwidth (although adding ipf
rules helped a lot).

I've not actually checked out mod_bandwidth; I use mod_throttle - fwiw,
it's not great for multiple vhosts :( - I should check that out, thanks.

mod_dosevasive sounds even more interesting.  Heading toward that link
now...

Very interesting, particularly this feature:

	The blacklist can/should be configured to talk to your network's
	firewalls and/or routers to push the attack out to the front lines, but
	this is not required.

This is something I could do with for Exim as well :P

Not sure that it would have helped last night actually - no hits
were registered by apache during the attack from any of the
attacking hosts.  As I said in another post, all the packets I captured
from the attacking hosts with snort during the packet attack only had the SYN
flag set - it appeared to be the sheer volume of these packets to port
80 that was causing apache child procs to die rapidly in succession.

The hardest part over the few hours the attack lasted was working out
from the snort logs which _bad_ hosts I'd already blocked with ipf, which
hosts were legit, and which hosts I still had to block - over time more
hosts joined in the attack.  The last 20mins or so consisted of a flood
from a single host I'd missed in my blocking spree!

Fun and games :=P

-- 
Jez Hancock
 - System Administrator / PHP Developer

http://munk.nu/
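The bookkeeping Jez describes (which snort-logged hosts send nothing but bare SYNs to port 80, which of those ipf already blocks, and which still need a rule) is exactly the kind of thing to script rather than do by eye at 2am. The following is an added example, not code from the post, from snort or from ipfilter: it parses a constructed snort -v style packet dump, keeps only sources that sent repeated SYN-only packets and never an ACK (a real client that received the SYN/ACK would complete the handshake), subtracts the addresses already covered by `block in ... from <ip>` rules in a constructed `ipfstat -io` listing, and prints ipf rules for the rest. The log layout, the ipfstat output, the interface name `fxp0`, the threshold and all addresses are assumptions for illustration.

```python
"""Reconcile a snort packet log against the ipf rules already loaded, so the
attacking hosts still to block can be listed mechanically instead of by eye.
All sample data is constructed; the snort and ipfstat layouts are approximate."""
import re
from collections import defaultdict

# Constructed snort -v style dump: header line (src:port -> dst:port), IP line,
# then a TCP line whose first field is the eight-position flag string
# (1 2 U A P R S F), so a bare SYN shows as ******S* and a bare ACK as ***A****.
SNORT_LOG = """\
12/05-01:52:10.481233 198.51.100.7:44112 -> 203.0.113.10:80
TCP TTL:48 TOS:0x0 ID:8713 IpLen:20 DgmLen:40
******S* Seq: 0x3A1F0C21  Ack: 0x0  Win: 0x4000  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/05-01:52:10.482011 198.51.100.7:44113 -> 203.0.113.10:80
TCP TTL:48 TOS:0x0 ID:8714 IpLen:20 DgmLen:40
******S* Seq: 0x3A1F0C22  Ack: 0x0  Win: 0x4000  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/05-01:52:10.490500 198.51.100.9:1025 -> 203.0.113.10:80
TCP TTL:51 TOS:0x0 ID:2201 IpLen:20 DgmLen:40
******S* Seq: 0x00C0FFEE  Ack: 0x0  Win: 0x2000  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/05-01:52:10.490900 198.51.100.9:1026 -> 203.0.113.10:80
TCP TTL:51 TOS:0x0 ID:2202 IpLen:20 DgmLen:40
******S* Seq: 0x00C0FFEF  Ack: 0x0  Win: 0x2000  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/05-01:52:10.491300 198.51.100.9:1027 -> 203.0.113.10:80
TCP TTL:51 TOS:0x0 ID:2203 IpLen:20 DgmLen:40
******S* Seq: 0x00C0FFF0  Ack: 0x0  Win: 0x2000  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/05-01:52:11.000100 192.0.2.5:51230 -> 203.0.113.10:80
TCP TTL:55 TOS:0x0 ID:4410 IpLen:20 DgmLen:40
******S* Seq: 0x7B1E0001  Ack: 0x0  Win: 0xFFFF  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/05-01:52:11.120400 192.0.2.5:51230 -> 203.0.113.10:80
TCP TTL:55 TOS:0x0 ID:4411 IpLen:20 DgmLen:40
***A**** Seq: 0x7B1E0002  Ack: 0x1C9A3F01  Win: 0xFFFF  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/05-01:52:12.300000 198.51.100.12:3101 -> 203.0.113.10:80
TCP TTL:60 TOS:0x0 ID:9001 IpLen:20 DgmLen:40
******S* Seq: 0x5555AAAA  Ack: 0x0  Win: 0x4000  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

# Constructed approximation of `ipfstat -io` output for the rules already loaded.
IPFSTAT_IO = """\
block in quick on fxp0 from 198.51.100.7/32 to any
pass in quick on fxp0 proto tcp from any to any port = 80 flags S keep state
"""

RECORD_SEP = re.compile(r"^=\+=.*$", re.M)
HEADER_RE = re.compile(r"^\S+ (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$", re.M)
FLAGS_RE = re.compile(r"^([12UAPRSF*]{8}) +Seq:", re.M)
IPF_BLOCK_RE = re.compile(r"^block in\b.*\bfrom (\d+\.\d+\.\d+\.\d+)", re.M)


def parse_snort_tcp(text, dst_port=80):
    """Return (src_ip, flags) for every TCP packet in the dump aimed at dst_port."""
    packets = []
    for record in RECORD_SEP.split(text):
        hdr, flg = HEADER_RE.search(record), FLAGS_RE.search(record)
        if hdr and flg and int(hdr.group(4)) == dst_port:
            packets.append((hdr.group(1), flg.group(1)))
    return packets


def flood_sources(packets, min_syns=2):
    """Sources that sent at least min_syns bare SYNs and never anything else.
    A client that got a SYN/ACK back completes the handshake, so a single
    non-SYN packet from a host takes it out of the suspect set."""
    syn_only, other = defaultdict(int), defaultdict(int)
    for src, flags in packets:
        if flags == "******S*":
            syn_only[src] += 1
        else:
            other[src] += 1
    return {src for src, n in syn_only.items() if n >= min_syns and other[src] == 0}


def blocked_in_ipf(ipfstat_output):
    """Source addresses already covered by a 'block in ... from <ip>' rule."""
    return set(IPF_BLOCK_RE.findall(ipfstat_output))


def rules_to_add(attackers, blocked, iface="fxp0", port=80):
    """ipf rules for attackers not yet blocked (interface name is an assumption)."""
    ip_key = lambda ip: tuple(int(o) for o in ip.split("."))
    return [f"block in quick on {iface} proto tcp from {ip}/32 to any port = {port}"
            for ip in sorted(attackers - blocked, key=ip_key)]


if __name__ == "__main__":
    attackers = flood_sources(parse_snort_tcp(SNORT_LOG))
    for rule in rules_to_add(attackers, blocked_in_ipf(IPFSTAT_IO)):
        print(rule)  # this output can be fed to: ipf -f -
```

With the constructed data, 198.51.100.7 and 198.51.100.9 are flagged as flood sources, 192.0.2.5 is dropped because it sent an ACK, 198.51.100.12 falls under the threshold, and only the 198.51.100.9 rule is emitted because .7 is already in the ipf listing. On a live box you would replace the two string constants with the snort log file and the output of `ipfstat -io`, and keep the threshold well above what a legitimate retrying client produces.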
