From: Jez Hancock
To: freebsd-questions@FreeBSD.org
Date: Fri, 5 Dec 2003 13:40:00 +0000
Subject: Re: ipfilter traffic blocking and tcpdump snort etc
Message-ID: <20031205134000.GA74917@users.munk.nu>
In-Reply-To: <20031205130117.8C3D2A1@sandbox-rsmtp>

On Sat, Dec 06, 2003 at 12:01:09AM +1100, David wrote:
> Maybe an upgrade of apache would be a good start? And have a look at
> mod_bandwidth and mod_dosevasive

I upgrade manually using portupgrade where necessary every weekend after the weekly periodic run. Without doubt apache is up to date - unless there have been any changes to the ports in the last few days :P

Server: Apache/1.3.29 (Unix) mod_accounting/0.5 PHP/4.3.4 mod_perl/1.28 mod_throttle/3.1.2

It gets me that something as simple as a flood of packets can cripple a service so easily given enough bandwidth (although adding ipf rules helped a lot).
I've not actually checked out mod_bandwidth, I use mod_throttle - fwiw, it's not great for multiple vhosts :( - should check that out, thanks.

mod_dosevasive sounds even more interesting. Heading toward that link now... Very interesting, particularly this feature:

    The blacklist can/should be configured to talk to your network's
    firewalls and/or routers to push the attack out to the front lines,
    but this is not required.

This is something I could do with for Exim as well :P

Not sure that it would have helped last night actually - no hits were actually registered by apache during the attack from any of the attacking hosts. As I said in another post, all the packets I captured from the attacking hosts with snort during the packet attack only had the SYN flag set - it appeared to be the sheer volume of these packets to port 80 that was causing apache child procs to die rapidly in succession.

The hardest part over the few hours the attack lasted was working out from the snort logs which _bad_ hosts I'd already blocked with ipf, which hosts were legit and which hosts I still had to block - over time more hosts joined in the attack. The last 20 mins or so consisted of a flood from a single host I'd missed in my blocking spree!

Fun and games :=P

-- 
Jez Hancock - System Administrator / PHP Developer
http://munk.nu/
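The bookkeeping problem described in the post above (which SYN sources in the snort log are already in the ipf rule set, and which still need a rule) is mechanical enough to script. The following is an added example, not code from the poster or from the snort/ipfilter projects. It assumes a snort rule that alerts on SYN-only packets to port 80, written in snort's "fast" alert format, and the rule listing produced by `ipfstat -io`; the sample log lines, the sample rule set, the 198.51.100.0/24 and 203.0.113.0/24 addresses, the threshold of 3 packets and the `fxp0` interface are all constructed for the example.

```shell
#!/bin/sh
# Added example: reconcile snort SYN-flood alerts against the current ipf
# rule set and emit block rules only for attackers not yet blocked.
# Assumed input formats (not from the original post):
#   snort fast alert:  12/05-02:13:44.123456  [**] [1:1000001:1] SYN to 80 [**] {TCP} SRC:PORT -> DST:80
#   ipfstat -io line:  block in quick on fxp0 from 203.0.113.50/32 to any

IFACE=${IFACE:-fxp0}        # assumption: the external interface name

# Count SYN alerts per source address aimed at port 80; print "count ip"
# for every source at or above the threshold, busiest first.
top_syn_sources() {
    awk -v thr="$2" '
        {
            for (i = 1; i <= NF; i++)
                if ($i == "{TCP}") {
                    split($(i + 1), src, ":")      # "a.b.c.d:port" -> src[1]
                    if ($(i + 3) ~ /:80$/) count[src[1]]++
                }
        }
        END { for (s in count) if (count[s] >= thr) print count[s], s }
    ' "$1" | sort -k1,1nr -k2,2
}

# Addresses that already have a block rule in the ipf listing (strip /32).
blocked_hosts() {
    awk '$1 == "block" {
        for (i = 1; i <= NF; i++)
            if ($i == "from") { sub(/\/32$/, "", $(i + 1)); print $(i + 1) }
    }' "$1"
}

# Attackers above the threshold that are not yet blocked, busiest first.
unblocked_attackers() {
    top_syn_sources "$1" "$3" | awk -v blocked="$(blocked_hosts "$2" | tr '\n' ' ')" '
        BEGIN { n = split(blocked, b, " "); for (i = 1; i <= n; i++) seen[b[i]] = 1 }
        !($2 in seen) { print $2 }'
}

# One ipf rule per missing attacker, ready to review and load.
emit_block_rules() {
    unblocked_attackers "$1" "$2" "$3" | while read -r ip; do
        printf 'block in quick on %s proto tcp from %s/32 to any port = 80\n' "$IFACE" "$ip"
    done
}

# --- constructed sample data (not real traffic) ------------------------------
SNORT_LOG=$(mktemp); IPF_RULES=$(mktemp)
trap 'rm -f "$SNORT_LOG" "$IPF_RULES"' EXIT
cat >"$SNORT_LOG" <<'EOF'
12/05-02:13:44.100000  [**] [1:1000001:1] SYN to 80 [**] {TCP} 198.51.100.7:51234 -> 192.0.2.10:80
12/05-02:13:44.100100  [**] [1:1000001:1] SYN to 80 [**] {TCP} 203.0.113.50:4001 -> 192.0.2.10:80
12/05-02:13:44.100200  [**] [1:1000001:1] SYN to 80 [**] {TCP} 198.51.100.7:51235 -> 192.0.2.10:80
12/05-02:13:44.100300  [**] [1:1000001:1] SYN to 80 [**] {TCP} 203.0.113.9:33001 -> 192.0.2.10:80
12/05-02:13:44.100400  [**] [1:1000001:1] SYN to 80 [**] {TCP} 203.0.113.50:4002 -> 192.0.2.10:80
12/05-02:13:44.100500  [**] [1:1000001:1] SYN to 80 [**] {TCP} 198.51.100.200:2000 -> 192.0.2.10:80
12/05-02:13:44.100600  [**] [1:1000001:1] SYN to 80 [**] {TCP} 198.51.100.7:51236 -> 192.0.2.10:80
12/05-02:13:44.100700  [**] [1:1000001:1] SYN to 80 [**] {TCP} 203.0.113.50:4003 -> 192.0.2.10:80
12/05-02:13:44.100800  [**] [1:1000001:1] SYN to 80 [**] {TCP} 203.0.113.9:33002 -> 192.0.2.10:80
12/05-02:13:44.100900  [**] [1:1000001:1] SYN to 80 [**] {TCP} 198.51.100.7:51237 -> 192.0.2.10:443
12/05-02:13:44.101000  [**] [1:1000001:1] SYN to 80 [**] {TCP} 203.0.113.50:4004 -> 192.0.2.10:80
12/05-02:13:44.101100  [**] [1:1000001:1] SYN to 80 [**] {TCP} 198.51.100.7:51238 -> 192.0.2.10:80
12/05-02:13:44.101200  [**] [1:1000001:1] SYN to 80 [**] {TCP} 203.0.113.9:33003 -> 192.0.2.10:80
12/05-02:13:44.101300  [**] [1:1000001:1] SYN to 80 [**] {TCP} 203.0.113.50:4005 -> 192.0.2.10:80
EOF
cat >"$IPF_RULES" <<'EOF'
pass in quick on fxp0 proto tcp from any to any port = 22 flags S keep state
block in quick on fxp0 from 203.0.113.50/32 to any
block in quick on fxp0 from 192.0.2.99/32 to any
pass out quick on fxp0 all
EOF

# Stand-alone run: 203.0.113.50 is already blocked, 198.51.100.200 is below
# the threshold, so only 198.51.100.7 and 203.0.113.9 get new rules.
emit_block_rules "$SNORT_LOG" "$IPF_RULES" 3
```

In use, replace the sample files with the live snort alert file and the output of `ipfstat -io`, look over the emitted rules, then load them with `ipf -f`. The threshold keeps a single stray SYN from a legitimate client (198.51.100.200 in the sample) out of the block list, and the set difference against the existing rules is what the post found hardest to track by hand.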