From owner-freebsd-security@FreeBSD.ORG Thu Mar 6 13:04:35 2008
From: Volker <volker@vwsoft.com>
To: kamolpat@dmaccess.net
Cc: freebsd-security@FreeBSD.org
Subject: Re: DDOS problem from Bangkok, Thailand
Date: Thu, 06 Mar 2008 14:04:06 +0100
Message-ID: <47CFEBC6.20808@vwsoft.com>
In-Reply-To: <47CFCE4C.7010200@dmaccess.net>
List-Id: Security issues [members-only posting] (freebsd-security@freebsd.org)
On 03/06/08 11:58, kamolpat@dmaccess.net wrote:
> Dear Security team,
>
> I'm Kamolpat Pornatiwiwat, Sys admin of DMaccess Co., Ltd. I've got a
> problem: my FreeBSD 6.0 box got DoS attacked. What should I do? At
> present, I have decided to stop apache and leave only the mail feature
> functioning. Any guide/recommendation/solution will be appreciated.
>
> More detail about my server:
> ======================
> FreeBSD 6.0 apache-1.3.34_4 php5-5.1.2_1 MySQL 5.0.20
>
> php.ini
> ======
> ;;;;;;;;;;;;;;;;;;;
> ; Resource Limits ;
> ;;;;;;;;;;;;;;;;;;;
>
> max_execution_time = 30 ; Maximum execution time of each script, in seconds
> max_input_time = 60 ; Maximum amount of time each script may spend parsing r
> memory_limit = 32M (at the beginning it was 8M; I changed it to 32MB because
> of the errors in httpd-error.log, however it still shows the error below in
> httpd-error.log)
>
> FILE:/var/log/httpd-error.log
> =====================
> Allowed memory size of 33554432 bytes exhausted .... happens like this
> all over the log
>
> Thanks in advance,
> Kamolpat Pornatiwiwat, Sys admin DMaccess Co., Ltd.

Kamolpat,

without being a member of the secteam, I'd like to jump in here.

${subject} contains "DDoS" but I don't see any signs of a DDoS from what you're describing. Sure, it might be a DoS attack, but that needs careful inspection of your log file (look for specially crafted URLs being requested).

To me, exhausted memory situations look more like application problems (read as: bad code). With just that exhausted memory message given, it's guesswork to tell more, but you may want to check PHP's bug database.

BTW (not related to your problem), you might also want to consider migrating to Apache 2.x as support for Apache 1.3.x will end soon, IIRC. Also FreeBSD 6.0 will be EOL'd in less than 3 months.

If you still think it's a DoS attack you're seeing, you should query upstream (either PHP or Apache folks) for help on that.

Regards,

Volker
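The log inspection Volker recommends (count who is hitting the server, look for crafted URLs, and see whether the PHP memory fatals cluster on one script for many clients or on one client for one script) as an added worked example. This is editorial example code, not from the thread or from any FreeBSD, Apache or PHP project. It assumes Apache's default "common"/"combined" access-log format and the "[date] [error] [client ip] PHP Fatal error: Allowed memory size of N bytes exhausted ... in script on line L" form of mod_php fatals in httpd-error.log; the log lines, IP addresses, script path and thresholds are constructed for the example.

```python
"""Triage an Apache access log and httpd-error.log: attack or bad code?

Added example, not code from the mailing-list thread.  All sample log
lines below are constructed; the regexes assume Apache's default
LogFormat and mod_php's fatal-error message format.
"""
import re
from collections import Counter

# Apache "common"/"combined" access-log line (constructed format assumption).
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# PHP memory-exhaustion fatal as logged by mod_php into httpd-error.log.
MEMORY_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\] \[error\] (?:\[client (?P<ip>[^\]]+)\] )?'
    r'PHP Fatal error:\s+Allowed memory size of (?P<limit>\d+) bytes exhausted'
    r'.*? in (?P<script>\S+) on line (?P<line>\d+)'
)


def parse_access_log(lines):
    """Return one dict per parseable access-log line; unparseable lines are skipped."""
    records = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def heavy_clients(records, threshold):
    """Client IPs that issued at least `threshold` requests, busiest first."""
    counts = Counter(r['ip'] for r in records)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


def crafted_uris(records, max_len=256, max_encoded_ratio=0.2):
    """(ip, uri) pairs whose URI is unusually long or unusually dense in %XX escapes.

    Both limits are example thresholds; tune them to the site's real URLs.
    """
    hits = []
    for r in records:
        uri = r['uri']
        ratio = uri.count('%') / len(uri) if uri else 0.0
        if len(uri) > max_len or ratio > max_encoded_ratio:
            hits.append((r['ip'], uri))
    return hits


def memory_errors(lines):
    """Count memory-exhaustion fatals per (script, line) and per client IP."""
    per_script, per_client = Counter(), Counter()
    for line in lines:
        m = MEMORY_RE.search(line)
        if m:
            per_script[(m.group('script'), int(m.group('line')))] += 1
            per_client[m.group('ip') or 'unknown'] += 1
    return per_script, per_client


def verdict(records, error_lines, threshold=20):
    """Rough triage rule:
    - one client issuing a flood of requests  -> possible DoS, inspect its URLs
    - the same script failing for many clients -> application bug, not an attack
    """
    if heavy_clients(records, threshold):
        return 'possible DoS'
    per_script, per_client = memory_errors(error_lines)
    if per_script and len(per_client) > 1:
        return 'application bug'
    return 'inconclusive'


# ---- constructed sample data (RFC 5737 documentation addresses) -------------
def _access(ip, uri, status):
    return f'{ip} - - [06/Mar/2008:11:02:03 +0700] "GET {uri} HTTP/1.1" {status} 0'


def _memfatal(ip, script, line):
    return (f'[Thu Mar 06 11:02:03 2008] [error] [client {ip}] PHP Fatal error:  '
            f'Allowed memory size of 33554432 bytes exhausted (tried to allocate '
            f'24 bytes) in {script} on line {line}')


# Scenario A: ordinary visitors, one script blowing its memory limit for each of them.
ACCESS_BUG = [_access('192.0.2.10', '/index.php', 200),
              _access('192.0.2.10', '/news.php?id=7', 500),
              _access('198.51.100.7', '/news.php?id=9', 500),
              _access('203.0.113.5', '/news.php?id=12', 500)]
ERRORS_BUG = [_memfatal(ip, '/usr/local/www/data/news.php', 42)
              for ip in ('192.0.2.10', '198.51.100.7', '203.0.113.5')]

# Scenario B: one client hammering one URL with an oversized, percent-encoded parameter.
CRAFTED = '/news.php?id=' + '%41' * 100
ACCESS_FLOOD = ACCESS_BUG[:1] + [_access('198.51.100.7', CRAFTED, 500)] * 40
ERRORS_FLOOD = [_memfatal('198.51.100.7', '/usr/local/www/data/news.php', 42)] * 40

if __name__ == '__main__':
    for name, acc, err in (('bug', ACCESS_BUG, ERRORS_BUG), ('flood', ACCESS_FLOOD, ERRORS_FLOOD)):
        recs = parse_access_log(acc)
        print(name, verdict(recs, err), heavy_clients(recs, 20), len(crafted_uris(recs)))
```

On a real box the two inputs would be `/var/log/httpd-access.log` and `/var/log/httpd-error.log` read line by line; the point of the rule in `verdict` is the one Volker makes: the memory message alone does not distinguish an attack from a script that simply needs more than 32 MB, so the access log has to be correlated with it.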