From owner-freebsd-security@FreeBSD.ORG Thu Mar 6 16:00:18 2008
Date: Thu, 6 Mar 2008 18:00:14 +0200
From: "Adrian Penisoara"
Sender: ady@ady.ro
To: Volker
Cc: "kamolpat@dmaccess.net", freebsd-security@freebsd.org
Subject: Re: DDOS problem from Bangkok, Thailand
Message-ID: <78cb3d3f0803060800n22254040qcacb0aa1836f2179@mail.gmail.com>
In-Reply-To: <47CFEBC6.20808@vwsoft.com>
References: <47CFCE4C.7010200@dmaccess.net> <47CFEBC6.20808@vwsoft.com>
List-Id: "Security issues [members-only posting]"

Hi,

On Thu, Mar 6, 2008 at 3:04 PM, Volker wrote:
> On 03/06/08 11:58, kamolpat@dmaccess.net wrote:
> > Dear Security team,
> >
> > I'm Kamolpat Pornatiwiwat, sys admin of DMaccess Co., Ltd. I've got a
> > problem: my FreeBSD 6.0 got DoS attacked. What should I do? At
> > present I've decided to stop Apache and leave only the mail feature
> > functioning. Any guide/recommendation/solution will be appreciated.
> >
> > More detail about my server:
> > ======================
> > FreeBSD 6.0 apache-1.3.34_4 php5-5.1.2_1 MySQL 5.0.20
> >
> > php.ini
> > ======
> > ;;;;;;;;;;;;;;;;;;;
> > ; Resource Limits ;
> > ;;;;;;;;;;;;;;;;;;;
> >
> > max_execution_time = 30 ; Maximum execution time of each script, in seconds
> > max_input_time = 60 ; Maximum amount of time each script may spend parsing r
> > memory_limit = 32M (at the beginning it was 8M; I changed it to 32MB because
> > of the errors in httpd-error.log; however, it still shows the error as the
> > following from httpd-error.log)
> >
> > FILE:/var/log/httpd-error.log
> > =====================
> > Allowed memory size of 33554432 bytes exhausted .... happened like this
> > all over the log
> >
> > Thanks in advance,
> > Kamolpat Pornatiwiwat, Sys admin DMaccess Co., Ltd.
>
> Kamolpat,
>
> without being a member of the secteam, I'd like to jump in here.
>
> ${subject} contains "DDoS" but I don't see any signs of a DDoS from what
> you're describing. Sure it might be a DoS attack but that needs
> careful inspection of your log file (look for specially crafted URLs
> being requested).
>
> To me, exhausted memory situations look more like
> application problems (read as: bad code). With just that exhausted
> memory message given, it's guesswork to tell more but you may want to
> check PHP's bug database.

Hmm, I'm wondering -- if you see a simple SYN flood attack (just opening
connections without sending an HTTP request) then you should try enabling
the accf_http(9) mechanism in the kernel and using the "AcceptFilter http"
Apache configuration.

My 5 cents,
Adrian Penisoara
ROFUG / EnterpriseBSD
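Volker's advice is to inspect the log before calling this an attack, and the only evidence in the thread is the repeated "Allowed memory size ... exhausted" line. As an added example that is not part of this thread (neither Kamolpat's, Volker's nor Adrian's), the following POSIX shell script summarizes such PHP fatal errors from an Apache error log by script path and by client IP. The log lines, the script paths and the client addresses (RFC 5737 documentation ranges) are constructed for the example. One script dominating the counts, hit from ordinary clients, is what an application bug looks like; many distinct clients spread across scripts is what request-driven memory pressure looks like.

```shell
#!/bin/sh
# Added example: triage PHP memory-exhaustion errors in an Apache error log.
# Not code from the thread; paths and addresses below are constructed.

# Constructed sample of Apache 1.3 error_log lines (hypothetical paths,
# RFC 5737 documentation addresses).
SAMPLE_LOG="${TMPDIR:-/tmp}/httpd-error.sample.$$"
cat > "$SAMPLE_LOG" <<'EOF'
[Thu Mar  6 11:40:01 2008] [error] [client 192.0.2.10] PHP Fatal error:  Allowed memory size of 33554432 bytes exhausted (tried to allocate 1048576 bytes) in /usr/local/www/data/gallery.php on line 88
[Thu Mar  6 11:40:03 2008] [error] [client 192.0.2.11] PHP Fatal error:  Allowed memory size of 33554432 bytes exhausted (tried to allocate 524288 bytes) in /usr/local/www/data/gallery.php on line 88
[Thu Mar  6 11:40:05 2008] [notice] child pid 4242 exit signal Segmentation fault (11)
[Thu Mar  6 11:40:07 2008] [error] [client 198.51.100.7] PHP Fatal error:  Allowed memory size of 33554432 bytes exhausted (tried to allocate 2097152 bytes) in /usr/local/www/data/gallery.php on line 88
[Thu Mar  6 11:40:09 2008] [error] [client 192.0.2.10] PHP Fatal error:  Allowed memory size of 33554432 bytes exhausted (tried to allocate 65536 bytes) in /usr/local/www/data/index.php on line 12
[Thu Mar  6 11:40:10 2008] [error] [client 192.0.2.12] File does not exist: /usr/local/www/data/favicon.ico
EOF

# Total number of memory-exhaustion errors in the log given as $1.
count_exhausted() {
    grep -c 'Allowed memory size of [0-9]* bytes exhausted' "$1"
}

# Exhaustion errors per PHP script, most frequent first: "count path".
exhausted_by_script() {
    sed -n 's/.*Allowed memory size of [0-9]* bytes exhausted.* in \([^ ]*\) on line [0-9]*$/\1/p' "$1" \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Exhaustion errors per client address, most frequent first: "count ip".
exhausted_by_client() {
    sed -n 's/.*\[client \([0-9.]*\)\].*Allowed memory size of [0-9]* bytes exhausted.*/\1/p' "$1" \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Share (percent) of all exhaustion errors caused by the single worst script.
# A high share means one script is the problem, i.e. an application bug to fix
# rather than something a higher memory_limit will cure.
top_script_share() {
    total=$(count_exhausted "$1")
    top_count=$(exhausted_by_script "$1" | head -n 1 | awk '{print $1}')
    echo $(( top_count * 100 / total ))
}

echo "memory exhaustion errors: $(count_exhausted "$SAMPLE_LOG")"
echo "by script:"
exhausted_by_script "$SAMPLE_LOG"
echo "by client:"
exhausted_by_client "$SAMPLE_LOG"
echo "top script share: $(top_script_share "$SAMPLE_LOG")%"
```

Run it against the real file with `exhausted_by_script /var/log/httpd-error.log` once the functions are sourced. On the kernel side of Adrian's suggestion, FreeBSD loads the accept filter with `kldload accf_http` (persistently via `accf_http_load="YES"` in /boot/loader.conf, or `options ACCEPT_FILTER_HTTP` in the kernel config), and `kldstat` confirms it is present; the exact Apache directive differs between Apache versions, so check the documentation shipped with the installed port before adding it to httpd.conf.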