From owner-freebsd-security Sun Apr 2 12:19:38 2000
Delivered-To: freebsd-security@freebsd.org
Received: from wat-border.sentex.ca (waterloo-hespler.sentex.ca [199.212.135.66]) by hub.freebsd.org (Postfix) with ESMTP id 84DC737B9FC for ; Sun, 2 Apr 2000 12:19:35 -0700 (PDT) (envelope-from mike@sentex.net)
Received: from granite.sentex.net (granite-atm.sentex.ca [209.112.4.1]) by wat-border.sentex.ca (8.9.3/8.9.3) with ESMTP id PAA70419; Sun, 2 Apr 2000 15:19:34 -0400 (EDT) (envelope-from mike@sentex.net)
Received: from chimp (ospf-mdt.sentex.net [205.211.164.81]) by granite.sentex.net (8.8.8/8.6.9) with ESMTP id PAA26254; Sun, 2 Apr 2000 15:19:33 -0400 (EDT)
Message-Id: <4.2.2.20000402151228.035846d8@mail.sentex.net>
X-Sender: mdtancsa@mail.sentex.net
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2
Date: Sun, 02 Apr 2000 15:16:52 -0500
To: "System Admin"
From: Mike Tancsa
Subject: Re: MAJOR DDOS
Cc: security@FreeBSD.ORG
In-Reply-To: <200004021417660.SM00209@strictlyhosting.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 02:17 PM 4/2/2000 -0400, System Admin wrote:
>I believe I am experiencing a major DDOS on port 80 .... 40+ Megs
>inbound...... from all over, what is the fastest way to start protecting
>this machine ???? and alleviate some of this traffic under 3.4 ????

I would say get in touch with your upstreams to see where all the traffic is coming from. Hopefully they have someone in their NOCs who will be around today to track down the sources of the attacks. If it's all "legitimate" traffic, I don't think options ICMP_BANDLIM will help. If it's all just one web site they are attacking, perhaps change the IP address for that specific site to 10.10.10.10 to protect your other sites. Make the TTL 1 second so you can quickly change it back.
---Mike