Date: Mon, 9 Sep 2002 23:13:20 -0500
From: "Charles Pelletier" <fozekizer@attbi.com>
To: <freebsd-questions@FreeBSD.ORG>
Subject: Re: Content-based web filtering?
Message-ID: <004501c25880$660de500$32040101@hume>
References: <DC32C8CEB3F8D311B6B5009027DE5AD5046FA9DB@stlmail.dra.com>
But... if it is indeed a smurf attack which is occurring, then there is IP
masking occurring as well and he could spend days trying to block all the IPs
from whence the attacks are coming.

A suggestion: a DMZ might be in order. A friend of mine recently set up a DMZ
in which the attacker, if he got through the first (very weak) firewall, was
routed immediately to a 486 SX with almost no RAM and nothing special on it.
Mean but effective. So, anyways, a DMZ, especially since you are running
"controversial" sites.

--charlie pelletier
--litmus (mp3.com/litmus)

----- Original Message -----
From: "Eric Six" <erics@sirsi.com>
To: "'Kim Scarborough'" <sluggo@unknown.nu>; <freebsd-questions@FreeBSD.ORG>
Sent: Monday, September 09, 2002 12:49 PM
Subject: RE: Content-based web filtering?

> Are these attacks coming from the same hosts? Or are they from different
> places? Are they all port 80 attacks? If these are all standard http get
> requests, there is no way in particular to filter them that I know of. Last
> time this happened to me, I blocked the hosts the requests were coming from
> on my firewall (around 20 different hosts). End of problem.
>
> -----Original Message-----
> From: Kim Scarborough [mailto:sluggo@unknown.nu]
> Sent: Monday, September 09, 2002 12:38 PM
> To: freebsd-questions@FreeBSD.ORG
> Subject: Content-based web filtering?
>
> I'm running an Apache web server on 4.6.2-RELEASE that hosts several virtual
> domains. One of these is somewhat controversial, and every few days I've been
> getting a distributed denial of service attack through massive numbers of
> requests for a particular file from poorly-configured proxy servers all over
> the world. It doesn't affect the OS, but it does choke httpd by using up all
> the available servers.
>
> In the past, I've blocked the DOS attacks by simply IPFW-ing out the offending
> host, but with this attack there are hundreds of hosts. What is constant,
> however, are the user agent and file request strings; they are always the
> same. So if there was some way to filter based on that, I'd be safe (at least
> for now). But IPFW can't do that, right? So I'd need to either find a firewall
> that will, or maybe put a small proxy server to intercept these requests and
> let everything else through to Apache.
>
> Does anybody have any thoughts on how to deal with this? If you think one of
> the two solutions above is the way to go, any software recommendations? Does
> anyone have another idea altogether? I'm kinda stumped here, and the way I'm
> dealing with it at the moment is to shut down the targeted site, which of
> course is unacceptable.
>
> ----------------------------------------------------------------------------
> Kim Scarborough http://www.unknown.nu/kim/
> ----------------------------------------------------------------------------
> "Football combines the two worst features of American life: violence and
> committee meetings."
> -George Will
> ----------------------------------------------------------------------------
> Now listening to: Raymond Scott - "The Happy Whistler"
> ----------------------------------------------------------------------------
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
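An added example, not from anyone in this thread, of the decision logic a small intercepting proxy in front of Apache would need for Kim's case: parse the HTTP request head and reject only requests whose path and User-Agent both match the constant signature, forwarding everything else. The signature values and sample requests are constructed; a malformed request head is rejected rather than forwarded, and the comparison is on the path alone so a query string or an absolute-form URI (which a proxy sends) cannot slip past the match.

```python
"""Filtering decision for a tiny front-end proxy (constructed example)."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Signature:
    path: str
    user_agent: str


# Constructed placeholder signature; the real values would be taken from
# the server's own access log for the attack.
BLOCKED = [Signature("/controversial/file.html", "ExampleProxy/1.0")]


def parse_request(raw: bytes):
    """Parse an HTTP/1.x request head into (method, target, headers).

    Returns None when the request line or a header line is malformed, so
    the caller can refuse it instead of guessing what was meant.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            return None
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


def should_block(raw: bytes) -> bool:
    """True if the request must not be forwarded to Apache."""
    parsed = parse_request(raw)
    if parsed is None:
        return True  # malformed head: never forward what we cannot parse
    _method, target, headers = parsed
    # Normalise to the path only: "/x?y=1" and "http://host/x" both -> "/x".
    path = urlsplit(target).path
    ua = headers.get("user-agent", "")
    return any(path == s.path and ua == s.user_agent for s in BLOCKED)
```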