From: Lee Brotherston
To: 'xmen koh', freebsd-security@FreeBSD.ORG
Subject: RE: How to stop DoS Attack??
Date: Mon, 19 Nov 2001 16:13:22 -0000

| Recently I got a DoS on my web server. Does anyone
| know how to stop a DoS attack and prevent it from
| happening again? Some help will be appreciated to
| explain the below TCPDump which I got during the attack.

When you encounter a DoS or DDoS, what can be done is largely based on the type of DoS. If it tries to use up the resources of a machine by constantly requesting some processor-intensive CGI on a webserver, for example, then some firewalling will probably suffice. If however it is the kind of attack which is designed to take up network resources, then it is a different matter. DoSes that saturate lines are seldom solved with firewalling at your end, as the likelihood is that your connection is already saturated by the time the traffic reaches your firewall. The best course of action is to gather as much information as possible, and to try to get in touch with your ISP or upstream provider.
Depending on their internal policies etc., they may be able to add some filters in the router that provides your connectivity, maybe even at their borders if the DoS can be traced to peering points etc. Having done this, you can attempt to get in contact with the administrators of the systems that are attacking you, and/or their upstreams, in order to raise an abuse complaint, if it is relevant.

Hope it's of some use

Lee

--
Lee Brotherston - IP Security Manager, Easynet Ltd
http://www.easynet.net/
Phone: +44 20 7900 4444
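The reply above draws a line between two kinds of DoS: one that burns host resources (repeated hits on an expensive CGI, where a local firewall rule is enough) and one that saturates the line (where only the upstream can filter, and what you need is evidence to hand them). The following script is an added example, not from Lee or the original poster, that does the "gather as much information as possible" step on a text capture like the one xmen koh mentioned: it counts inbound packets per source, bare SYNs and HTTP requests, and gives a rough verdict on which of the two cases it looks like. It assumes the modern `tcpdump -n` one-line output format and a victim address of 192.0.2.10; both sample captures are constructed, since the original dump is not in the archive.

```python
"""Triage a text tcpdump capture of a suspected DoS against a web server.

Added example, not part of the original mailing-list post. It assumes the
modern `tcpdump -n` one-line format (older tcpdump versions print TCP flags
differently) and uses constructed sample captures; the original dump was
not included in the archive.
"""
import re
from collections import Counter

SERVER = "192.0.2.10"  # assumed victim address (RFC 5737 documentation range)

# Constructed sample: many distinct (spoofed-looking) sources, SYN only, no
# handshake completion. The one outbound SYN-ACK is ignored by the summary.
SYN_FLOOD = """\
16:13:22.000101 IP 198.51.100.7.41002 > 192.0.2.10.80: Flags [S], seq 1, win 512, length 0
16:13:22.000102 IP 198.51.100.8.41003 > 192.0.2.10.80: Flags [S], seq 1, win 512, length 0
16:13:22.000103 IP 198.51.100.9.41004 > 192.0.2.10.80: Flags [S], seq 1, win 512, length 0
16:13:22.000104 IP 198.51.100.10.41005 > 192.0.2.10.80: Flags [S], seq 1, win 512, length 0
16:13:22.000105 IP 198.51.100.11.41006 > 192.0.2.10.80: Flags [S], seq 1, win 512, length 0
16:13:22.000106 IP 198.51.100.12.41007 > 192.0.2.10.80: Flags [S], seq 1, win 512, length 0
16:13:22.000107 IP 192.0.2.10.80 > 198.51.100.7.41002: Flags [S.], seq 0, ack 2, win 65535, length 0
16:13:22.000108 IP 198.51.100.13.41008 > 192.0.2.10.80: Flags [S], seq 1, win 512, length 0
"""

# Constructed sample: one client completes a handshake and then hammers a
# CGI script over several connections, plus one ordinary request from elsewhere.
CGI_FLOOD = """\
16:13:22.000101 IP 203.0.113.5.50001 > 192.0.2.10.80: Flags [S], seq 1, win 65535, length 0
16:13:22.000120 IP 192.0.2.10.80 > 203.0.113.5.50001: Flags [S.], seq 0, ack 2, win 65535, length 0
16:13:22.000200 IP 203.0.113.5.50001 > 192.0.2.10.80: Flags [.], ack 1, win 65535, length 0
16:13:22.000300 IP 203.0.113.5.50001 > 192.0.2.10.80: Flags [P.], seq 1:90, ack 1, win 65535, length 89: HTTP: GET /cgi-bin/search.cgi?q=aaaa HTTP/1.0
16:13:22.000400 IP 203.0.113.5.50002 > 192.0.2.10.80: Flags [P.], seq 1:90, ack 1, win 65535, length 89: HTTP: GET /cgi-bin/search.cgi?q=aaab HTTP/1.0
16:13:22.000500 IP 203.0.113.5.50003 > 192.0.2.10.80: Flags [P.], seq 1:90, ack 1, win 65535, length 89: HTTP: GET /cgi-bin/search.cgi?q=aaac HTTP/1.0
16:13:22.000600 IP 203.0.113.5.50004 > 192.0.2.10.80: Flags [P.], seq 1:90, ack 1, win 65535, length 89: HTTP: GET /cgi-bin/search.cgi?q=aaad HTTP/1.0
16:13:22.000700 IP 203.0.113.77.40001 > 192.0.2.10.80: Flags [P.], seq 1:70, ack 1, win 65535, length 69: HTTP: GET /index.html HTTP/1.0
"""

# One TCP line: timestamp, src.port > dst.port, flags, ..., length N[: decoded payload]
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
    r".*?length (?P<length>\d+)(?P<rest>.*)$"
)


def parse_line(line):
    """Return the fields of one tcpdump line, or None if it is not a TCP line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarize(capture, server=SERVER):
    """Count inbound packets to `server` by source, bare SYNs and HTTP requests."""
    pkts = [p for p in map(parse_line, capture.splitlines()) if p and p["dst"] == server]
    requests = [p for p in pkts if "HTTP: GET" in p["rest"] or "HTTP: POST" in p["rest"]]
    return {
        "total": len(pkts),
        "sources": Counter(p["src"] for p in pkts),
        "syn_only": sum(1 for p in pkts if p["flags"] == "S"),
        "requests": Counter(p["src"] for p in requests),
        "cgi_requests": sum(1 for p in requests if "/cgi-bin/" in p["rest"]),
    }


def classify(summary):
    """Rough verdict: which of the two cases in the post does this capture resemble?"""
    total = summary["total"]
    if total == 0:
        return "no-inbound-traffic"
    # Mostly bare SYNs from many addresses: the link or the state table is the target.
    if summary["syn_only"] / total >= 0.8:
        return "syn-flood"
    nreq = sum(summary["requests"].values())
    # Completed connections repeatedly hitting CGI: the CPU is the target.
    if nreq and summary["cgi_requests"] / nreq >= 0.8:
        return "cgi-request-flood"
    return "mixed-or-unknown"


ADVICE = {
    "syn-flood": "Line/state saturation: a local firewall helps little once the link is "
                 "full; record top sources and ports and ask the upstream to filter.",
    "cgi-request-flood": "Host resource exhaustion: rate-limit or block the offending "
                         "sources on the local firewall.",
    "mixed-or-unknown": "Inspect further: compare packet rate with link capacity and look "
                        "at per-source counts before deciding where to filter.",
    "no-inbound-traffic": "Nothing addressed to the server in this capture.",
}


def top_sources(summary, n=3):
    """The noisiest senders, for the abuse report to the source networks' upstreams."""
    return summary["sources"].most_common(n)


if __name__ == "__main__":
    for name, cap in (("SYN flood sample", SYN_FLOOD), ("CGI flood sample", CGI_FLOOD)):
        s = summarize(cap)
        verdict = classify(s)
        print(f"{name}: {s['total']} inbound packets, {len(s['sources'])} sources, "
              f"{s['syn_only']} bare SYNs, {sum(s['requests'].values())} HTTP requests")
        print(f"  verdict: {verdict} -> {ADVICE[verdict]}")
        print(f"  top sources: {top_sources(s)}")
```

Run it against a real file with `summarize(open("dump.txt").read())`; the 0.8 thresholds are arbitrary starting points, and a high bare-SYN ratio with as many distinct sources as packets is the usual sign of spoofed addresses, in which case the per-source list is evidence for the upstream rather than a block list for your own firewall.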