Date: Fri, 5 Dec 2003 12:41:18 +0000
From: Jez Hancock <jez.hancock@munk.nu>
To: freebsd-questions@FreeBSD.org
Subject: Re: ipfilter traffic blocking and tcpdump snort etc
Message-ID: <20031205124117.GA73137@users.munk.nu>
In-Reply-To: <200312051310.20404.freebsd-questions@webteckies.org>
References: <20031205002412.GA37507@users.munk.nu> <20031205.103353.985d01b49b9f3980.10.0.3.9@bugsgrief.net> <20031205105839.GC65445@users.munk.nu> <200312051310.20404.freebsd-questions@webteckies.org>
On Fri, Dec 05, 2003 at 01:10:16PM +0100, Melvyn Sopacua wrote:
> On Friday 05 December 2003 11:58, Jez Hancock wrote:
>
> > Let me rephrase that one :P I meant is there a method - for example
> > such as adding some kind of routing via arp - so that packets are
> > dropped on the floor even quicker than they would be via the firewall
> > method?
>
> You could bind the ip's to the loopback interface, but I think the firewall
> setup is quicker.

Interesting(!) idea but kind of does the DOS'ers job for 'em!

I'm really curious as to what type of attack it actually was. Right now I know:

- it was aimed at a single address on port 80

- global apache errorlog was relatively quiet in the run up to the exhaustion of apache with only a small hint that a larger number of requests were being made:

    [Thu Dec 4 18:47:46 2003] [info] server seems busy, (you may need to increase StartServers, or Min/MaxSpareServers), spawning 8 children, there are 0 idle, and 146 total children
    [Thu Dec 4 18:47:47 2003] [error] server reached MaxClients setting, consider raising the MaxClients setting
    [Thu Dec 4 18:52:34 2003] [notice] child pid 91863 exit signal Segmentation fault (11)
    <snip same error log line repeated around 4,500 times!>
    [Fri Dec 5 00:13:04 2003] [notice] child pid 38280 exit signal Segmentation fault (11)
    [Fri Dec 5 01:35:52 2003] [info] server seems busy, (you may need to increase StartServers, or Min/MaxSpareServers), spawning 8 children, there are 0 idle, and 17 total children

  note the 5min gap between the server reaching the MaxClients setting and the server collapsing with no err log entries in between

- no HTTP requests were logged by apache from any of the dozen or so attacking hosts

- snort captured only SYN packets from the attacking hosts (I suppose this explains why no requests were logged by apache)

- all the attacking hosts had both port 25 and 80 open, although none of those hosts accepted inbound connections to those ports

Would appear someone had control over a few zombie hosts and was able to coordinate a distributed attack - thankfully it was only a dozen or so hosts :P

-- 
Jez Hancock - System Administrator / PHP Developer
http://munk.nu/
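As an added illustration (not part of Jez's mail or the thread): a small Python parser for Apache 1.3 error_log lines of the kind quoted above. It locates the "server reached MaxClients" event, counts the child segfaults that followed and measures the gap between the two, which is the "5min gap" observation made by hand in the mail. The log lines and pids in SAMPLE_LOG are constructed, not taken from the real log.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the Apache 1.3 error_log lines quoted in the mail
# (timestamps and pids are made up; the real log had ~4,500 segfault lines).
SAMPLE_LOG = """\
[Thu Dec  4 18:47:46 2003] [info] server seems busy, (you may need to increase StartServers, or Min/MaxSpareServers), spawning 8 children, there are 0 idle, and 146 total children
[Thu Dec  4 18:47:47 2003] [error] server reached MaxClients setting, consider raising the MaxClients setting
[Thu Dec  4 18:52:34 2003] [notice] child pid 91863 exit signal Segmentation fault (11)
[Thu Dec  4 18:52:35 2003] [notice] child pid 91864 exit signal Segmentation fault (11)
[Thu Dec  4 18:52:35 2003] [notice] child pid 91870 exit signal Segmentation fault (11)
[Fri Dec  5 00:13:04 2003] [notice] child pid 38280 exit signal Segmentation fault (11)
[Fri Dec  5 01:35:52 2003] [info] server seems busy, (you may need to increase StartServers, or Min/MaxSpareServers), spawning 8 children, there are 0 idle, and 17 total children
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
SEGV_RE = re.compile(r"child pid (?P<pid>\d+) exit signal Segmentation fault")

def parse_line(line):
    """Return (timestamp, level, message) for an Apache 1.3 error_log line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Apache 1.3 pads the day with a space ("Dec  4"); strptime tolerates that.
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("level"), m.group("msg")

def summarize(log_text):
    """Find the first MaxClients event, the segfault burst after it and the gap between them."""
    max_clients_at = None
    segfault_times = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, _level, msg = parsed
        if "server reached MaxClients setting" in msg and max_clients_at is None:
            max_clients_at = ts
        if SEGV_RE.search(msg):
            segfault_times.append(ts)
    result = {
        "max_clients_at": max_clients_at,
        "segfault_count": len(segfault_times),
        "first_segfault_at": segfault_times[0] if segfault_times else None,
        "last_segfault_at": segfault_times[-1] if segfault_times else None,
        "gap_seconds": None,
    }
    if max_clients_at and segfault_times:
        result["gap_seconds"] = int((segfault_times[0] - max_clients_at).total_seconds())
    return result
```

Run it against a real error_log with `summarize(open("error_log").read())`; a MaxClients event followed by a gap with no entries and then a segfault burst is the signature described in the mail.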