[SOLVED] Re: how to fight concurrent connection DOS attack to FreeBSD ftpd?

[Zhang Weiwu]

Thank you very much for everyone helped me. As a summary:

   1. Bill Moran pointed out the mistake in ftpd.conf which should refer
      to lukemftpd (but referred to ftpd); He also suggested using
      lukemftpd in place of ftpd, but my ftpd is patched by myself and I
      prefer not to patch it again to lukemftpd (too few time now), thus
      I prefer keep using ftpd;
   2. JD Bronson suggested using pf for controlling traffic, which is
      more powerful and can solve more problems, but takes a learning curve;
   3. Quan Qiu gave an instant fix method, start ftpd from inetd.conf,
      which worked instantly solved my problem. I also need to give not
      only

      nowait/50/10

      But also

      nowait/50/10/10
          

      Because the attacker is very determined, with "nowait/50/10" he
      makes sure I got 50 connections after 5 minutes, making other
      people not able to login.


Quan Qiu wrote:
> On Nov 24, 2007 10:34 PM, Zhang Weiwu <zhangweiwu at realss.com> wrote:
>   
>> I run a ftp site which is being attacked by someone who issue some 1000
>> concurrent connection for downloading as anonymous. How can I fight back?
>>     
>
>   
>> If ftpd.conf is not the right manual page to read, can you suggest which
>> configuration manual to read to fight back this attack? Thanks in advance!
>>
>>     
>
>
> Try wrapping your ftpd using inetd. There are some limits to max child
> processes and max connections per ip in inetd.conf(5). An example for
> vsftpd:
>
> ftp     stream  tcp     nowait/50/10
>         root    /usr/local/libexec/vsftpd       vsftpd
>
> Refer to the inetd.conf(5) manpage for more.
>
>