ipfilter traffic blocking and tcpdump snort etc

Jez Hancock jez.hancock at munk.nu
Fri Dec 5 04:41:20 PST 2003


On Fri, Dec 05, 2003 at 01:10:16PM +0100, Melvyn Sopacua wrote:
> On Friday 05 December 2003 11:58, Jez Hancock wrote:
> 
> > Let me rephrase that one :P  I meant is there a method - for example
> > such as adding some kind of routing via arp - so that packets are
> > dropped on the floor even quicker than they would be via the firewall
> > method?
> 
> You could bind the ip's to the loopback interface, but I think the firewall 
> setup is quicker.
Interesting(!) idea, but it kind of does the DoS'er's job for 'em!

I'm really curious as to what type of attack it actually was.  Right now
I know:

- it was aimed at a single address on port 80
- global apache errorlog was relatively quiet in the run up to the
  exhaustion of apache with only a small hint that a larger number of
  requests were being made:

[Thu Dec  4 18:47:46 2003] [info] server seems busy, (you may need to increase StartServers, or Min/MaxSpareServers), spawning 8 children, there are 0 idle, and 146 total children
[Thu Dec  4 18:47:47 2003] [error] server reached MaxClients setting, consider raising the MaxClients setting
[Thu Dec  4 18:52:34 2003] [notice] child pid 91863 exit signal Segmentation fault (11)
<snip same error log line repeated around 4,500 times!>
[Fri Dec  5 00:13:04 2003] [notice] child pid 38280 exit signal Segmentation fault (11)
[Fri Dec  5 01:35:52 2003] [info] server seems busy, (you may need to increase StartServers, or Min/MaxSpareServers), spawning 8 children, there are 0 idle, and 17 total children

  note the 5-minute gap between the server reaching the MaxClients setting
  and the server collapsing, with no error log entries in between

- no HTTP requests were logged by apache from any of the dozen or so
  attacking hosts

- snort captured only SYN packets from the attacking hosts (I suppose
  this explains why no requests were logged by apache)
  
- all the attacking hosts had both port 25 and 80 open, although none of
  those hosts accepted inbound connections to those ports

It would appear someone had control over a few zombie hosts and was able
to coordinate a distributed attack - thankfully it was only a dozen or so
hosts :P

-- 
Jez Hancock
 - System Administrator / PHP Developer

http://munk.nu/
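An added worked example, not part of the message above or of any tool it mentions: a small Python script that reads tcpdump's one-line TCP summaries (both the classic "S" / "S." / "." flag column and the newer "Flags [S]" form), singles out sources that only ever send SYNs to the target's port 80 and never follow up with an ACK or data (the pattern snort reported here: SYNs only, no request ever reaching apache), and prints ipfilter block rules for them. The sample capture, every address in it, the fxp0 interface name and the three-SYN threshold are constructed assumptions.

```python
"""Added example (not from the post): find SYN-only talkers in tcpdump
output and emit ipfilter block rules for them.  Every address, the
interface name and the sample capture below are constructed."""
import re
import sys
from collections import defaultdict

# One tcpdump TCP summary line.  Accepts the classic flag column
# ("S", "S.", ".", "P.") and the newer "Flags [S]" form; the "IP" token
# after the timestamp is optional so both old and new tcpdump output parse.
_LINE = re.compile(
    r"^\S+\s+(?:IP\s+)?(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+"
    r"(?:Flags\s+\[(?P<nflags>[^\]]*)\]|(?P<oflags>[SFRPWUE.]+))"
)

# Constructed capture (documentation addresses): 198.51.100.7 and
# 203.0.113.9 only ever send SYNs to port 80 on 192.0.2.10; 192.0.2.55
# completes the handshake and sends a request like a real browser.
SAMPLE = """\
18:47:40.100001 IP 198.51.100.7.40001 > 192.0.2.10.80: Flags [S], seq 1, win 8192
18:47:40.100002 IP 198.51.100.7.40002 > 192.0.2.10.80: Flags [S], seq 2, win 8192
18:47:40.100003 IP 198.51.100.7.40003 > 192.0.2.10.80: Flags [S], seq 3, win 8192
18:47:40.100004 IP 198.51.100.7.40004 > 192.0.2.10.80: Flags [S], seq 4, win 8192
18:47:40.200001 IP 203.0.113.9.51000 > 192.0.2.10.80: S 100:100(0) win 65535
18:47:40.200002 IP 203.0.113.9.51001 > 192.0.2.10.80: S 101:101(0) win 65535
18:47:40.200003 IP 203.0.113.9.51002 > 192.0.2.10.80: S 102:102(0) win 65535
18:47:41.000001 IP 192.0.2.55.33000 > 192.0.2.10.80: S 500:500(0) win 65535
18:47:41.000002 IP 192.0.2.10.80 > 192.0.2.55.33000: S. 900:900(0) ack 501 win 65535
18:47:41.000003 IP 192.0.2.55.33000 > 192.0.2.10.80: . ack 901 win 65535
18:47:41.000004 IP 192.0.2.55.33000 > 192.0.2.10.80: P. 501:612(111) ack 901 win 65535
18:47:42.000001 IP 198.51.100.7.40005 > 192.0.2.10.25: Flags [S], seq 5, win 8192
"""


def classify(lines, target, port=80):
    """Count, per source address, bare SYNs versus any other segment sent
    to target:port.  A source whose 'other' count stays at zero never got
    past the first packet of the handshake."""
    stats = defaultdict(lambda: {"syn": 0, "other": 0})
    for line in lines:
        m = _LINE.match(line)
        if not m or m["dst"] != target or int(m["dport"]) != port:
            continue
        flags = m["nflags"] if m["nflags"] is not None else m["oflags"]
        # "S" without "." is a bare SYN; "S." would be a SYN-ACK, "." an ACK.
        kind = "syn" if "S" in flags and "." not in flags else "other"
        stats[m["src"]][kind] += 1
    return dict(stats)


def suspects(stats, min_syns=3):
    """Sources that sent at least min_syns SYNs and nothing else at all."""
    return sorted(src for src, c in stats.items()
                  if c["syn"] >= min_syns and c["other"] == 0)


def ipf_rules(hosts, target, port=80, iface="fxp0"):
    """ipfilter rules dropping each host's traffic to target:port.
    'quick' stops rule evaluation at the first match; fxp0 is assumed."""
    return ["block in quick on %s proto tcp from %s/32 to %s/32 port = %d"
            % (iface, h, target, port) for h in hosts]


if __name__ == "__main__":
    # Live use:  tcpdump -n -l 'tcp and dst port 80' | python thisfile.py
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE.splitlines()
    stats = classify(source, "192.0.2.10")
    for rule in ipf_rules(suspects(stats), "192.0.2.10"):
        print(rule)
```

On the constructed capture this prints two rules, one each for 198.51.100.7 and 203.0.113.9, and leaves 192.0.2.55 alone because it ACKed and sent data. Per-source rules like these only help when the attacking sources are real, fixed hosts, as the dozen zombies in this case appear to be; a SYN flood with spoofed source addresses would need SYN cookies on the target (net.inet.tcp.syncookies on FreeBSD) or a stateful firewall rather than a growing list of block rules.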
