ipfilter traffic blocking and tcpdump snort etc
Jez Hancock
jez.hancock at munk.nu
Fri Dec 5 04:41:20 PST 2003
On Fri, Dec 05, 2003 at 01:10:16PM +0100, Melvyn Sopacua wrote:
> On Friday 05 December 2003 11:58, Jez Hancock wrote:
>
> > Let me rephrase that one :P I meant is there a method - for example
> > such as adding some kind of routing via arp - so that packets are
> > dropped on the floor even quicker than they would be via the firewall
> > method?
>
> You could bind the ip's to the loopback interface, but I think the firewall
> setup is quicker.
Interesting(!) idea but kind of does the DOS'ers job for 'em!
I'm really curious as to what type of attack it actually was. Right now
I know:
- it was aimed at a single address on port 80
- global apache errorlog was relatively quiet in the run up to the
exhaustion of apache with only a small hint that a larger number of
requests were being made:
[Thu Dec 4 18:47:46 2003] [info] server seems busy, (you may need to increase StartServers, or Min/MaxSpareServers), spawning 8 children, there are 0 idle, and 146 total children
[Thu Dec 4 18:47:47 2003] [error] server reached MaxClients setting, consider raising the MaxClients setting
[Thu Dec 4 18:52:34 2003] [notice] child pid 91863 exit signal Segmentation fault (11)
<snip same error log line repeated around 4,500 times!>
[Fri Dec 5 00:13:04 2003] [notice] child pid 38280 exit signal Segmentation fault (11)
[Fri Dec 5 01:35:52 2003] [info] server seems busy, (you may need to increase StartServers, or Min/MaxSpareServers), spawning 8 children, there are 0 idle, and 17 total children
note the 5min gap between the server reaching the MaxClients setting
and the server collapsing with no err log entries in between
- no HTTP requests were logged by apache from any of the dozen or so
attacking hosts
- snort captured only SYN packets from the attacking hosts (I suppose
this explains why no requests were logged by apache)
- all the attacking hosts had both port 25 and 80 open, although none of
those hosts accepted inbound connections to those ports
Would appear someone had control over a few zombie hosts and was able to
coordinate a distributed attack - thankfully it was only a dozen or so
hosts :P
--
Jez Hancock
- System Administrator / PHP Developer
http://munk.nu/
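An added example, not code from the post or the thread, of the detection logic the observation above implies: from a capture in old tcpdump flag notation (constructed sample below, with "S" for a bare SYN and "." for the ACK that completes a handshake), pick out hosts that only ever sent SYNs to port 80 and emit ipfilter rules for them. The interface name fxp0 and the exact rule wording are assumptions.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines (not from the original post).
# 192.0.2.10 and 192.0.2.11 send SYNs only; 203.0.113.7 completes a handshake.
SAMPLE_CAPTURE = """\
18:47:40.100 IP 192.0.2.10.40001 > 198.51.100.5.80: S 1:1(0) win 512
18:47:40.101 IP 192.0.2.10.40002 > 198.51.100.5.80: S 1:1(0) win 512
18:47:40.102 IP 192.0.2.10.40003 > 198.51.100.5.80: S 1:1(0) win 512
18:47:40.200 IP 203.0.113.7.51000 > 198.51.100.5.80: S 1:1(0) win 65535
18:47:40.201 IP 203.0.113.7.51000 > 198.51.100.5.80: . ack 1 win 65535
18:47:40.300 IP 192.0.2.11.40010 > 198.51.100.5.80: S 1:1(0) win 512
18:47:40.301 IP 192.0.2.11.40011 > 198.51.100.5.80: S 1:1(0) win 512
"""

# Assumed line shape: "<time> IP <src>.<sport> > <dst>.<dport>: <flags> ..."
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>\S+)"
)


def syn_only_hosts(capture, dport=80, min_syns=2):
    """Return {src: syn_count} for sources that sent at least min_syns SYNs
    to dport and never sent an ACK, i.e. never completed a handshake."""
    syns = defaultdict(int)
    acked = set()
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m.group("dport")) != dport:
            continue
        src, flags = m.group("src"), m.group("flags")
        if flags == "S":
            syns[src] += 1
        elif flags == ".":
            acked.add(src)
    return {h: n for h, n in syns.items() if n >= min_syns and h not in acked}


def ipf_block_rules(hosts, iface="fxp0", dport=80):
    """Emit one ipfilter 'block in quick' rule per flagged host (assumed syntax)."""
    return [f"block in quick on {iface} proto tcp from {h}/32 to any port = {dport}"
            for h in sorted(hosts)]


if __name__ == "__main__":
    for rule in ipf_block_rules(syn_only_hosts(SAMPLE_CAPTURE)):
        print(rule)
```

The threshold and the ACK check are what keep an ordinary client that retried a SYN once from being listed alongside the half-open flood sources.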