ipfilter traffic blocking and tcpdump snort etc

David dspezialie at fastmail.com.au
Fri Dec 5 05:01:29 PST 2003


Maybe an upgrade of apache would be a good start? And have a look at
mod_bandwidth <http://www.cohprog.com/mod_bandwidth.html> and mod_dosevasive
<http://www.nuclearelephant.com/projects/dosevasive/>

-david

> -----Original Message-----
> From: Jez Hancock [mailto:jez.hancock at munk.nu]
> Sent: Friday, 5 December 2003 23:41
> To: freebsd-questions at FreeBSD.org
> Subject: Re: ipfilter traffic blocking and tcpdump snort etc
> 
> 
> On Fri, Dec 05, 2003 at 01:10:16PM +0100, Melvyn Sopacua wrote:
> > On Friday 05 December 2003 11:58, Jez Hancock wrote:
> > 
> > > Let me rephrase that one :P  I meant is there a method - for example
> > > such as adding some kind of routing via arp - so that packets are
> > > dropped on the floor even quicker than they would be via the firewall
> > > method?
> > 
> > You could bind the ip's to the loopback interface, but I think the firewall
> > setup is quicker.
> Interesting(!) idea but kind of does the DOS'ers job for 'em!
> 
> I'm really curious as to what type of attack it actually was.  Right now
> I know:
> 
> - it was aimed at a single address on port 80
> - global apache errorlog was relatively quiet in the run up to the
>   exhaustion of apache with only a small hint that a larger number of
>   requests were being made:
> 
> [Thu Dec  4 18:47:46 2003] [info] server seems busy, (you may need to increase StartServers, or Min/MaxSpareServers), spawning 8 children, there are 0 idle, and 146 total children
> [Thu Dec  4 18:47:47 2003] [error] server reached MaxClients setting, consider raising the MaxClients setting
> [Thu Dec  4 18:52:34 2003] [notice] child pid 91863 exit signal Segmentation fault (11)
> <snip same error log line repeated around 4,500 times!>
> [Fri Dec  5 00:13:04 2003] [notice] child pid 38280 exit signal Segmentation fault (11)
> [Fri Dec  5 01:35:52 2003] [info] server seems busy, (you may need to increase StartServers, or Min/MaxSpareServers), spawning 8 children, there are 0 idle, and 17 total children
> 
>   note the 5min gap between the server reaching the MaxClients setting
>   and the server collapsing with no err log entries in between
> 
> - no HTTP requests were logged by apache from any of the dozen or so
>   attacking hosts
> 
> - snort captured only SYN packets from the attacking hosts (I suppose
>   this explains why no requests were logged by apache)
>   
> - all the attacking hosts had both port 25 and 80 open, although none of
>   those hosts accepted inbound connections to those ports
> 
> Would appear someone had control over a few zombie hosts and was able to
> coordinate a distributed attack - thankfully it was only a dozen or so
> hosts :P
> 
> -- 
> Jez Hancock
>  - System Administrator / PHP Developer
> 
> http://munk.nu/
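A detection pass over the SYN-only pattern Jez describes above (snort saw nothing but SYNs from the attacking hosts, apache logged no requests), as an added example that is not part of the original thread. It parses tcpdump-style text lines in an assumed one-line format, with constructed sample addresses, and reports sources that sent several SYNs to port 80 without ever completing a handshake.

```python
import re
from collections import defaultdict

# Assumed one-line tcpdump text format: "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def syn_only_sources(lines, dport=80, min_syns=3):
    """Return {src: syn_count} for sources that sent at least `min_syns` SYNs
    to `dport` and never sent any non-SYN segment to it, i.e. they never
    finished the three-way handshake (the SYN-only pattern seen on the list)."""
    syns = defaultdict(int)       # pure SYN segments per source
    followups = defaultdict(int)  # any other segment (ACK, PSH-ACK, ...) per source
    for line in lines:
        m = TCPDUMP_RE.match(line)
        if not m or int(m.group("dport")) != dport:
            continue
        src, flags = m.group("src"), m.group("flags")
        if flags == "S":
            syns[src] += 1
        else:
            followups[src] += 1
    return {src: n for src, n in syns.items()
            if n >= min_syns and followups[src] == 0}


# Constructed sample capture (not from the original thread): 192.0.2.10 is the
# web server, 198.51.100.1/.2 only ever send SYNs, 203.0.113.7 completes a handshake.
SAMPLE = """\
18:47:40.000001 IP 198.51.100.1.40001 > 192.0.2.10.80: Flags [S], seq 1, win 65535, length 0
18:47:40.000002 IP 198.51.100.1.40002 > 192.0.2.10.80: Flags [S], seq 1, win 65535, length 0
18:47:40.000003 IP 198.51.100.1.40003 > 192.0.2.10.80: Flags [S], seq 1, win 65535, length 0
18:47:40.000004 IP 198.51.100.2.40001 > 192.0.2.10.80: Flags [S], seq 1, win 65535, length 0
18:47:40.000005 IP 198.51.100.2.40002 > 192.0.2.10.80: Flags [S], seq 1, win 65535, length 0
18:47:40.000006 IP 198.51.100.2.40003 > 192.0.2.10.80: Flags [S], seq 1, win 65535, length 0
18:47:40.000007 IP 203.0.113.7.50000 > 192.0.2.10.80: Flags [S], seq 1, win 65535, length 0
18:47:40.000008 IP 203.0.113.7.50000 > 192.0.2.10.80: Flags [.], ack 1, win 65535, length 0
18:47:40.000009 IP 203.0.113.7.50000 > 192.0.2.10.80: Flags [P.], seq 1:80, ack 1, win 65535, length 79
18:47:40.000010 IP 198.51.100.3.40001 > 192.0.2.10.25: Flags [S], seq 1, win 65535, length 0
""".splitlines()

if __name__ == "__main__":
    for src, n in sorted(syn_only_sources(SAMPLE).items()):
        print(f"{src}: {n} SYNs to port 80, no handshake completion")
```

The same pass over a real `tcpdump -n 'tcp and dst port 80'` text dump gives a candidate list for an ipfilter block rule; a tuned `min_syns` keeps slow or retransmitting legitimate clients out of it.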