how to fight concurrent connection DOS attack to FreeBSD ftpd?

Zhang Weiwu zhangweiwu at realss.com
Sat Nov 24 07:07:43 PST 2007


Dear all

I run an FTP site which is being attacked by someone who issues some 1000
concurrent connections for downloading as anonymous. How can I fight back?

The behaviour is like this: after '#/etc/rc.d/ftpd start', the number of
ftpd processes goes to several thousand. ps told me they are all accessed
by the same user.

I read the manual and found ftpd.conf(5) says /etc/ftpd.conf is the
configuration file for ftpd(8). But creating /etc/ftpd.conf with "limit
all 10" doesn't help (system behaviour is the same); it seems ftpd ignored
the configuration file.

I worry whether ftpd.conf is REALLY the configuration file of ftpd, because
ftpd.conf is not mentioned in the ftpd(8) manual page. Usually the
configuration file of a daemon is always mentioned in the daemon's manual
page.

If ftpd.conf is not the right manual page to read, can you suggest which
configuration manual to read to fight back against this attack? Thanks in
advance!

Here is the diagnostic output 3 seconds after ftpd started:

[root at exupery /home/zhangweiwu]# ps ax | grep ftpd
 2028  ??  Ss     0:00.06 /usr/libexec/ftpd -D -l8
 2035  ??  D      0:01.63 ftpd: 222.16.60.67: anonymous/IEUser@: RETR 18_æ\M^]\M^Næ\M^V¯ç\M^I¹_浪漫æ¨
 2043  ??  S      0:00.03 ftpd: 222.16.60.67: anonymous/IEUser@: QUIT \r\n (ftpd)
 2044  ??  S      0:00.03 ftpd: 222.16.60.67: anonymous/IEUser@: QUIT \r\n (ftpd)
 2045  ??  S      0:00.03 ftpd: 222.16.60.67: anonymous/IEUser@: QUIT \r\n (ftpd)
 2048  ??  S      0:00.03 ftpd: 222.16.60.67: anonymous/IEUser@: QUIT \r\n (ftpd)
 2049  ??  S      0:00.03 ftpd: 222.16.60.67: anonymous/IEUser@: QUIT \r\n (ftpd)
 2050  ??  S      0:00.03 ftpd: 222.16.60.67: anonymous/IEUser@: QUIT \r\n (ftpd)
 2051  ??  S      0:00.03 ftpd: 222.16.60.67: anonymous/IEUser@: QUIT \r\n (ftpd)
 2052  ??  S      0:00.03 ftpd: 222.16.60.67: anonymous/IEUser@: QUIT \r\n (ftpd)
 2053  ??  S      0:00.03 ftpd: 222.16.60.67: anonymous/IEUser@: QUIT \r\n (ftpd)
 2055  ??  S      0:00.03 ftpd: 222.16.60.67: anonymous/IEUser@: QUIT \r\n (ftpd)
 2057  ??  S      0:00.03 ftpd: 222.16.60.67: anonymous/IEUser@: QUIT \r\n (ftpd)
 2059  ??  S      0:00.03 ftpd: 222.16.60.67: anonymous/IEUser@: QUIT \r\n (ftpd)
 2063  ??  S      0:00.03 ftpd: 222.16.60.67: anonymous/IEUser@: QUIT \r\n (ftpd)
 2065  ??  S      0:00.03 ftpd: 222.16.60.67: anonymous/IEUser@: QUIT \r\n (ftpd)
 2069  ??  S      0:00.03 ftpd: 222.16.60.67: anonymous/IEUser@: QUIT \r\n (ftpd)
 2070  ??  S      0:00.04 ftpd: 222.16.60.67: anonymous/IEUser@: QUIT \r\n (ftpd)
 2071  ??  S      0:00.03 ftpd: 222.16.60.67: anonymous/IEUser@: QUIT \r\n (ftpd)
 2072  ??  S      0:00.04 ftpd: 222.16.60.67: anonymous/IEUser@: QUIT \r\n (ftpd)
 2074  ??  S      0:00.04 ftpd: 222.16.60.67: anonymous/IEUser@: QUIT \r\n (ftpd)
 2077  ??  S      0:00.03 ftpd: 222.16.60.67: anonymous/IEUser@: QUIT \r\n (ftpd)
 2080  ??  S      0:00.03 ftpd: 222.16.60.67: anonymous/IEUser@: RETR 18_æ\M^]\M^Næ\M^V¯ç\M^I¹_浪漫æ¨
 2081  ??  R      0:00.03 ftpd: 222.16.60.67: anonymous/IEUser@: RETR 18_æ\M^]\M^Næ\M^V¯ç\M^I¹_浪漫æ¨
 2084  ??  R      0:00.03 ftpd: 222.16.60.67: anonymous/IEUser@: RETR 18_æ\M^]\M^Næ\M^V¯ç\M^I¹_浪漫æ¨


-- 
Real Softservice

Huateng Tower, Unit 1788
Jia 302 3rd area of Jinsong, Chao Yang

Tel: +86 (10) 8773 0650 ext 603
Mobile: 135 9950 2413
http://www.realss.com
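
Added example (not part of the original message): a small sh/awk helper that counts ftpd sessions per client address from `ps ax` output, using the "ftpd: <address>: <user>/<password>: <command>" process-title layout seen in the listing above. The function names, the threshold argument and the sample lines (documentation addresses 192.0.2.10 and 198.51.100.7) are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-client count of ftpd sessions taken from `ps ax` output.
# Assumes the column layout shown in the post: PID TT STAT TIME COMMAND...

# ftpd_sessions_by_client THRESHOLD
# Reads `ps ax` output on stdin and prints "<count> <address>" for every
# client holding at least THRESHOLD sessions, busiest client first.
ftpd_sessions_by_client() {
    awk -v min="$1" '
        # Session processes retitle themselves "ftpd: <address>: ...".
        # The listener (/usr/libexec/ftpd -D) and "grep ftpd" do not match.
        $5 == "ftpd:" {
            addr = $6
            sub(/:$/, "", addr)   # drop only the trailing colon (IPv6-safe)
            count[addr]++
        }
        END {
            for (a in count)
                if (count[a] >= min)
                    print count[a], a
        }
    ' | sort -rn
}

# Constructed sample input in the same shape as the listing in the post.
sample_ps() {
    cat <<'EOF'
 2028  ??  Ss     0:00.06 /usr/libexec/ftpd -D -l8
 2035  ??  D      0:01.63 ftpd: 192.0.2.10: anonymous/guest@: RETR file.bin
 2043  ??  S      0:00.03 ftpd: 192.0.2.10: anonymous/guest@: QUIT \r\n (ftpd)
 2044  ??  S      0:00.03 ftpd: 192.0.2.10: anonymous/guest@: QUIT \r\n (ftpd)
 2045  ??  R      0:00.03 ftpd: 192.0.2.10: anonymous/guest@: RETR file.bin
 2050  ??  S      0:00.02 ftpd: 198.51.100.7: anonymous/guest@: LIST
 2090  p0  S+     0:00.00 grep ftpd
EOF
}

# Demo on the sample; on a live host: ps ax | ftpd_sessions_by_client 10
sample_ps | ftpd_sessions_by_client 3
```
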



More information about the freebsd-questions mailing list