DDOS problem from Bangkok, Thailand

[Volker]

On 03/06/08 11:58, kamolpat at dmaccess.net wrote:
> Dear Security team,
> 
> I'm Kamolpat Pornatiwiwat, Sys admin of DMaccess Co., Ltd. I'm got the
> problem, My FreeBSD 6.0 got Dos attacked. What should I do? At the
> present, I decide to stop apache and leave only mail feature on
> functioning. Any guide/recommend/solution will be appreciated.
> 
> More detail about my server:
> ======================
> FreeBSD 6.0 apache-1.3.34_4 php5-5.1.2_1 MySQL 5.0.20
> 
> 
> php.ini
> ======
> ;;;;;;;;;;;;;;;;;;;
> ; Resource Limits ;
> ;;;;;;;;;;;;;;;;;;;
> 
> max_execution_time = 30     ; Maximum execution time of each script, in
> seconds
> max_input_time = 60     ; Maximum amount of time each script may spend
> parsing r
> memory_limit = 32M   (at the beginning it is 8M, I change to 32MB since
> the cause of httpd-error.log, however, it still the error as the
> following showed on httpd-error.log
> 
> 
> FILE:/var/log/httpd-error.log
> =====================
> Allowed memory size of 33554432 bytes exhausted ....  happend like this
> all over  the log
> 
> Thanks in Advanced,
> Kamolpat Pornatiwiwat, Sys admin DMaccess Co., Ltd.

Kamolpat,

without being a member of the secteam, I like to jump in here.

${subject} contains "DDoS" but I don't see any signs of a DDoS from what
you're describing. Sure it might be a DoS attack but that needs
carefully inspection of your log file (look for specially crafted URLs
being requested).

To me, exhausted memory situations are more likely looking like
application problems (read as: bad code). With just that exhausted
memory message given, it's guesswork to tell more but you may want to
check PHP's bug database.

BTW (not related to your problem), you might also want to consider
migrating to Apache 2.x as support for Apache 1.3x will end soon, IIRC.
Also FreeBSD 6.0 will be EOL'd in less then 3 months.

If you still think it's DoS attack you're seeing, you should query
upstream (either PHP or Apache folks) for help on that.

Regards,

Volker