Dos Attack!

  • mailman
    Confirmed User
    • Mar 2001
    • 6311

    #1

    Dos Attack!

    I need a really good Unix admin..

    One of my sites is getting hit with a DoS attack and my guy can't figure it out.. Contact me if you think you can help!
  • juicylinks
    So Fucking Banned
    • Apr 2001
    • 122992

    #2
    oh oh spaghetttttttti o'ssssssssssssssssss

    • cezam
      Confirmed User
      • Jun 2003
      • 1363

      #3
      What kind of DoS? I've been trying to filter a large SYN flood to one of my servers for the last few hours...

      • mailman
        Confirmed User
        • Mar 2001
        • 6311

        #4
        I'm getting this...

        It doesn't crash.........someone is throwing a DoS style attack at it, trying to open connections on ports that are not listening.

        I get this error in the log:
        /kernel: Limiting closed port RST response from 265 to 200 packets per second
        Aug 4 21:49:31 /kernel: Limiting closed port RST response from 239 to 200 packets per second
        Aug 4 21:49:32 /kernel: Limiting closed port RST response from 230 to 200 packets per second
        Aug 4 21:49:33 /kernel: Limiting closed port RST response from 249 to 200 packets per second
        Aug 4 21:49:34 /kernel: Limiting closed port RST response from 285 to 200 packets per second
        Aug 4 21:49:36 /kernel: Limiting closed port RST response from 268 to 200 packets per second
        Aug 4 21:49:37 /kernel: Limiting closed port RST response from 232 to 200 packets per second
        Aug 4 21:49:38 /kernel: Limiting closed port RST response from 214 to 200 packets per second
        Aug 4 21:49:39 /kernel: Limiting closed port RST response from 233 to 200 packets per second
        Aug 4 21:49:40 /kernel: Limiting closed port RST response from 302 to 200 packets per second
        Aug 4 21:49:42 /kernel: Limiting closed port RST response from 210 to 200 packets per second
        Aug 4 21:49:43 /kernel: Limiting closed port RST response from 269 to 200 packets per second
        Aug 4 21:49:46 /kernel: Limiting closed port RST response from 306 to 200 packets per second
        Aug 4 21:49:48 /kernel: Limiting closed port RST response from 204 to 200 packets per second
        Aug 4 21:49:49 /kernel: Limiting closed port RST response from 270 to 200 packets per second
        Aug 4 21:49:50 /kernel: Limiting closed port RST response from 217 to 200 packets per second
        Aug 4 21:49:51 /kernel: Limiting closed port RST response from 209 to 200 packets per second
        Aug 4 21:49:52 /kernel: Limiting closed port RST response from 325 to 200 packets per second
        Aug 4 21:49:53 /kernel: Limiting closed port RST response from 211 to 200 packets per second
        Aug 4 21:49:54 /kernel: Limiting closed port RST response from 201 to 200 packets per second

        • mailman
          Confirmed User
          • Mar 2001
          • 6311

          #5
          Originally posted by juicylinks
          oh oh spaghetttttttti o'ssssssssssssssssss

          • juicylinks
            So Fucking Banned
            • Apr 2001
            • 122992

            #6
            I didn't know it was your site, I'll stop it in a minute

            • mailman
              Confirmed User
              • Mar 2001
              • 6311

              #7
              Originally posted by juicylinks
              I didn't know it was your site, I'll stop it in a minute

              I wish!...

              • juicylinks
                So Fucking Banned
                • Apr 2001
                • 122992

                #8
                what site is it and have you made any enemies recently?

                Detective Guido is on the case

                • cezam
                  Confirmed User
                  • Jun 2003
                  • 1363

                  #9
                  Let me guess.. you've got a FreeBSD system, right?

                  Your system is responding to SYN requests to closed ports with RSTs... most probably someone is SYN flooding you.

                  If it's FreeBSD I cannot help you, as I do not know ipfw... If it's Linux, try to gather the attacking IPs with tcpdump and block them with iptables.

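The triage cezam describes (read the kernel messages, then gather the attacking IPs with tcpdump), as an added shell example that is not part of the thread. The kernel lines are the first five timestamped entries from post #4; the tcpdump lines and addresses are constructed, and the capture filter is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: summarise the "Limiting closed port RST
# response" messages from post #4, then rank SYN sources from a tcpdump capture.
# Kernel lines are the first five timestamped entries of post #4; tcpdump lines are constructed.

# Kernel messages in the format of post #4 (the cap, 200/s, is the value in the thread).
KERNEL_LOG='Aug 4 21:49:31 /kernel: Limiting closed port RST response from 239 to 200 packets per second
Aug 4 21:49:32 /kernel: Limiting closed port RST response from 230 to 200 packets per second
Aug 4 21:49:33 /kernel: Limiting closed port RST response from 249 to 200 packets per second
Aug 4 21:49:34 /kernel: Limiting closed port RST response from 285 to 200 packets per second
Aug 4 21:49:36 /kernel: Limiting closed port RST response from 268 to 200 packets per second'

# rst_limit_summary: reads the kernel log on stdin, prints "<seconds limited> <peak rate> <cap>".
# Each message means that in that second the box was asked for more RSTs than the cap allows;
# the attempted rate is the number after "from", the cap is the number after "to".
rst_limit_summary() {
    awk '/Limiting closed port RST response from/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { rate = $(i+1) + 0; limit = $(i+3) + 0 }
            n++; if (rate > peak) peak = rate
         }
         END { printf "%d %d %d\n", n, peak, limit }'
}

# Lines as printed by  tcpdump -n "tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn"  (pure SYNs only).
# Constructed: 203.0.113.7 sweeps closed ports, 192.0.2.44 is an ordinary visitor on port 80.
CAPTURE='21:49:31.000101 IP 203.0.113.7.1024 > 198.51.100.9.6000: Flags [S], seq 1, win 512, length 0
21:49:31.000202 IP 203.0.113.7.1025 > 198.51.100.9.6001: Flags [S], seq 2, win 512, length 0
21:49:31.000303 IP 192.0.2.44.51000 > 198.51.100.9.80: Flags [S], seq 3, win 64240, length 0
21:49:31.000404 IP 203.0.113.7.1026 > 198.51.100.9.6002: Flags [S], seq 4, win 512, length 0'

# syn_sources: reads tcpdump output on stdin, prints "<syn count> <source ip>" busiest first.
# The source field is "a.b.c.d.port", so the first four dot-separated parts are the address.
syn_sources() {
    awk '$2 == "IP" && /Flags \[S\]/ {
            split($3, a, "."); print a[1] "." a[2] "." a[3] "." a[4]
         }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

printf '%s\n' "$KERNEL_LOG" | rst_limit_summary   # 5 285 200
printf '%s\n' "$CAPTURE" | syn_sources            # 3 203.0.113.7  then  1 192.0.2.44
```

The ranked list is what step 6 of the later advice needs: block or rate-limit the top entries, not the visitors below them.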
                  • mailman
                    Confirmed User
                    • Mar 2001
                    • 6311

                    #10
                    Originally posted by juicylinks
                    what site is it and have you made any enemies recently?

                    Detective Guido is on the case
                    Nope.. no enemies...

                    • mailman
                      Confirmed User
                      • Mar 2001
                      • 6311

                      #11
                      Edit post.... never mind...

                      • cezam
                        Confirmed User
                        • Jun 2003
                        • 1363

                        #12
                        OK, I gotta go sleep, it's 5am here.. If you need some further help or advice you can hit me up on 232107841 when I'm online...

                        Good night..

                        • asuna
                          Confirmed User
                          • May 2002
                          • 8743

                          #13
                          told you to post on GFY

                          • Smegma
                            Confirmed User
                            • Feb 2002
                            • 1751

                            #14
                            If you were hosted at Jupiter this would be our problem, not yours.
                            • EZRhino
                              Confirmed User
                              • Jul 2003
                              • 6258

                              #15
                              Try the DoS evasive maneuvers module for Apache. It has worked well for me.

                              • res
                                Confirmed User
                                • Nov 2002
                                • 1118

                                #16
                                mailman, I have a good free Unix admin (EFnet IRC operator), he is looking for work. Please contact me if interested.

                                • JamesK
                                  hi
                                  • Jun 2002
                                  • 16731

                                  #17
                                  You can always stop atttttttttttttttttttttttttttaaackers.

                                  FEED THEM WITH BULLSHIT
                                  • PowerCum
                                    CjOverkill
                                    • Apr 2003
                                    • 1328

                                    #18
                                    1) enable TCP SYN cookies
                                    2) Put iptables in place and work with a decent limit / burst (5 SYN per sec is more than enough)
                                    3) install snort (with the deep packet analysis patch) and make it log. Or better, make iptables log or just block all the non-serviced ports.
                                    4) cat snort-log-here | sort | uniq > log-uniq.txt
                                    5) less log-uniq.txt
                                    6) add a limit / burst of 1 per sec for all these IPs
                                    7) reduce the SYN timeout to 15 or 10 sec (the default is 3 minutes)
                                    8) you are done.

                                    If you do not want this thing to repeat every day:
                                    1) install grsec
                                    2) compile a monolithic kernel
                                    3) tune the kernel via sysctl
                                    4) limit / burst in iptables to some decent value (5 SYNs per sec are OK for an average site; this grants access to 4 new surfers every second).
                                    5) tune the SYN expire time to 15 or 10 sec
                                    6) close all non-serviced ports.
                                    7) enable TCP SYN cookies
                                    8) you are done

                                    Hope this helps you.

                                    If you want something more... ICQ me 171216535, but do not bother to contact me if you are on BSD. I hate BSD.

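PowerCum's Linux steps (SYN cookies, an iptables limit/burst on SYNs with logging, dropping non-serviced ports, a shorter half-open timeout) as one script, added here and not part of the thread or of any project's code; the FreeBSD sysctls at the end are my addition for the box in post #4, since the thread names no FreeBSD settings. The port list, rate and burst are assumptions, and DRY_RUN=1 (the default) only prints the commands.

```shell
#!/bin/sh
# Added example, not from the thread: PowerCum's Linux steps 1, 2, 3/6 and 7 as an
# idempotent script, plus FreeBSD sysctls for the RST storm in post #4 (my addition;
# the thread names no FreeBSD settings). Ports, rate and burst are assumptions.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 as root applies them.
DRY_RUN="${DRY_RUN:-1}"
SERVICE_PORTS="${SERVICE_PORTS:-22,80,443}"   # assumption: the ports that are actually listening
SYN_RATE="${SYN_RATE:-5/second}"              # PowerCum: 5 SYN/s is enough for an average site
SYN_BURST="${SYN_BURST:-10}"

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

linux_syn_hardening() {
    run sysctl -w net.ipv4.tcp_syncookies=1       # step 1: keep accepting when the backlog fills
    run sysctl -w net.ipv4.tcp_synack_retries=3   # step 7: retries at 1+2+4+8 s, half-open entries die in ~15 s
    run sysctl -w net.ipv4.tcp_max_syn_backlog=2048
    # step 2: limit/burst on SYNs. -m limit counts all sources together; for a
    # per-source limit (step 6 of the first list) use -m hashlimit --hashlimit-mode srcip.
    run iptables -N SYN_LIMIT
    run iptables -A SYN_LIMIT -m limit --limit "$SYN_RATE" --limit-burst "$SYN_BURST" -j RETURN
    # step 3: log the excess, but rate-limit the LOG rule too so logging cannot become the DoS
    run iptables -A SYN_LIMIT -m limit --limit 1/second -j LOG --log-prefix "SYN_FLOOD: "
    run iptables -A SYN_LIMIT -j DROP
    run iptables -A INPUT -p tcp --syn -j SYN_LIMIT
    # step 6: SYNs to serviced ports pass, everything else is dropped without any reply
    run iptables -A INPUT -p tcp --syn -m multiport --dports "$SERVICE_PORTS" -j ACCEPT
    run iptables -A INPUT -p tcp --syn -j DROP
}

freebsd_syn_hardening() {
    run sysctl net.inet.tcp.syncookies=1   # step 1 equivalent
    # blackhole=2: segments to closed ports are dropped silently, so the kernel stops
    # generating the RSTs that post #4's log shows being capped by net.inet.icmp.icmplim (200/s)
    run sysctl net.inet.tcp.blackhole=2
    run sysctl net.inet.udp.blackhole=1
}

syn_hardening() {
    case "$(uname -s)" in
        Linux)   linux_syn_hardening ;;
        FreeBSD) freebsd_syn_hardening ;;
        *)       echo "unsupported OS: $(uname -s)" >&2; return 1 ;;
    esac
}

syn_hardening
```

The rules are appended, so run it once against a chain that does not already contain SYN_LIMIT, and keep the ACCEPT for your own management address ahead of it.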