Dos Attack! - GoFuckYourself.com

mailman · 08-04-2003, 07:53 PM

i need really good Unix admin..

one of my sites is getting hit with a DOS attack and my guy cant figure it out.. contact me if you think you can help!

Juicy D. Links · 08-04-2003, 07:55 PM

oh oh spaghetttttttti o'ssssssssssssssssss

cezam · 08-04-2003, 07:55 PM

what kind of dos? i've been trying to filter large synflood to one of my servers last few hours...

mailman · 08-04-2003, 07:55 PM

im getting this...

it doesn't crash.........someone is throwing a DoS style attack at it, trying to open connection on ports that are not listening

get this error in log
/kernel: Limiting closed port RST response from 265 to 200 packets per second Aug 4 21:49:31 /kernel: Limiting closed port RST response from 239 to 200 packets per second Aug 4 21:49:32 /kernel: Limiting closed port RST response from 230 to 200 packets per second Aug 4 21:49:33 /kernel: Limiting closed port RST response from 249 to 200 packets per second Aug 4 21:49:34 /kernel: Limiting closed port RST response from 285 to 200 packets per second Aug 4 21:49:36 /kernel: Limiting closed port RST response from 268 to 200 packets per second Aug 4 21:49:37 /kernel: Limiting closed port RST response from 232 to 200 packets per second Aug 4 21:49:38 /kernel: Limiting closed port RST response from 214 to 200 packets per second Aug 4 21:49:39 /kernel: Limiting closed port RST response from 233 to 200 packets per second Aug 4 21:49:40 /kernel: Limiting closed port RST response from 302 to 200 packets per second Aug 4 21:49:42 /kernel: Limiting closed port RST response from 210 to 200 packets per second Aug 4 21:49:43 /kernel: Limiting closed port RST response from 269 to 200 packets per second Aug 4 21:49:46 /kernel: Limiting closed port RST response from 306 to 200 packets per second Aug 4 21:49:48 /kernel: Limiting closed port RST response from 204 to 200 packets per second Aug 4 21:49:49 /kernel: Limiting closed port RST response from 270 to 200 packets per second Aug 4 21:49:50 /kernel: Limiting closed port RST response from 217 to 200 packets per second Aug 4 21:49:51 /kernel: Limiting closed port RST response from 209 to 200 packets per second Aug 4 21:49:52 /kernel: Limiting closed port RST response from 325 to 200 packets per second Aug 4 21:49:53 /kernel: Limiting closed port RST response from 211 to 200 packets per second Aug 4 21:49:54 /kernel: Limiting closed port RST response from 201 to 200 packets per second

mailman · 08-04-2003, 07:56 PM

Quote:

Originally posted by juicylinks
oh oh spaghetttttttti o'ssssssssssssssssss

Juicy D. Links · 08-04-2003, 07:56 PM

I didnt know it was your site, ill stop it in a minute

mailman · 08-04-2003, 07:57 PM

Quote:

Originally posted by juicylinks
I didnt know it was your site, ill stop it in a minute

i wish!...

Juicy D. Links · 08-04-2003, 07:59 PM

what site is it and have you made any enemies recently?

Detective Guido is on the case

cezam · 08-04-2003, 08:00 PM

let me guess.. you got a Freebsd system right?

your system is responding to SYN requests to closed ports with RSTs... most probably someone is syn flooding you

if it's freebsd i can not help you, as i do not know ipfw... if it's linux, try to gather attacking ips with tcpdump and block them with iptables

mailman · 08-04-2003, 08:00 PM

Quote:

Originally posted by juicylinks
what site is it and have you made any enemies recently?

Detective Guido is on the case

Nope.. no enemies...

mailman · 08-04-2003, 08:06 PM

Edit post.... nevermind...

cezam · 08-04-2003, 08:12 PM

ok i gotta go sleep, its 5am here.. if you will need some further help or advice you can hit me up on 232107841 when im online...

good nite..

asuna · 08-04-2003, 08:16 PM

told you to post on GFY

Smegma · 08-04-2003, 08:42 PM

If you were hosted at Jupiter this would be our problem, not yours.

EZRhino · 08-04-2003, 11:18 PM

Try the DOS evasive manuevers module for apache. It has workd well for me.

res · 08-05-2003, 04:36 AM

mailman, i have good free unix admin (efnet ircoperator), he is looking for work. Please contact me if interesting.

JamesK · 08-05-2003, 04:40 AM

You can always stop atttttttttttttttttttttttttttaaackers.

FEED THEM WITH BULLSHIT

PowerCum · 08-05-2003, 07:52 AM

1) enable TCP SYN cookies
2) Put iptables and work with a decent limit / burst (5 SYN per sec is more than enough)
3) install snort (with the deep packet analyze patch) and make it log. or better, make iptables log or just block all the non serviced ports.
4) cat snort-log-here | sort | uniq > log-uniq.txt
5) less log-uniq.txt
6) add a limit / burst of 1 per sec for all these IPs
7) reduce the SYN timeout to 15 or 10 sec (the default is 3 minutes)
8) you are done.

If you do not want this thing to repeat all the days:
1) install grsec
2) compile a monolyte kernel
3) tune the kernel via sysctl
4) limit / burst in iptables to some decent value (5 syns per sec are ok for an average site this grants access to 4 new surfers every second).
5) tune the SYN expire time to 15 or 10 sec
6) close all non serviced ports.
7) enable TCP SYN cookies
8) you are done

hope this helps you.

If you want something more... ICQ me 171216535, but do not bother to contact me if you are on BSD. I hate BSD.

08-04-2003, 07:53 PM	#1
mailman Confirmed User Industry Role: Join Date: Mar 2001 Location: Ontario, Canada Posts: 6,311	Dos Attack! i need really good Unix admin.. one of my sites is getting hit with a DOS attack and my guy cant figure it out.. contact me if you think you can help!

08-04-2003, 07:55 PM	#3
cezam Confirmed User Join Date: Jun 2003 Location: CZ, EU Posts: 1,363	what kind of dos? i've been trying to filter large synflood to one of my servers last few hours... __________________

08-04-2003, 08:00 PM	#9
cezam Confirmed User Join Date: Jun 2003 Location: CZ, EU Posts: 1,363	let me guess.. you got a Freebsd system right? your system is responding to SYN requests to closed ports with RSTs... most probably someone is syn flooding you if it's freebsd i can not help you, as i do not know ipfw... if it's linux, try to gather attacking ips with tcpdump and block them with iptables __________________

08-04-2003, 08:12 PM	#12
cezam Confirmed User Join Date: Jun 2003 Location: CZ, EU Posts: 1,363	ok i gotta go sleep, its 5am here.. if you will need some further help or advice you can hit me up on 232107841 when im online... good nite.. __________________

08-04-2003, 08:16 PM	#13
asuna Confirmed User Join Date: May 2002 Location: Montreal Posts: 8,743	told you to post on GFY __________________

08-04-2003, 07:55 PM	#2
Juicy D. Links So Fucking Banned Industry Role: Join Date: Apr 2001 Location: N.Y. -Long Island -- Posts: 122,992	oh oh spaghetttttttti o'ssssssssssssssssss

08-04-2003, 07:56 PM	#6
Juicy D. Links So Fucking Banned Industry Role: Join Date: Apr 2001 Location: N.Y. -Long Island -- Posts: 122,992	I didnt know it was your site, ill stop it in a minute

08-04-2003, 07:59 PM	#8
Juicy D. Links So Fucking Banned Industry Role: Join Date: Apr 2001 Location: N.Y. -Long Island -- Posts: 122,992	what site is it and have you made any enemies recently? Detective Guido is on the case

08-04-2003, 08:06 PM	#11
mailman Confirmed User Industry Role: Join Date: Mar 2001 Location: Ontario, Canada Posts: 6,311	Edit post.... nevermind...

08-04-2003, 08:42 PM	#14
Smegma Confirmed User Join Date: Feb 2002 Posts: 1,751	If you were hosted at Jupiter this would be our problem, not yours. __________________ <a href="http://www.jupiterhosting.com"><img src="http://www.jupiterhosting.com/banners/55x55.jupiter.gif" alt="" border="0" align=""></a>

08-04-2003, 11:18 PM	#15
EZRhino Confirmed User Industry Role: Join Date: Jul 2003 Location: couch Posts: 6,258	Try the DOS evasive manuevers module for apache. It has workd well for me.

08-05-2003, 04:36 AM	#16
res Confirmed User Join Date: Nov 2002 Location: Europe Posts: 1,118	mailman, i have good free unix admin (efnet ircoperator), he is looking for work. Please contact me if interesting.

08-05-2003, 04:40 AM	#17
JamesK hi Industry Role: Join Date: Jun 2002 Posts: 16,731	You can always stop atttttttttttttttttttttttttttaaackers. FEED THEM WITH BULLSHIT __________________ M3Server - NATS Hosting

08-05-2003, 07:52 AM	#18
PowerCum CjOverkill Industry Role: Join Date: Apr 2003 Location: Woldwide Posts: 1,328	1) enable TCP SYN cookies 2) Put iptables and work with a decent limit / burst (5 SYN per sec is more than enough) 3) install snort (with the deep packet analyze patch) and make it log. or better, make iptables log or just block all the non serviced ports. 4) cat snort-log-here \| sort \| uniq > log-uniq.txt 5) less log-uniq.txt 6) add a limit / burst of 1 per sec for all these IPs 7) reduce the SYN timeout to 15 or 10 sec (the default is 3 minutes) 8) you are done. If you do not want this thing to repeat all the days: 1) install grsec 2) compile a monolyte kernel 3) tune the kernel via sysctl 4) limit / burst in iptables to some decent value (5 syns per sec are ok for an average site this grants access to 4 new surfers every second). 5) tune the SYN expire time to 15 or 10 sec 6) close all non serviced ports. 7) enable TCP SYN cookies 8) you are done hope this helps you. If you want something more... ICQ me 171216535, but do not bother to contact me if you are on BSD. I hate BSD. __________________ CjOverkill Traffic Trading Script Free, secure and fast traffic trading script. Get your copy now