GoFuckYourself.com - Adult Webmaster Forum


mailman 08-04-2003 07:53 PM

Dos Attack!
 
i need really good Unix admin..

one of my sites is getting hit with a DOS attack and my guy can't figure it out.. contact me if you think you can help!

Juicy D. Links 08-04-2003 07:55 PM

oh oh spaghetttttttti o'ssssssssssssssssss

cezam 08-04-2003 07:55 PM

what kind of dos? i've been trying to filter large synflood to one of my servers last few hours...

mailman 08-04-2003 07:55 PM

I'm getting this...

it doesn't crash.........someone is throwing a DoS style attack at it, trying to open connection on ports that are not listening

get this error in log
/kernel: Limiting closed port RST response from 265 to 200 packets per second
Aug 4 21:49:31 /kernel: Limiting closed port RST response from 239 to 200 packets per second
Aug 4 21:49:32 /kernel: Limiting closed port RST response from 230 to 200 packets per second
Aug 4 21:49:33 /kernel: Limiting closed port RST response from 249 to 200 packets per second
Aug 4 21:49:34 /kernel: Limiting closed port RST response from 285 to 200 packets per second
Aug 4 21:49:36 /kernel: Limiting closed port RST response from 268 to 200 packets per second
Aug 4 21:49:37 /kernel: Limiting closed port RST response from 232 to 200 packets per second
Aug 4 21:49:38 /kernel: Limiting closed port RST response from 214 to 200 packets per second
Aug 4 21:49:39 /kernel: Limiting closed port RST response from 233 to 200 packets per second
Aug 4 21:49:40 /kernel: Limiting closed port RST response from 302 to 200 packets per second
Aug 4 21:49:42 /kernel: Limiting closed port RST response from 210 to 200 packets per second
Aug 4 21:49:43 /kernel: Limiting closed port RST response from 269 to 200 packets per second
Aug 4 21:49:46 /kernel: Limiting closed port RST response from 306 to 200 packets per second
Aug 4 21:49:48 /kernel: Limiting closed port RST response from 204 to 200 packets per second
Aug 4 21:49:49 /kernel: Limiting closed port RST response from 270 to 200 packets per second
Aug 4 21:49:50 /kernel: Limiting closed port RST response from 217 to 200 packets per second
Aug 4 21:49:51 /kernel: Limiting closed port RST response from 209 to 200 packets per second
Aug 4 21:49:52 /kernel: Limiting closed port RST response from 325 to 200 packets per second
Aug 4 21:49:53 /kernel: Limiting closed port RST response from 211 to 200 packets per second
Aug 4 21:49:54 /kernel: Limiting closed port RST response from 201 to 200 packets per second

mailman 08-04-2003 07:56 PM

Quote:

Originally posted by juicylinks
oh oh spaghetttttttti o'ssssssssssssssssss

:(

Juicy D. Links 08-04-2003 07:56 PM

I didn't know it was your site, I'll stop it in a minute

mailman 08-04-2003 07:57 PM

Quote:

Originally posted by juicylinks
I didn't know it was your site, I'll stop it in a minute

i wish!...

Juicy D. Links 08-04-2003 07:59 PM

what site is it and have you made any enemies recently?

Detective Guido is on the case

cezam 08-04-2003 08:00 PM

let me guess.. you got a Freebsd system right?

your system is responding to SYN requests to closed ports with RSTs... most probably someone is syn flooding you

if it's freebsd i can not help you, as i do not know ipfw... if it's linux, try to gather attacking ips with tcpdump and block them with iptables

mailman 08-04-2003 08:00 PM

Quote:

Originally posted by juicylinks
what site is it and have you made any enemies recently?

Detective Guido is on the case

Nope.. no enemies... :(

mailman 08-04-2003 08:06 PM

Edit post.... nevermind...

cezam 08-04-2003 08:12 PM

ok i gotta go sleep, it's 5am here.. if you need some further help or advice you can hit me up on 232107841 when I'm online...

good nite..

asuna 08-04-2003 08:16 PM

told you to post on GFY

Smegma 08-04-2003 08:42 PM

If you were hosted at Jupiter this would be our problem, not yours.

EZRhino 08-04-2003 11:18 PM

Try the DOS evasive maneuvers module for apache. It has worked well for me.

res 08-05-2003 04:36 AM

mailman, i have a good free unix admin (efnet ircoperator), he is looking for work. Please contact me if interested.

JamesK 08-05-2003 04:40 AM

You can always stop atttttttttttttttttttttttttttaaackers.





FEED THEM WITH BULLSHIT

PowerCum 08-05-2003 07:52 AM

1) enable TCP SYN cookies
2) Put iptables and work with a decent limit / burst (5 SYN per sec is more than enough)
3) install snort (with the deep packet analyze patch) and make it log. or better, make iptables log or just block all the non serviced ports.
4) cat snort-log-here | sort | uniq > log-uniq.txt
5) less log-uniq.txt
6) add a limit / burst of 1 per sec for all these IPs
7) reduce the SYN timeout to 15 or 10 sec (the default is 3 minutes)
8) you are done.

If you do not want this thing to repeat all the days:
1) install grsec
2) compile a monolithic kernel
3) tune the kernel via sysctl
4) limit / burst in iptables to some decent value (5 syns per sec are ok for an average site this grants access to 4 new surfers every second).
5) tune the SYN expire time to 15 or 10 sec
6) close all non serviced ports.
7) enable TCP SYN cookies
8) you are done

hope this helps you.

If you want something more... ICQ me 171216535, but do not bother to contact me if you are on BSD. I hate BSD.
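
Added example, not part of PowerCum's post: one way to do steps 4 to 6 of the first list with `sort | uniq -c`, which keeps a hit count per source instead of only de-duplicating. It assumes iptables LOG-target style lines; the sample log, the threshold of 3 and the addresses (RFC 5737 documentation ranges) are constructed, and the rules are only printed, never applied.

```shell
#!/bin/sh
# Added example: rank logged SYN sources and draft per-source rate limits.
# Assumes iptables LOG-target style lines (SRC=, PROTO=TCP, SYN flag token).

# Constructed sample log; addresses come from RFC 5737 documentation ranges.
sample_log() {
cat <<'EOF'
Aug  4 21:49:31 host kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=40211 DPT=81 RES=0x00 SYN URGP=0
Aug  4 21:49:31 host kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=40212 DPT=82 RES=0x00 SYN URGP=0
Aug  4 21:49:32 host kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=51000 DPT=8080 RES=0x00 SYN URGP=0
Aug  4 21:49:32 host kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=40213 DPT=83 RES=0x00 SYN URGP=0
Aug  4 21:49:33 host kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=40214 DPT=80 RES=0x00 ACK URGP=0
Aug  4 21:49:33 host kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=51001 DPT=8081 RES=0x00 SYN URGP=0
Aug  4 21:49:34 host kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=40215 DPT=84 RES=0x00 SYN URGP=0
Aug  4 21:49:34 host kernel: IN=eth0 OUT= SRC=192.0.2.99 DST=203.0.113.5 PROTO=UDP SPT=53 DPT=4000 LEN=40
EOF
}

# Read log lines on stdin; print "count ip" per TCP SYN source, busiest first.
count_syn_sources() {
    grep 'PROTO=TCP' | grep ' SYN ' |
    sed -n 's/.* SRC=\([0-9][0-9.]*\) .*/\1/p' |
    sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Print (do not run) a limit/drop rule pair for each source seen at
# least $1 times. Log content is attacker-influenced, so the address is
# checked against a dotted-quad pattern before it goes into a command line.
emit_rules() {
    threshold=$1
    count_syn_sources | while read -r count ip; do
        [ "$count" -ge "$threshold" ] || continue
        echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || continue
        echo "iptables -A INPUT -s $ip -p tcp --syn -m limit --limit 1/second --limit-burst 1 -j ACCEPT"
        echo "iptables -A INPUT -s $ip -p tcp --syn -j DROP"
    done
}

sample_log | emit_rules 3
```

Source addresses in a SYN flood are often spoofed, so read the ranked list before applying anything it produces; SYN cookies do not depend on the source address being genuine.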

