From: Randall R Schulz (rschulzsonic.net)
Date: Thu Oct 27 2005 - 09:00:01 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Ralf,

You should not use your mail client's "reply" function to start a new
topic thread.

On Thursday 27 October 2005 06:20, media Formel4 wrote:
> Hi list,
>
> right now we're experiencing a (for me) very uncommon DDoS attack
> against one of our webservers. Looking with netstat we find hundreds
> of established connections to our Apache webserver, but nothing in
> the logs - which means the attacker opens up a connection (not only a
> SYN request as in SYN flood attacks) and then blocks the Apache child
> until it hits timeout. This attack comes from thousands of IP numbers
> (bots?) all over the world.
>
> Question is:
>
> - Is it possible with spoofed IP numbers to establish connections to
> port 80? As far as I know you should get stuck after "SYN".

Spoofing IPs probably isn't required. You could try running traceroutes
on several of the remote IPs. You'll probably find they're in different
places.

Nowadays there are black-hats out there who command compromised armies
of always- or often-on hosts on high-speed Internet connections. When
it suits their whim or their plan, they can enlist them to perform such
a DDoS attack (or distributed attack).

> - How can I secure this server and/or stop this attack?

Lower the Apache timeout?

> Thanks,
>
> Ralf Koch

Randall Schulz

--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-helpsuse.com
Security-related bug reports go to securitysuse.de, not here

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]