Subject: Re: DOS attack on my webserver!!!
From: Joseph Nicholas Yarbrough (nyarbroughLURHQ.COM)
Date: Tue Oct 17 2000 - 09:24:57 CDT


I don't have the numbers handy, but I did a test on a Linux box (400 MHz K6-III). It stalled off without syncookies enabled. It was, however, able to handle nearly twice the amount of PPS with syncookies enabled.
The only reason it got to twice was because the sending system was a lower-end 133 MHz.
The 133 MHz was spiked through the whole test.
I wish I still had the data.

-Nick

On Tue, 17 Oct 2000, you wrote:
> Other possible solutions:
>
> 1. Enable SYN cookies if they are not already enabled. No personal
> experience so I cannot comment on its effectiveness. Anyone else using it?
> Experiences?
>
> 2. Enable TCP Intercepts on your Cisco router, or your router equivalent.
> Search for Cisco doc "Configuring TCP Intercept (Prevent Denial-of-Service
> Attacks)" or scdenial.pdf. Not sure what the Cisco IOS or hardware
> dependencies are.
>
> --- Begin extract ---
>
> In intercept mode, the software actively intercepts each incoming
> connection request (SYN) and
> responds on behalf of the server with an ACK and SYN, then waits for an ACK
> of the SYN from the
> client. When that ACK is received, the original SYN is sent to the server
> and the software performs a three-way handshake with the server. When this
> is complete, the two half-connections are joined.
>
> In watch mode, connection requests are allowed to pass through the router
> to the server but are
> watched until they become established. If they fail to become established
> within 30 seconds
> (configurable with the ip tcp intercept watch-timeout command), the
> software sends a Reset to the
> server to clear up its state.
>
> --- End extract ---
>
> Either of these is probably simpler than patching the kernel.
>
> Stephen
>
>
> -----Original Message-----
> From: ksemat [mailto:ksematWAWA.EAHD.OR.UG]
> Sent: 13 October 2000 08:38
> To: FOCUS-LINUXSECURITYFOCUS.COM
> Subject: Re: DOS attack on my webserver!!!
>
>
> One other thing you could do on top of recompiling your kernel with
> protection against syn floods is to patch it with the openwall linux
> kernel patch at http://www.openwall.com and probably for future safety
> download and install port sentry it can be found at
> http://www.freshmeat.net
>
> On Fri, 13 Oct 2000, LO GUIDICE, Yannick wrote:
> > Date: Fri, 13 Oct 2000 08:49:26 +0200
> > From: "LO GUIDICE, Yannick" <Yannick.LOGUIDICEMANE.COM>
> > Reply-To: Focus on Linux Mailing List <FOCUS-LINUXSECURITYFOCUS.COM>
> > To: FOCUS-LINUXSECURITYFOCUS.COM
> > Subject: Re: DOS attack on my webserver!!!
> >
> > You need some kind of Syn-Defender (like the one in FW1). I don't know if
> > the Linux kernel can be configured to do this, or if Ipchains can do it.
> > Take a look at the manual pages. For the syn-received connections, they
> > should disappear with connections timeouts. Or else you have to reboot
> > your server...
> >
> > -----Original Message-----
> > From: swamy [mailto:swamyBITS-PILANI.AC.IN]
> > Sent: jeudi 12 octobre 2000 06:00
> > To: FOCUS-LINUXSECURITYFOCUS.COM
> > Subject: DOS attack on my webserver!!!
> >
> >
> > yesterday, i couldn't give any services for genuine users of my
> > webserver. I found nearly some 400 tcp "syn-received" and some 100
> > "established" tcp port 80 connections from a single host!
> >
> > Can someone tell me how to stop these kind of attacks or at least how to
> > make my server get back to its original status !!
> >
> >
> > thanx in advance,
> >
> > swamy.
> >
> >
> >
>
> Sematimba Noah
> ksemateahd.or.ug
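The thread's two Linux-side checks, whether SYN cookies are on and whether one remote host is holding hundreds of half-open port 80 connections, can be scripted. The following is an added example written for this archive page, not code from any poster; it parses `ss -tan`-style output, counts SYN-RECV entries per peer address, flags peers above a threshold, and reads the `tcp_syncookies` sysctl. The sample output embedded below is constructed, and the threshold and addresses are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): count half-open (SYN-RECV) TCP
# connections per remote address from `ss -tan`-style text and flag any
# source at or above a threshold, mirroring the "400 syn-received from a
# single host" symptom reported above. Also checks the SYN cookie sysctl.

# Constructed sample of `ss -tan` output (not real captured data).
SAMPLE_SS_OUTPUT='State      Recv-Q Send-Q Local Address:Port  Peer Address:Port
SYN-RECV   0      0      192.0.2.10:80      203.0.113.5:40001
SYN-RECV   0      0      192.0.2.10:80      203.0.113.5:40002
SYN-RECV   0      0      192.0.2.10:80      203.0.113.5:40003
ESTAB      0      0      192.0.2.10:80      198.51.100.7:51234
SYN-RECV   0      0      192.0.2.10:80      198.51.100.7:51235'

# count_syn_recv: read ss-style text on stdin, print "count ip" per peer,
# highest count first. Only SYN-RECV rows (half-open connections) count.
count_syn_recv() {
    awk '$1 == "SYN-RECV" { split($5, peer, ":"); n[peer[1]]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# flag_sources THRESHOLD: read ss-style text on stdin and print only the
# peer addresses whose half-open count is at or above THRESHOLD.
flag_sources() {
    count_syn_recv | awk -v t="$1" '$1 >= t { print $2 }'
}

# syncookies_enabled: succeed (exit 0) when the kernel has SYN cookies on.
# On the 2.2/2.4 kernels of the thread this also requires CONFIG_SYN_COOKIES.
syncookies_enabled() {
    [ "$(cat /proc/sys/net/ipv4/tcp_syncookies 2>/dev/null)" = "1" ]
}

# Live use (root needed for sysctl -w; threshold 100 is a placeholder):
#   ss -tan | flag_sources 100
#   syncookies_enabled || sysctl -w net.ipv4.tcp_syncookies=1
```

Run against the embedded sample, `flag_sources 3` names only 203.0.113.5, while the host with a single half-open connection is left alone; in practice the threshold should sit well above what a legitimate busy client produces, since SYN-RECV entries also appear briefly for normal handshakes.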