Pantek Library

Re: Help Needed With DoS Attack

From: Aenn Seidhe Priest <sidhepriest(at)yandex.ru>
Date: Sun Jul 15 2007 - 11:04:28 EDT


On 15.07.2007 at 13:59 koffiejunkie wrote:

>Aenn Seidhe Priest wrote:
>> Hello,
>>
>> a webserver is under attack.
>>
>> What's required is some kind of filtering software and a firewall that
>> could do the following:
>>
>> pass only valid HTTP GET requests and block all other HTTP methods (PUT,
>> OPTIONS, CONNECT, etc.), possibly validate HTTP GET requests by matching
>> to local paths;
>> optionally disable HTTP 1.1 requests;
>> block excessively long URLs;
>> have an extensions whitelist/blacklist;
>
>I can't really help you with something that will do this automatically
>(although from what I've heard fail2ban might help).
>
>The quickest way to nip a DOS in the butt is check your logs and netstat
>-ntap for the offending IP and do:
>
>iptables -A INPUT -s <SOURCE_IP> -j DROP
>
>With a DDOS this becomes more difficult, but usually the average DDOSer
>has only so many zombies, and eventually you'll block them all.

Problem is, the DDoS is from several thousand (yes, thousands) IP addresses, or at least the addresses must be spoofed somewhere on a route outside the server's own network. So far the server's firewall blacklist has accumulated over 12000 IP entries.

If you speak Russian, the discussion is here:

http://moshkow.livejournal.com/25357.html

++++++++++++++++++++++++++++++++++++++++++++++++

     Not far from here, by a white sun, behind a green star, lived the Steelypips, illustrious, industrious, and they hadn't a care: no spats in their vats, no rules, no schools, no gloom, no evil influence of the moon, no trouble from matter or antimatter -- for they had a machine, a dream of a machine, with springs and gears and perfect in every respect. And they lived with it, and on it, and under it, and inside it, for it was all they had -- first they saved up all their atoms, then they put them all together, and if one didn't fit, why they chipped at it a bit, and everything was just fine...
  - Stanislaw Lem, "Cyberiad"
Received on Sun Jul 15 10:03:24 2007
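
The filtering rules requested in the thread (GET only, a URL length cap, an extension whitelist, optional HTTP 1.1 rejection), applied to access-log lines to tally which source addresses break them. This is an added example, not part of the original message; the log format (Common Log Format), the limits, the extension list and the threshold are assumptions.

```python
import re
from collections import Counter

# Policy values are assumptions for illustration, not taken from the thread.
MAX_URL_LEN = 256
ALLOWED_EXT = {"", ".html", ".htm", ".txt", ".css", ".png", ".jpg"}
REJECT_HTTP11 = False  # the "optionally disable HTTP 1.1 requests" item

# Common Log Format: ip ident user [time] "METHOD target PROTO" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "([^"]*)"')

def violation(request_line):
    """Return the reason a request line breaks the policy, or None."""
    parts = request_line.split(" ")
    if len(parts) != 3:
        return "malformed"
    method, target, proto = parts
    if method != "GET":
        return "method"
    if proto not in ("HTTP/1.0", "HTTP/1.1"):
        return "protocol"
    if REJECT_HTTP11 and proto == "HTTP/1.1":
        return "http1.1"
    if len(target) > MAX_URL_LEN:
        return "long-url"
    name = target.split("?", 1)[0].rsplit("/", 1)[-1]  # last path segment
    ext = "." + name.rsplit(".", 1)[1].lower() if "." in name else ""
    if ext not in ALLOWED_EXT:
        return "extension"
    return None

def offenders(log_lines, threshold=2):
    """Count violations per source IP; return IPs at or above threshold."""
    counts = Counter()
    for line in log_lines:
        m = LINE_RE.match(line)
        if m and violation(m.group(2)) is not None:
            counts[m.group(1)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE = [
    '192.0.2.10 - - [15/Jul/2007:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 512',
    '198.51.100.7 - - [15/Jul/2007:10:00:02 +0000] "OPTIONS * HTTP/1.1" 200 0',
    '198.51.100.7 - - [15/Jul/2007:10:00:03 +0000] "GET /' + "A" * 300 + ' HTTP/1.0" 414 0',
    '203.0.113.5 - - [15/Jul/2007:10:00:04 +0000] "PUT /x.php HTTP/1.1" 405 0',
    '192.0.2.10 - - [15/Jul/2007:10:00:05 +0000] "GET /lib/book.txt?page=2 HTTP/1.1" 200 900',
]
```

The addresses returned by `offenders()` are candidates for the `iptables -A INPUT -s <SOURCE_IP> -j DROP` rule quoted above.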

This archive was generated by hypermail 2.1.8 : Mon Jul 16 2007 - 05:36:05 EDT

