-
August 13th, 2004, 03:40 PM
#1
Junior Member
Preventing DOS
I was recently DoSed. I was being hammered by 2 servers constantly.
I upgraded apache, ftp, php, mysql, ssh, etc and blocked the two IPs the attack was coming from using iptables.
I've been fine since, but was looking for input on preventing it from happening again.
Here is a snippet from the access log:
Code:
66.139.79.12 - - [09/Aug/2004:18:41:41 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
66.139.79.12 - - [09/Aug/2004:18:41:42 -0400] "GET /memberlist.php HTTP/1.0" 206 28949 "-" "Wget/1.8.2"
64.21.147.108 - - [09/Aug/2004:18:41:37 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
66.139.79.12 - - [09/Aug/2004:19:18:30 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
66.139.79.12 - - [09/Aug/2004:19:18:30 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
66.139.79.12 - - [09/Aug/2004:19:18:34 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
66.139.79.12 - - [09/Aug/2004:19:18:34 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
66.139.79.12 - - [09/Aug/2004:19:18:34 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
66.139.79.12 - - [09/Aug/2004:19:18:35 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
66.139.79.12 - - [09/Aug/2004:19:18:35 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
66.139.79.12 - - [09/Aug/2004:19:18:35 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
66.139.79.12 - - [09/Aug/2004:19:18:36 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
66.139.79.12 - - [09/Aug/2004:19:18:36 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
64.21.147.108 - - [09/Aug/2004:19:18:47 -0400] "GET /memberlist.php HTTP/1.0" 200 105 "-" "Wget/1.8.2"
64.21.147.108 - - [09/Aug/2004:19:18:50 -0400] "GET /memberlist.php HTTP/1.0" 200 105 "-" "Wget/1.8.2"
64.21.147.108 - - [09/Aug/2004:19:18:46 -0400] "GET /memberlist.php HTTP/1.0" 200 105 "-" "Wget/1.8.2"
64.21.147.108 - - [09/Aug/2004:19:18:46 -0400] "GET /memberlist.php HTTP/1.0" 200 105 "-" "Wget/1.8.2"
64.21.147.108 - - [09/Aug/2004:19:18:47 -0400] "GET /memberlist.php HTTP/1.0" 200 105 "-" "Wget/1.8.2"
64.21.147.108 - - [09/Aug/2004:19:18:47 -0400] "GET /memberlist.php HTTP/1.0" 200 105 "-" "Wget/1.8.2"
64.21.147.108 - - [09/Aug/2004:19:18:49 -0400] "GET /memberlist.php HTTP/1.0" 200 105 "-" "Wget/1.8.2"
64.21.147.108 - - [09/Aug/2004:19:18:49 -0400] "GET /memberlist.php HTTP/1.0" 200 105 "-" "Wget/1.8.2"
66.139.79.12 - - [09/Aug/2004:19:18:59 -0400] "GET /memberlist.php HTTP/1.0" 200 105 "-" "Wget/1.8.2"
66.139.79.12 - - [09/Aug/2004:19:18:57 -0400] "GET /memberlist.php HTTP/1.0" 200 105 "-" "Wget/1.8.2"
64.21.147.108 - - [09/Aug/2004:19:22:24 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
64.21.147.108 - - [09/Aug/2004:19:22:28 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
64.21.147.108 - - [09/Aug/2004:19:22:30 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
64.21.147.108 - - [09/Aug/2004:19:22:31 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
64.21.147.108 - - [09/Aug/2004:19:22:33 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
64.21.147.108 - - [09/Aug/2004:19:22:34 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
64.21.147.108 - - [09/Aug/2004:19:22:36 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
64.21.147.108 - - [09/Aug/2004:19:22:37 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
64.21.147.108 - - [09/Aug/2004:19:22:39 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
64.21.147.108 - - [09/Aug/2004:19:22:40 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
64.21.147.108 - - [09/Aug/2004:19:22:42 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
64.21.147.108 - - [09/Aug/2004:19:22:43 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
64.21.147.108 - - [09/Aug/2004:19:22:45 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
64.21.147.108 - - [09/Aug/2004:19:22:46 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
64.21.147.108 - - [09/Aug/2004:19:22:48 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
64.21.147.108 - - [09/Aug/2004:19:22:49 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
64.21.147.108 - - [09/Aug/2004:19:22:51 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
64.21.147.108 - - [09/Aug/2004:19:22:52 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
64.21.147.108 - - [09/Aug/2004:19:22:54 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
64.21.147.108 - - [09/Aug/2004:19:22:56 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
64.21.147.108 - - [09/Aug/2004:19:22:57 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
64.21.147.108 - - [09/Aug/2004:19:22:59 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
64.21.147.108 - - [09/Aug/2004:19:23:00 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
64.21.147.108 - - [09/Aug/2004:19:23:02 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
64.21.147.108 - - [09/Aug/2004:19:23:03 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
64.21.147.108 - - [09/Aug/2004:19:23:05 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
66.139.79.12 - - [09/Aug/2004:19:44:38 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
66.139.79.12 - - [09/Aug/2004:19:44:38 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
66.139.79.12 - - [09/Aug/2004:19:44:38 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
66.139.79.12 - - [09/Aug/2004:19:44:38 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
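The log above is the standard Apache combined format, so the pattern the poster saw (a single client fetching one script many times a second) can be picked out mechanically rather than by eye. The following is an added example, not code from the thread: it parses combined-format lines, keeps a sliding window of hits per (client IP, path), flags any client that exceeds a per-page threshold inside the window, and emits the per-IP iptables DROP rules the poster said they applied by hand. The sample log, the documentation-range IPs (203.0.113.5, 198.51.100.9), the threshold of 8 hits in 10 seconds, and every function name are constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log format: the layout of the poster's snippet above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample, modelled on the thread's log: one client hammering
# /memberlist.php once a second, one ordinary visitor, one unparseable line.
# Lines are deliberately not in timestamp order, as in the real snippet.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Aug/2004:19:22:25 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
203.0.113.5 - - [09/Aug/2004:19:22:24 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
203.0.113.5 - - [09/Aug/2004:19:22:26 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
203.0.113.5 - - [09/Aug/2004:19:22:27 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
203.0.113.5 - - [09/Aug/2004:19:22:28 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
203.0.113.5 - - [09/Aug/2004:19:22:29 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
198.51.100.9 - - [09/Aug/2004:19:22:30 -0400] "GET /index.php HTTP/1.0" 200 5120 "-" "Mozilla/4.0"
203.0.113.5 - - [09/Aug/2004:19:22:30 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
203.0.113.5 - - [09/Aug/2004:19:22:31 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
203.0.113.5 - - [09/Aug/2004:19:22:32 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
203.0.113.5 - - [09/Aug/2004:19:22:33 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
this line is not a valid log entry and is skipped
198.51.100.9 - - [09/Aug/2004:19:25:30 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Mozilla/4.0"
198.51.100.9 - - [09/Aug/2004:19:25:31 -0400] "GET /index.php HTTP/1.0" 200 5120 "-" "Mozilla/4.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    # e.g. "09/Aug/2004:19:22:24 -0400" -> timezone-aware datetime
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def find_hammering_clients(lines, page_limit=8, window_seconds=10):
    """Return {ip: {path: peak_hits}} for every client that made at least
    page_limit requests to the same path within any window_seconds span.
    Thresholds are assumptions for the example; tune them to real traffic."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])  # log order is not guaranteed
    recent = defaultdict(deque)   # (ip, path) -> timestamps inside the window
    offenders = defaultdict(dict)  # ip -> {path: highest count seen}
    for e in events:
        key = (e["ip"], e["path"])
        window = recent[key]
        window.append(e["ts"])
        # Drop hits that have fallen out of the sliding window.
        while (e["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= page_limit:
            ip, path = key
            offenders[ip][path] = max(offenders[ip].get(path, 0), len(window))
    return {ip: dict(paths) for ip, paths in offenders.items()}


def iptables_rules(offenders):
    """Render one DROP rule per flagged source IP (the block the poster applied)."""
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in sorted(offenders)]


if __name__ == "__main__":
    found = find_hammering_clients(SAMPLE_LOG.splitlines())
    for ip, paths in found.items():
        for path, peak in paths.items():
            print(f"{ip} hit {path} {peak} times within 10s")
    for rule in iptables_rules(found):
        print(rule)
```

The counter keys on client and path, not on the User-Agent string: "Wget/1.8.2" is a convenient fingerprint in this log, but a user agent is set by the client and is no basis for a durable rule, whereas request rate per client is what actually exhausts the script. Review the flagged list before turning it into firewall rules, since a busy NAT or proxy can legitimately exceed a low per-IP threshold.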
-
August 13th, 2004, 04:43 PM
#2
That's a script-based DoS -- an issue with script load using the resources available to your hardware. You could put a limit on how many hits go to a specific page, limit concurrent incoming connections, get faster/better hardware, or try and make the script as lean as possible. There are lots of possible ways to stop this type of attack.
Just FYI, this is rather primitive, and likely wouldn't work if the script was very simple.
It also took very little to launch:
while true; do wget --spider www.yoursite.com/memberlist.php ; done
Chris Shepherd
The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
Is your whole family retarded, or did they just catch it from you?
-
August 14th, 2004, 06:11 AM
#3
Member
Installing a firewall..
Try having a firewall script, which prevents DDoS attacks from happening..
but I ain't sure if this is the most appropriate action to be taken though..
People here might have better alternatives..
-
August 14th, 2004, 11:01 PM
#4
Yes, as chsh has noted there are many ways to stop this. The quickest is to blackhole the traffic coming from those IP addresses via router or FW ACLs. The second, fire up httpd.conf and look for the configs for limiting access. Offhand, I can't remember the actual lines but they are there.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
August 15th, 2004, 01:22 AM
#5
Well, I'm a WAN guy, so I always look to do it in hardware. Let the servers do what they're supposed to do and never let the bad stuff get to them. What kind of data devices are you using? Switches, routers, firewalls, traffic-shapers, et cetera?