Preventing DOS
Results 1 to 5 of 5

Thread: Preventing DOS

  1. #1
    Junior Member
    Join Date
    Aug 2004
    Posts
    2

    Preventing DOS

    I was recently DOSd. I was being hammered by 2 servers constantly.

    I upgraded apache, ftp, php, mysql, ssh, etc and blocked the two IPs the attack was coming from using iptables.

    I've been fine since, but was looking for input on preventing it from happening again.

    Here is a snippet from the access log:

    Code:
    66.139.79.12 - - [09/Aug/2004:18:41:41 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    66.139.79.12 - - [09/Aug/2004:18:41:42 -0400] "GET /memberlist.php HTTP/1.0" 206 28949 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:18:41:37 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    66.139.79.12 - - [09/Aug/2004:19:18:30 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    66.139.79.12 - - [09/Aug/2004:19:18:30 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    66.139.79.12 - - [09/Aug/2004:19:18:34 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    66.139.79.12 - - [09/Aug/2004:19:18:34 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    66.139.79.12 - - [09/Aug/2004:19:18:34 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    66.139.79.12 - - [09/Aug/2004:19:18:35 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    66.139.79.12 - - [09/Aug/2004:19:18:35 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    66.139.79.12 - - [09/Aug/2004:19:18:35 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    66.139.79.12 - - [09/Aug/2004:19:18:36 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    66.139.79.12 - - [09/Aug/2004:19:18:36 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:18:47 -0400] "GET /memberlist.php HTTP/1.0" 200 105 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:18:50 -0400] "GET /memberlist.php HTTP/1.0" 200 105 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:18:46 -0400] "GET /memberlist.php HTTP/1.0" 200 105 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:18:46 -0400] "GET /memberlist.php HTTP/1.0" 200 105 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:18:47 -0400] "GET /memberlist.php HTTP/1.0" 200 105 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:18:47 -0400] "GET /memberlist.php HTTP/1.0" 200 105 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:18:49 -0400] "GET /memberlist.php HTTP/1.0" 200 105 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:18:49 -0400] "GET /memberlist.php HTTP/1.0" 200 105 "-" "Wget/1.8.2"
    66.139.79.12 - - [09/Aug/2004:19:18:59 -0400] "GET /memberlist.php HTTP/1.0" 200 105 "-" "Wget/1.8.2"
    66.139.79.12 - - [09/Aug/2004:19:18:57 -0400] "GET /memberlist.php HTTP/1.0" 200 105 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:24 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:28 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:30 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:31 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:33 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:34 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:36 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:37 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:39 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:40 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:42 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:43 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:45 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:46 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:48 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:49 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:51 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:52 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:54 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:56 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:57 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:59 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:23:00 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:23:02 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:23:03 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:23:05 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    66.139.79.12 - - [09/Aug/2004:19:44:38 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    66.139.79.12 - - [09/Aug/2004:19:44:38 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    66.139.79.12 - - [09/Aug/2004:19:44:38 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    66.139.79.12 - - [09/Aug/2004:19:44:38 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    http://forever-hack.net

    \"In /dev/null no one can hear you scream.\"

  2. #2
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    That's a script-based DoS -- an issue with script load using the resources available to your hardware. You could put a limit on how many hits go to a specific page, limit concurrent incoming connections, get faster/better hardware, or try and make the script as lean as possible. There are lots of possible ways to stop this type of attack.

    Just FYI, this is rather primitive, and likely wouldn't work if the script was very simple.
    It also took very little to launch:
    while true; do wget --spider www.yoursite.com/memberlist.php ; done
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    \"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?\" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  3. #3
    Installing firewall..
    Try having a firewall script - which preventing DDOS attack from happening..

    but i aint sure if this is the most appropriate action to be taken though..
    ppls here might have better alternatives..

  4. #4
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Yes, as chsh has noted there are many ways to stop this. The quickest is to blackhole the traffic coming from those IP addresses via router or FW ACLs. The second, fire up httpd.conf and look for the configs for limiting access. Offhand, I can't remember the actual lines but they are there.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  5. #5
    Senior Member
    Join Date
    Jan 2003
    Posts
    274
    Well, I'm a WAN guy, so I always look to do it in hardware. Let the servers do what their supposed to do and never let the bad stuff get to it. What kind of data devices are you using? Switches, routers, firewalls, traffic-shapers, et cetera?

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •