
Thread: Preventing DOS

  1. #1
    Junior Member
    Join Date
    Aug 2004
    Posts
    2

    Preventing DOS

    I was recently DOSd. I was being hammered by 2 servers constantly.

    I upgraded apache, ftp, php, mysql, ssh, etc and blocked the two IPs the attack was coming from using iptables.

    I've been fine since, but was looking for input on preventing it from happening again.

    Here is a snippet from the access log:

    Code:
    66.139.79.12 - - [09/Aug/2004:18:41:41 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    66.139.79.12 - - [09/Aug/2004:18:41:42 -0400] "GET /memberlist.php HTTP/1.0" 206 28949 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:18:41:37 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    66.139.79.12 - - [09/Aug/2004:19:18:30 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    66.139.79.12 - - [09/Aug/2004:19:18:30 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    66.139.79.12 - - [09/Aug/2004:19:18:34 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    66.139.79.12 - - [09/Aug/2004:19:18:34 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    66.139.79.12 - - [09/Aug/2004:19:18:34 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    66.139.79.12 - - [09/Aug/2004:19:18:35 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    66.139.79.12 - - [09/Aug/2004:19:18:35 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    66.139.79.12 - - [09/Aug/2004:19:18:35 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    66.139.79.12 - - [09/Aug/2004:19:18:36 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    66.139.79.12 - - [09/Aug/2004:19:18:36 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:18:47 -0400] "GET /memberlist.php HTTP/1.0" 200 105 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:18:50 -0400] "GET /memberlist.php HTTP/1.0" 200 105 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:18:46 -0400] "GET /memberlist.php HTTP/1.0" 200 105 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:18:46 -0400] "GET /memberlist.php HTTP/1.0" 200 105 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:18:47 -0400] "GET /memberlist.php HTTP/1.0" 200 105 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:18:47 -0400] "GET /memberlist.php HTTP/1.0" 200 105 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:18:49 -0400] "GET /memberlist.php HTTP/1.0" 200 105 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:18:49 -0400] "GET /memberlist.php HTTP/1.0" 200 105 "-" "Wget/1.8.2"
    66.139.79.12 - - [09/Aug/2004:19:18:59 -0400] "GET /memberlist.php HTTP/1.0" 200 105 "-" "Wget/1.8.2"
    66.139.79.12 - - [09/Aug/2004:19:18:57 -0400] "GET /memberlist.php HTTP/1.0" 200 105 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:24 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:28 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:30 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:31 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:33 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:34 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:36 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:37 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:39 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:40 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:42 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:43 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:45 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:46 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:48 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:49 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:51 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:52 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:54 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:56 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:57 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:22:59 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:23:00 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:23:02 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:23:03 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    64.21.147.108 - - [09/Aug/2004:19:23:05 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    66.139.79.12 - - [09/Aug/2004:19:44:38 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    66.139.79.12 - - [09/Aug/2004:19:44:38 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    66.139.79.12 - - [09/Aug/2004:19:44:38 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    66.139.79.12 - - [09/Aug/2004:19:44:38 -0400] "GET /memberlist.php HTTP/1.0" 200 37493 "-" "Wget/1.8.2"
    http://forever-hack.net

    "In /dev/null no one can hear you scream."

  2. #2
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    That's a script-based DoS -- an issue with script load using the resources available to your hardware. You could put a limit on how many hits go to a specific page, limit concurrent incoming connections, get faster/better hardware, or try and make the script as lean as possible. There are lots of possible ways to stop this type of attack.

    Just FYI, this is rather primitive, and likely wouldn't work if the script was very simple.
    It also took very little to launch:
    while true; do wget --spider www.yoursite.com/memberlist.php ; done
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?
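
Added example, not part of the thread: a small detector for the pattern in the access log above, flagging any client that requests the same path more than a set number of times inside a short window. The threshold, the window, the function names and the sample lines (documentation-range IPs) are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache combined log format:
# ip ident user [time] "METHOD path proto" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"$'
)

def parse(line):
    """Return (ip, path, timestamp, agent), or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], m["path"], ts, m["agent"]

def find_floods(lines, max_hits=5, window=timedelta(seconds=10)):
    """Return {(ip, path): peak_hits} for clients exceeding max_hits per window."""
    # Access logs are written when a request completes, so entries can be
    # slightly out of order (as in the log above); sort by timestamp first.
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e[2])
    recent = defaultdict(deque)   # (ip, path) -> timestamps inside the window
    peaks = {}
    for ip, path, ts, _agent in events:
        q = recent[(ip, path)]
        q.append(ts)
        while ts - q[0] > window:  # drop hits that fell out of the window
            q.popleft()
        if len(q) > max_hits:
            peaks[(ip, path)] = max(peaks.get((ip, path), 0), len(q))
    return peaks

# Constructed sample input: one client hammering a script, one normal visitor.
FMT = ('{ip} - - [09/Aug/2004:19:18:{s:02d} -0400] '
       '"GET {path} HTTP/1.0" 200 37493 "-" "{ua}"')
SAMPLE = [FMT.format(ip="192.0.2.10", s=s, path="/memberlist.php", ua="Wget/1.8.2")
          for s in (34, 30, 30, 35, 34, 36, 35, 36)]
SAMPLE += [FMT.format(ip="198.51.100.7", s=s, path="/index.php", ua="Mozilla/5.0")
           for s in (5, 50)]

if __name__ == "__main__":
    for (ip, path), peak in find_floods(SAMPLE).items():
        print(f"{ip} hit {path} {peak} times within 10s")
```

The flagged addresses are candidates for a firewall block or a per-client request limit; tune `max_hits` and `window` against normal traffic for the script in question before acting on the output.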