Re: [suse-security] Under DDoS Attack
media Formel4 wrote:

> - Is it possible with spoofed IP numbers to establish connections to
> port 80? As far as I know you should get stuck after "SYN".
> I'm asking that, because tracing back the IPs in question I find
> very often unrouted areas and non-reachable (but maybe firewalled) IPs.

i would say no (else the school was pretty useless ;-)

> - How can I secure this server and/or stop this attack?

this attack is very mean and it succeeds almost always (even if you just
do it from a single attacking machine).
i would do a search on google, there are definitely others who were
under the same sort of attack.

just some thoughts about how it could be possible to protect (at least a
bit). maybe it's possible to let netfilter's connection tracking do the
work for you. if you got it installed on your machine just enable it (by
writing a simple rule, something like "iptables -A INPUT -p tcp --dport
80 -m state --state NEW,ESTABLISHED -j ACCEPT") and then set the size of the
connection table to some small number (check google how to do it). the
idea behind it is, that i assume (i didn't try it or investigate
it!!) that the connection tracking will always drop the connection that
was inactive the longest and so the connections that send something
should be kept alive and the "just open" sessions would be dropped. if
you set the number to 100 or something, the backend httpd process should
be protected (maybe). but take care that connection tracking doesn't
lock you out as it is used on all connections (not just the one you write
a rule for)
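
Added example, not part of the original message: a small Python parser for the text form of the connection-tracking table (as exposed in /proc/net/ip_conntrack or /proc/net/nf_conntrack) that counts port-80 entries by TCP state and lists sources holding many ESTABLISHED connections, which separates half-open entries from the "just open" sessions discussed above. The sample table, the addresses and the threshold of 3 are constructed for illustration.

```python
from collections import Counter

def _entry(state, src, sport, dport=80, timeout=60):
    # Builds one constructed line in the conntrack text format.
    return (f"tcp      6 {timeout} {state} src={src} dst=198.51.100.5 "
            f"sport={sport} dport={dport} src=198.51.100.5 dst={src} "
            f"sport={dport} dport={sport} use=1")

# Constructed sample table; all addresses are documentation ranges.
SAMPLE = "\n".join(
    [_entry("ESTABLISHED", "203.0.113.7", 40000 + i, timeout=431990) for i in range(4)]
    + [_entry("ESTABLISHED", "192.0.2.44", 51515, timeout=431200),
       _entry("SYN_RECV", "192.0.2.200", 1025),
       _entry("SYN_RECV", "192.0.2.201", 1026),
       _entry("ESTABLISHED", "192.0.2.44", 51600, dport=22),
       "udp      17 20 src=192.0.2.44 dst=198.51.100.5 sport=5353 dport=53 "
       "src=198.51.100.5 dst=192.0.2.44 sport=53 dport=5353 use=1"])

def parse(line):
    """Return (state, src, dport) of the original direction for a TCP entry, else None."""
    parts = line.split()
    if "tcp" not in parts:
        return None
    i = parts.index("tcp")          # nf_conntrack lines have "ipv4 2" before "tcp"
    if len(parts) < i + 4:
        return None
    state, fields = parts[i + 3], {}
    for tok in parts[i + 4:]:
        key, sep, val = tok.partition("=")
        if sep:
            fields.setdefault(key, val)   # first src/dport = original direction
    if "src" not in fields or not fields.get("dport", "").isdigit():
        return None
    return state, fields["src"], int(fields["dport"])

def summarize(text, port=80, threshold=3):
    """Count states on `port`; list sources with >= threshold ESTABLISHED entries."""
    states, holders = Counter(), Counter()
    for line in text.splitlines():
        entry = parse(line)
        if entry is None or entry[2] != port:
            continue
        state, src, _ = entry
        states[state] += 1
        if state == "ESTABLISHED":
            holders[src] += 1
    suspects = [(s, n) for s, n in holders.most_common() if n >= threshold]
    return states, suspects

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On a live host the input would be the contents of the conntrack proc file instead of `SAMPLE`.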