Re: DoS problem.

From: Matthew Baker (m@wheres.co.uk)
Date: Sat Jan 21 2006 - 17:16:45 EST


Hi Jorge,

Looks like a SYN flood attack to me. If you are using Linux on the
servers then use syncookies[1] to stop this. They are not enabled by
default because strictly speaking they are not RFC compliant.

To do this edit /etc/sysctl.conf and add this line:

net/ipv4/tcp_syncookies=1

Then apply the changes by running:

$ sysctl -p

[1] http://cr.yp.to/syncookies.html

Cheers,

Matt

Jorge Alfredo Garcia wrote:
> I have two dedicated servers, both hosted by the same provider and
> both on the same segment.
> I am under a denial of service attack but I don't know exactly how to stop it.
> Here is a piece of my netstat output:
>
> tcp 0 1 XX.XX.XX.AA:47561 XX.XX.XX.BB:80 SYN_SENT
> tcp 0 1 XX.XX.XX.AA:47562 XX.XX.XX.BB:80 SYN_SENT
> tcp 0 1 XX.XX.XX.AA:47565 XX.XX.XX.BB:80 SYN_SENT
> tcp 0 1 XX.XX.XX.AA:47564 XX.XX.XX.BB:80 SYN_SENT
> tcp 0 1 XX.XX.XX.AA:47567 XX.XX.XX.BB:80 SYN_SENT
>
> OK, XX.XX.XX.AA is the server I am in now.
> XX.XX.XX.BB is mine too and here are the connections:
>
> tcp 0 0 XX.XX.XX.BB:80 XX.XX.XX.AA:50749 SYN_RECV
> tcp 0 0 XX.XX.XX.BB:80 XX.XX.XX.AA:50598 SYN_RECV
> tcp 0 0 XX.XX.XX.BB:80 XX.XX.XX.AA:50309 SYN_RECV
>
> I have thousands of these connections on both servers.
> I made iptables rules on both sites but the attack is still running and
> the rules don't work.
>
> I can't understand how this attack can be made taking into account that
> the attacker isn't inside any of my servers.
> Why don't iptables rules work against this?
>
> Thanks in advance.
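
As an added example (not part of the original post or of either author's setup): shell functions that count half-open SYN_RECV connections per remote address from `netstat -nt` output and check whether a sysctl.conf-style file turns syncookies on. The function names and the sample connection lines are constructed for illustration; the addresses come from the documentation ranges.

```shell
#!/bin/sh
# Added example: triage for the half-open (SYN_RECV) backlog discussed above.

# Constructed sample in "netstat -nt" layout (documentation address ranges).
sample_netstat() {
cat <<'EOF'
tcp        0      0 192.0.2.10:80      198.51.100.7:50749   SYN_RECV
tcp        0      0 192.0.2.10:80      198.51.100.7:50598   SYN_RECV
tcp        0      0 192.0.2.10:80      198.51.100.7:50309   SYN_RECV
tcp        0      0 192.0.2.10:80      203.0.113.5:41000    SYN_RECV
tcp        0      0 192.0.2.10:80      203.0.113.9:41022    ESTABLISHED
tcp        0      1 192.0.2.10:47561   198.51.100.7:80      SYN_SENT
EOF
}

# Total number of half-open connections on stdin (netstat -nt output).
half_open_total() {
    awk '$1 ~ /^tcp/ && $NF == "SYN_RECV" { c++ } END { print c + 0 }'
}

# "count peer" per remote address holding SYN_RECV entries, busiest first.
# With spoofed sources the counts spread thinly over many peers, which is
# why per-address filtering does little and syncookies are the usual answer.
half_open_by_peer() {
    awk '$1 ~ /^tcp/ && $NF == "SYN_RECV" {
             peer = $5; sub(/:[0-9]+$/, "", peer); n[peer]++
         }
         END { for (p in n) print n[p], p }' | sort -rn
}

# Exit 0 if the sysctl.conf-style file $1 sets tcp_syncookies to 1.
# Accepts both the slash and the dot key form; the last setting wins.
syncookies_configured() {
    awk -F= '{ gsub(/[ \t]/, "") }
             /^#/ || /^;/ { next }
             $1 == "net/ipv4/tcp_syncookies" ||
             $1 == "net.ipv4.tcp_syncookies" { v = $2 }
             END { exit (v == "1" ? 0 : 1) }' "$1"
}

# Demo on the constructed sample; on a live host use: netstat -nt | half_open_by_peer
sample_netstat | half_open_by_peer
```

On a live server, `syncookies_configured /etc/sysctl.conf` reports only what the file says; the running value is whatever `sysctl -p` last applied.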

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:23 EDT