Maybe an upgrade of apache would be a good start? And have a look at mod_bandwidth <http://www.cohprog.com/mod_bandwidth.html> and mod_dosevasive <http://www.nuclearelephant.com/projects/dosevasive/>.

-david

> -----Original Message-----
> From: Jez Hancock [mailto:[EMAIL PROTECTED]
> Sent: Friday, 5 December 2003 23:41
> To: [EMAIL PROTECTED]
> Subject: Re: ipfilter traffic blocking and tcpdump snort etc
>
> On Fri, Dec 05, 2003 at 01:10:16PM +0100, Melvyn Sopacua wrote:
> > On Friday 05 December 2003 11:58, Jez Hancock wrote:
> > > Let me rephrase that one :P I meant is there a method - for example
> > > such as adding some kind of routing via arp - so that packets are
> > > dropped on the floor even quicker than they would be via the firewall
> > > method?
> >
> > You could bind the ip's to the loopback interface, but I think the firewall
> > setup is quicker.
> Interesting(!) idea but kind of does the DOS'ers job for 'em!
>
> I'm really curious as to what type of attack it actually was. Right now
> I know:
>
> - it was aimed at a single address on port 80
> - global apache errorlog was relatively quiet in the run up to the
> exhaustion of apache with only a small hint that a larger number of
> requests were being made:
>
> [Thu Dec 4 18:47:46 2003] [info] server seems busy, (you may need to increase StartServers, or Min/MaxSpareServers), spawning 8 children, there are 0 idle, and 146 total children
> [Thu Dec 4 18:47:47 2003] [error] server reached MaxClients setting, consider raising the MaxClients setting
> [Thu Dec 4 18:52:34 2003] [notice] child pid 91863 exit signal Segmentation fault (11)
> <snip same error log line repeated around 4,500 times!>
> [Fri Dec 5 00:13:04 2003] [notice] child pid 38280 exit signal Segmentation fault (11)
> [Fri Dec 5 01:35:52 2003] [info] server seems busy, (you may need to increase StartServers, or Min/MaxSpareServers), spawning 8 children, there are 0 idle, and 17 total children
>
> note the 5min gap between the server reaching the MaxClients setting
> and the server collapsing with no err log entries in between
>
> - no HTTP requests were logged by apache from any of the dozen or so
> attacking hosts
>
> - snort captured only SYN packets from the attacking hosts (I suppose
> this explains why no requests were logged by apache)
>
> - all the attacking hosts had both port 25 and 80 open, although none of
> those hosts accepted inbound connections to those ports
>
> Would appear someone had control over a few zombie hosts and was able to
> coordinate a distributed attack - thankfully it was only a dozen or so
> hosts :P
>
> --
> Jez Hancock
> - System Administrator / PHP Developer
>
> http://munk.nu/
> _______________________________________________
> [EMAIL PROTECTED] mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "[EMAIL PROTECTED]"
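As an added example (not code from the thread or from any of the posters), a small Python triage script that applies the pattern Jez describes to an Apache 1.3-style error log: it parses the timestamped lines, finds the MaxClients event, and reports how many child segfaults followed it and how long the gap was. The sample log is constructed to mirror the quoted lines; the threshold of 10 segfaults is an assumed tuning value.

```python
import re
from datetime import datetime

# Apache 1.3-style error log line: "[Thu Dec  4 18:47:46 2003] [level] message"
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")

# Constructed sample modelled on the lines quoted in the thread (not the real log):
# a "busy" warning, the MaxClients line, then a burst of child segfaults.
SAMPLE_LOG = (
    "[Thu Dec  4 18:47:46 2003] [info] server seems busy, (you may need to increase "
    "StartServers, or Min/MaxSpareServers), spawning 8 children, there are 0 idle, "
    "and 146 total children\n"
    "[Thu Dec  4 18:47:47 2003] [error] server reached MaxClients setting, consider "
    "raising the MaxClients setting\n"
    "<snip same error log line repeated>\n"
    + "".join(
        f"[Thu Dec  4 18:52:{34 + i:02d} 2003] [notice] child pid {91863 + i} "
        "exit signal Segmentation fault (11)\n"
        for i in range(12)
    )
)

def parse_line(line):
    """Return (timestamp, level, message), or None for lines that are not log entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # collapse the padded day ("Dec  4") so strptime's %d accepts it
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("level"), m.group("msg")

def triage_exhaustion(lines, segfault_threshold=10):
    """Flag the pattern from the thread: MaxClients reached, then a burst of child deaths."""
    first_max, segfaults = None, []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _level, msg = parsed
        if "server reached MaxClients" in msg and first_max is None:
            first_max = ts
        elif "exit signal Segmentation fault" in msg:
            segfaults.append(ts)
    after = [t for t in segfaults if first_max and t >= first_max]
    gap = (min(after) - first_max).total_seconds() if after else None
    return {
        "maxclients_at": first_max,
        "segfaults_after_maxclients": len(after),
        "gap_to_first_segfault_s": gap,
        "suspicious": len(after) >= segfault_threshold,
    }
```

Running `triage_exhaustion(SAMPLE_LOG.splitlines())` on the constructed sample reports 12 segfaults starting 287 seconds after MaxClients was hit; on a real log the same gap, with nothing logged in between, is the symptom worth alerting on before the access log shows anything.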