You will never manage to stop an attack! All you can do is either wait
until it's finished, pay the attacker, or prepare your environment to be
able to handle attacks alongside regular traffic successfully. The last way
is obviously the one we are interested in.
Since they will come from thousands upon thousands of different IPs,
blocking is a possible workaround, but be aware that you may cut good
traffic as well, since the source IPs are in most cases spoofed and may
belong to other parties.
Shorewall can successfully block that traffic, but it has to be processed
(rejected, dropped, whatever) anyway.
But thousands per hour does not sound like a problem; I guess you mean
thousands per second. The problem in most cases is a bad handshake or a
header broken in some other way, and they send thousands upon thousands of
them.
There are some workarounds for how you can solve your problem.
1.) LVS
2.) A proxy server
3.) Talk to your provider; they may have Arbors, Brocades or similar in
their network
So all in all, you have to ask yourself a question. Are you earning money
with your website, which means is it a shop or only informational? If it is
a shop you will definitely become a target once the time is ripe for it.
Normally, besides the attack you receive e-mails where you are requested in
a very polite way to pay 100 or 200 Euros. Not much, but anyway not what we
want.
We have learned that a web service such as a web server should not be behind
a firewall. There is really no reason to do it if you have multiple
visitors. Better to put it beside, but behind a load balancer or a proxy.
They can easily handle hundreds of thousands of sessions and are able to
have filter sets to eat the bad sessions and only let the good ones through
to your real server.
So all in all, it's only a problem of the amount of queries. From a given
time our session table is too full, and since you have bad SYNs or whatever
it can take some time to time out, but new sessions are arriving anyway each
second.
So all in all, it's not a Shorewall problem and usually also not a bandwidth
problem. So even if you would use a medium-sized hardware firewall such as
Juniper or Cisco, you won't be able to fight against them.
I hope I was able to give some ideas on how to move on.
Cheers
Michael
_____
From: Marius Stan [mailto:[email protected]]
Sent: Wednesday, 25 August 2010 07:46
To: Shorewall Users
Subject: Re: [Shorewall-users] Can Shorewall Help Me?
On 8/25/2010 5:33 AM, J and T wrote:
Hello,
I've been a Shorewall user and supporter for many years and it has been a
great tool. But recently our Web servers have been under attack and I can't
figure out how to stop it. The problem is that the attacks are coming in on
port 80 all from different IPs. I'm talking thousands of requests per hour.
I can't find any information on how to stop this kind of attack. What I'm
doing right now is redirecting these from cgi to a page using mod rewrite,
but this isn't stopping all these requests from being initiated and it's
killing our server. Any ideas on what to do?
I've been using with very good results the script from here:
http://deflate.medialayer.com/
I would recommend using the following line in it though:
netstat -ntu | grep ":80" | awk '{print $5}' | sed s/::ffff:// | cut -d: -f1 \
  | sort | uniq -c | sort -nr > $BAD_IP_LIST
Good luck,
Marius
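A variant of that pipeline, added here as an example and not taken from the list post or from the deflate script: it counts a connection only when port 80 is the *local* port (the bare `grep ":80"` above also matches remote ports such as 8080 and other local ports such as 8000), strips the `::ffff:` IPv4-mapped prefix, keeps real IPv6 peers intact, and runs against constructed `netstat -ntu` output so it can be tried offline. The sample lines and the threshold are assumptions.

```shell
#!/bin/sh
# Tally connections to local port 80 per remote address from `netstat -ntu`
# output read on stdin. Prints "count ip", highest count first.
count_conns_by_ip() {
    awk '$4 ~ /:80$/ {                      # field 4 = Local Address; port 80 only
             ip = $5                        # field 5 = Foreign Address (ip:port)
             sub(/:[0-9]+$/, "", ip)        # drop the remote port (last :NNNN)
             sub(/^::ffff:/, "", ip)        # unwrap IPv4-mapped IPv6 addresses
             print ip
         }' | sort | uniq -c | sort -nr | awk '{print $1, $2}'
}

# Addresses holding at least $1 connections to port 80; this is the list the
# deflate-style script would hand to the firewall (e.g. as a Shorewall blacklist
# entry), which is why counting only genuine port-80 peers matters.
over_threshold() {
    count_conns_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# Constructed sample of `netstat -ntu` output (not real traffic). Note the
# SSH line with remote port 48080 and the UDP line with remote port 8080:
# neither is a connection to the web server and neither must be counted.
SAMPLE=$(cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             ::ffff:198.51.100.7:51000 ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51001      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:51002      SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:40022       ESTABLISHED
tcp        0      0 10.0.0.5:22             203.0.113.9:48080       ESTABLISHED
udp        0      0 10.0.0.5:53             192.0.2.33:8080         ESTABLISHED
tcp6       0      0 2001:db8::5:80          2001:db8::1:54321       ESTABLISHED
EOF
)

# Stand-alone demo: per-IP counts, then the addresses at or above 2 connections.
printf '%s\n' "$SAMPLE" | count_conns_by_ip
printf '%s\n' "$SAMPLE" | over_threshold 2
```

On a live host replace the sample with `netstat -ntu | count_conns_by_ip`; a threshold of 2 is only for the demo and would be far higher in practice.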
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users