RE: DOS ATTACK

From: Trey A Mujakporue (Trey.trey@ntlworld.com)
Date: 10/29/02


From: "Trey A Mujakporue" <Trey.trey@ntlworld.com>
To: "'Blake Girardot'" <girardot@mac.com>, "'Hunt, Jim'" <Jim.Hunt@nwsc.k12.in.us>, <Incidents@securityfocus.com>
Date: Tue, 29 Oct 2002 11:48:39 -0000

Isn't this the Slashdot effect? You could try mailing the guys at Slashdot and see what they say.
I feel no amount of firewall tweaking will solve this, and as Blake rightly put it, the requests are from the "big site's" visitors, and these could be anybody (for all you know it could be one of us!)

This problem will most likely be solved by a change in infrastructure / tarpitting connections to the specific host.
I just Googled and came up with this link: http://www.geek.com/news/geeknews/2002jan/gee20020116009794.htm

-----Original Message-----
From: Blake Girardot [mailto:girardot@mac.com]
Sent: 29 October 2002 04:10
To: Hunt, Jim; Incidents@securityfocus.com
Subject: Re: DOS ATTACK

Well, for the folks that say block the IP address, I don't think that will
work.

If I understand the problem, a popular webserver (attacker) has placed links
to pages in hidden iframes on the DOS target (target) machine.

So when I hit the attacker machine, his web page just makes my browser get
files off the target machine, and hence the DOS, so the IP address the
request comes from will be that of the CLIENT, not the server that is
technically the attacking machine.

They are using their own visitors to DOS the target machine from a variety
of IP addresses as a result.

Most things you can do to combat it would probably still take the hit to the
server, which I guess is your problem. Suggestions depend on what the actual
DOS problem is: connections to the webserver? bandwidth overuse? something
else, database hits on your server?

Maybe you could:

0. CALL THE GUY'S ISP; notify them at abuse@, admin@, security@, postmaster@
or any other public mail address they show. It has to be against their terms
of use. Do this no matter what; consider calling the police or FBI, DOS
attacks are illegal. And tell this guy you are going to do that as well.

1. Put a redirect to a huge file on his server in place of the file he is
linking to, so he would reattack himself, if possible. It would also make his
site seem slow to the client.

2. Make a text file instead that explains why the website they are on is
being such a weasel, or some other negative thing, and hope someone views
source. Put dirty words in it so maybe content filtering proxies screw him
up.

3. Block traffic based on referrer. But like I said, that will still take a
hit on your webserver since you can't know who referred till the packet is
decoded, and using the iframes trick might screw up the referrer, but it is
worth a look.
http://www.cpan.org/modules/by-module/Apache/Apache-RefererBlock-0.03.readme
says it will do it, but again, depending on what resource of yours he is
using up, it might not help.

4. Get a stateful firewall that can look inside the TCP/IP packets and grep
for his IP address, since it will be in the packet payload someplace.

5. Make a JavaScript page that pops up a window and says bad things about
this whole situation.

6. Require some pages to have certain referrers; if it is inside pages, you
can check the referrer and maybe make sure it came from another page on your
website.
http://www.leekillough.com/robots.html might help you there.

After a re-read, some of the above don't make sense since he might be
pulling in the actual pages of the target website, so you can't just replace
them, I guess. Hope for the referrer thing.

----- Original Message -----
From: "Hunt, Jim" <Jim.Hunt@nwsc.k12.in.us>
To: <Incidents@securityfocus.com>
Sent: Sunday, October 27, 2002 11:59 PM
Subject: DOS ATTACK

> I have a friend that has a DOS attack going on against their website. It
> is being done by someone with a very popular website trying to squash a
> little guy. He is doing it by placing 1 pixel by 1 pixel inline frames in
> his webpages and having them load my friend's webpage. It is killing his
> server and bandwidth.
>
> What can we do to block? The Server is W2K with IIS.
>
> Thanks!
>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com


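The thread's most practical suggestion is Blake's item 3/6: use the Referer header to tell framed-in requests from the big site apart from ordinary visitors, and reject them as cheaply as possible. The following is an added example, not code from anyone in the thread: it first tallies Referer hosts over a few constructed access-log lines (Apache Combined Log Format is assumed; IIS on W2K logs in W3C extended format by default, so the regex would need adjusting) to identify the framing site, and then shows the request-time decision. The hostnames bigsite.example and littleguy.example are made up for the example. Two caveats from the thread are built in: requests with no Referer are never blocked, since many clients and proxies strip it, and the server still pays for the TCP connection and the HTTP parse, so this only removes the expensive part of each request.

```python
"""Referer-based triage for an iframe-driven request flood.

Added example; not part of the original mailing-list thread.
Hostnames, IP addresses and log lines below are constructed.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample lines in Apache Combined Log Format (assumption: the
# real server in the thread is IIS, whose default W3C format differs).
SAMPLE_LOG = """\
203.0.113.10 - - [29/Oct/2002:11:48:01 +0000] "GET /index.html HTTP/1.1" 200 5123 "http://bigsite.example/frontpage.html" "Mozilla/4.0"
203.0.113.11 - - [29/Oct/2002:11:48:02 +0000] "GET /index.html HTTP/1.1" 200 5123 "http://bigsite.example/frontpage.html" "Mozilla/4.0"
198.51.100.7 - - [29/Oct/2002:11:48:02 +0000] "GET /news.html HTTP/1.1" 200 2210 "http://littleguy.example/index.html" "Mozilla/4.0"
203.0.113.12 - - [29/Oct/2002:11:48:03 +0000] "GET /index.html HTTP/1.1" 200 5123 "http://bigsite.example/story.html" "Mozilla/4.0"
192.0.2.5 - - [29/Oct/2002:11:48:04 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Parse Combined Log Format lines into dicts; unparseable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def referer_hosts(rows):
    """Count requests per Referer hostname. A missing Referer ('-') counts as ''."""
    counts = Counter()
    for row in rows:
        ref = row["referer"]
        host = "" if ref == "-" else (urlparse(ref).hostname or "")
        counts[host.lower()] += 1
    return counts


def top_offsite_referers(rows, own_hosts, n=3):
    """The n busiest Referer hosts that are not our own site: candidate framers."""
    counts = referer_hosts(rows)
    return [(h, k) for h, k in counts.most_common() if h and h not in own_hosts][:n]


def should_block(referer, own_hosts, blocked_hosts):
    """True only when a Referer is present and names a blocked off-site host.

    An absent Referer is never blocked: many browsers and proxies strip it,
    so blocking on it would turn away legitimate direct visitors.
    """
    if not referer or referer == "-":
        return False
    host = urlparse(referer).hostname
    if host is None:
        return False
    host = host.lower()
    if host in own_hosts:
        return False
    return host in blocked_hosts


def handle(request_headers, own_hosts, blocked_hosts):
    """Request-time decision: a 403 with an empty body for framed-in requests,
    so no page rendering or database work is done for them. The connection and
    header parse still cost something; only the expensive part is avoided."""
    if should_block(request_headers.get("Referer"), own_hosts, blocked_hosts):
        return 403, b""
    return 200, b"<html>...real page...</html>"


if __name__ == "__main__":
    own = {"littleguy.example"}
    rows = parse_log(SAMPLE_LOG)
    offenders = top_offsite_referers(rows, own)
    print("top off-site referers:", offenders)
    blocked = {h for h, _ in offenders}
    print(handle({"Referer": "http://bigsite.example/frontpage.html"}, own, blocked))
    print(handle({}, own, blocked))
```

Run the log-analysis half first against a real log to confirm the framing site dominates the Referer counts before enabling the block, and keep the blocked-host set small and explicit rather than blocking every off-site Referer, which would also cut off search engines and legitimate links.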

