Re: DDoS Attack
From: Justin Pryzby (justinpryzby_at_users.sourceforge.net)
Date: 05/22/03
- Previous message: Angelz: "Re: DDoS Attack"
- Maybe in reply to: Steven Shepherd: "DDoS Attack"
- Next in thread: Andrew Anderson: "Re: DDoS Attack"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 22 May 2003 15:27:59 -0400 To: Steven Shepherd <steven@valueweb.com>
From how many IP addresses/networks? If apache is seeing connections,
then probably the network addresses (if not the IP addresses as well)
are real, not spoofed. I think blocking specific addresses as close to
the source as possible is the accepted solution: talk to your ISP. They
should be able to block addresses if you can provide them.
Justin Pryzby
On Thu, May 22, 2003 at 01:13:00PM +0000, Steven Shepherd wrote:
>
> Our parent company is experiencing a very odd/severe DDoS attack coming
> from all over the place. For the most part, the attack is occuring at
> the Apache level. Log files show this request:
>
> [Tue May 20 09:13:33 2003] [error] [client 194.xxx.xxx.xxx] request
> failed: erroneous characters after protocol string: -nb GET
> !@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!-nb
> GET
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@-nb
> GET
> !@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!-nb
> GET +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ +
> +ATH0+ + +ATH0+ + +ATH0+ + +\x01TH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+
> + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+
> + +ATH0+
>
> Scans of some of the attacking IP's show BackOrifice installations.
>
> Has anyone had this sort of attack and what would be the best way to
> combat it? Not much luck from the upstream(s) thus far.
>
>
>
> ----------------------------------------------------------------------------
> *** Wireless LAN Policies for Security & Management - NEW White Paper ***
> Just like wired networks, wireless LANs require network security policies
> that are enforced to protect WLANs from known vulnerabilities and threats.
> Learn to design, implement and enforce WLAN security policies to lockdown enterprise WLANs.
>
> To get your FREE white paper visit us at:
> http://www.securityfocus.com/AirDefense-incidents
> ----------------------------------------------------------------------------
>
----------------------------------------------------------------------------
*** Wireless LAN Policies for Security & Management - NEW White Paper ***
Just like wired networks, wireless LANs require network security policies
that are enforced to protect WLANs from known vulnerabilities and threats.
Learn to design, implement and enforce WLAN security policies to lockdown enterprise WLANs.
To get your FREE white paper visit us at:
http://www.securityfocus.com/AirDefense-incidents
----------------------------------------------------------------------------
- Previous message: Angelz: "Re: DDoS Attack"
- Maybe in reply to: Steven Shepherd: "DDoS Attack"
- Next in thread: Andrew Anderson: "Re: DDoS Attack"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
