Re: DOS attack tool can be used in lab



You could set a firewall rule to drop any incoming SYN packets from
the Internet, which is a very good idea anyway unless you have some
specific need for it (i.e. this machine is on the DMZ and is a web
server).

On Mon, Sep 7, 2009 at 7:38 AM, L. Pop <zhiglee@xxxxxxxxx> wrote:
Thanks for your help!

Now I am clear about how we get attacked:
first they establish a TCP connection with us, then they just ignore
our "FIN" packet;
the server has to resend the packet 12 times, then sends an RST packet to give up.
The interval of retry gradually increases:
  [1st] 1s plus/minus 0.5s
  [2nd] 3s plus/minus 0.5s
  [3rd] 6s plus/minus 0.5s
  ....
  [7th] 64s plus/minus 0.5s
  [8th] 64s plus/minus 0.5s
  ....
  [12th] 64s plus/minus 0.5s


However, I am not confident about changing those parameters; after all, those
settings apply to all TCP sessions. My OS is FreeBSD 6.4.

Still need your help on how to prevent such attack.

Kind Regards,
Pop


2009/9/3 HD Moore <hdm@xxxxxxxxxxxxxxxxxx>:
On Wed, 2009-09-02 at 11:28 +0800, L. Pop wrote:
Hi Guys,

Recently one of our FreeBSD servers always experiences "Socket: No
buffer space available..." errors, and there are too many FIN_WAIT_1s
in the system; it is likely that we are being DoSed.


Is there any handy DoS simulation tool that I can use in the lab to
reproduce the problem? Thanks in advance!


This issue occurs when your side of the connection is trying to send
data, but the remote side stops receiving it (reduces the TCP window to
0 or a small value). With enough of these sessions, you start to hit
that message. I believe you can reproduce this with Slowloris:

http://ha.ckers.org/blog/20090617/slowloris-http-dos/



------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------
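The thread's symptom (many sockets stuck in FIN_WAIT_1 with data still queued, concentrated on a few remote hosts) is easy to confirm from `netstat -an` before touching any TCP sysctl. The script below is an added example, not code from anyone in the thread: it parses FreeBSD-style `netstat -an -p tcp` output, counts FIN_WAIT_1 sockets and queued send bytes per remote address, flags hosts over a threshold, and prints a pf table plus block rule for them. The sample netstat lines, the threshold, and the table name `finwait_abusers` are constructed for the demo; in practice feed it the real output (`netstat -an -p tcp | python3 finwait.py`) and review the list before loading it with `pfctl`.

```python
"""Spot remote hosts holding many FIN_WAIT_1 sockets on a FreeBSD box.

Added example for the thread above; assumes the FreeBSD netstat layout
(addr.port endpoints, state in the last column). Sample data, threshold
and the pf table name are made up for illustration.
"""
import re
import sys
from collections import Counter, defaultdict

# Constructed sample of `netstat -an -p tcp` output (not a real capture).
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0  65535  10.0.0.5.80            203.0.113.7.51234      FIN_WAIT_1
tcp4       0  65535  10.0.0.5.80            203.0.113.7.51235      FIN_WAIT_1
tcp4       0  65535  10.0.0.5.80            203.0.113.7.51236      FIN_WAIT_1
tcp4       0      0  10.0.0.5.80            198.51.100.9.40001     ESTABLISHED
tcp4       0  65535  10.0.0.5.80            198.51.100.9.40002     FIN_WAIT_1
tcp4       0      0  10.0.0.5.22            192.0.2.44.55000       ESTABLISHED
tcp4       0      0  *.80                   *.*                    LISTEN
tcp6       0  65535  2001:db8::5.80         2001:db8:1::9.33001    FIN_WAIT_1
"""

# proto recv-q send-q local foreign state
LINE_RE = re.compile(r"^(tcp[46])\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+([A-Z_0-9]+)\s*$")


def split_addr(endpoint):
    """FreeBSD prints 'addr.port'; IPv6 addresses contain ':' but the port
    is still separated by the last '.', so split there."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def parse_netstat(text):
    """Return a list of (proto, local, remote_host, remote_port, state, send_q)
    for every non-listening TCP socket in netstat output."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines, udp, unix sockets
        proto, _recvq, sendq, local, foreign, state = m.groups()
        if state == "LISTEN":
            continue
        rhost, rport = split_addr(foreign)
        rows.append((proto, local, rhost, rport, state, int(sendq)))
    return rows


def finwait1_stats(rows):
    """Per remote host: (count of FIN_WAIT_1 sockets, bytes stuck in Send-Q).
    A large Send-Q on a FIN_WAIT_1 socket is the zero-window symptom the
    thread describes: we have data to send but the peer will not take it."""
    counts = Counter()
    queued = defaultdict(int)
    for _proto, _local, rhost, _rport, state, sendq in rows:
        if state == "FIN_WAIT_1":
            counts[rhost] += 1
            queued[rhost] += sendq
    return {h: (counts[h], queued[h]) for h in counts}


def suspects(rows, threshold):
    """Remote hosts with at least `threshold` FIN_WAIT_1 sockets,
    busiest first (ties broken by address for stable output)."""
    stats = finwait1_stats(rows)
    hits = [(h, n, q) for h, (n, q) in stats.items() if n >= threshold]
    return sorted(hits, key=lambda t: (-t[1], t[0]))


def pf_block_rules(hosts, table="finwait_abusers"):
    """pf.conf fragment that drops all inbound traffic from the flagged hosts.
    Load with: pfctl -t finwait_abusers -T add <addr>  (or reload pf.conf)."""
    lines = ["table <%s> persist { %s }" % (table, ", ".join(hosts)),
             "block in quick from <%s>" % table]
    return "\n".join(lines)


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    rows = parse_netstat(text)
    for host, n, q in suspects(rows, threshold=3):
        print("%-20s FIN_WAIT_1=%d send_q_bytes=%d" % (host, n, q))
    bad = [h for h, _n, _q in suspects(rows, threshold=3)]
    if bad:
        print(pf_block_rules(bad))
```

On the sample data only 203.0.113.7 crosses a threshold of three; the two single-socket hosts are left alone, which is the point of thresholding rather than blocking every peer that ever shows a FIN_WAIT_1. The blanket "drop inbound SYN" rule from the reply above is a different control (in pf it is a `block in proto tcp flags S/SA` rule on the external interface) and is not generated here because it would also cut off legitimate new connections to the web server.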



