Re: HELP Under Attack

From: Jim G. (jgrago_at_NO_SPAM-twcny.rr.com)
Date: 08/24/04


Date: Tue, 24 Aug 2004 13:02:20 GMT

Hello, yes we are a well known company and we currently have 5 servers with
a load balancer. The balancer did a good job keeping up with the attack.
From what I have read, tcp_syncookies takes the load off of Apache and
transfers it to the kernel. I cannot drop traffic to any country because we
deal with all countries around the world.

I will let you know how this works.

Thanks!

"Alexander Clouter" <alex@digriz.junk-this.org.uk> wrote in message
news:412a7780$1_2@127.0.0.1...
> On 2004-08-23, Jim G. <jgrago@NO_SPAM-twcny.rr.com> wrote:
>> How do I stop a DoS SYN attack? My ISP has already stopped UDP
>> connections from hitting my servers, but I still have 225,000
>> connections to my 5 servers from a SYN attack.
>>
> hmmm the signs of preparation.... :) As if I could talk anyway.
>
> The thing is, to 'acquire' a DoS attack you must have annoyed someone or
> been a high profile company....only curious why they would target you.
>
> As for fixes, first of all drop all traffic from countries you expect no
> traffic from (or rather, probably better, only permit the ones you do
> business with through)[1].
>
> As for SYN-Cookies, make sure you have stacks of memory available and a
> couple of CPU cycles to spare...
>
> # echo 1 > /proc/sys/net/ipv4/tcp_syncookies
>
> and that's it....30 seconds of Google searching would have told you this.
>
> Other things you should try are using Ethereal[2] to see if the script
> kiddy has made the common mistake of having something 'static' in the DoS
> attack (usually the source port or sequence number). With this you can
> filter upstream by the ISP or yourself.
>
> Have fun and let me know how you get along ;)
>
> Cheers
>
> Alex
>
> [1] http://ip.ludost.net/
> [2] http://www.ethereal.com/
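As an added example (written here, not by either poster), a small Python script that does the "look for something static in the flood" check Alex describes. It runs over constructed tcpdump-style lines rather than a real capture, keeps only the bare SYNs, and reports any header field (source port, sequence number, window) that a single value dominates across many different source addresses, which is exactly what an upstream or host filter could key on without touching legitimate clients.

```python
import re
from collections import Counter

# Constructed tcpdump-style lines (not a real capture): two legitimate
# handshakes plus a spoofed flood that never varies its sport/seq/win.
CAPTURE = """\
IP 198.51.100.7.51234 > 192.0.2.10.80: Flags [S], seq 883921044, win 65535, length 0
IP 203.0.113.44.6667 > 192.0.2.10.80: Flags [S], seq 12345678, win 512, length 0
IP 203.0.113.91.6667 > 192.0.2.10.80: Flags [S], seq 12345678, win 512, length 0
IP 198.51.100.9.38811 > 192.0.2.10.80: Flags [S], seq 77120993, win 64240, length 0
IP 203.0.113.3.6667 > 192.0.2.10.80: Flags [S], seq 12345678, win 512, length 0
IP 203.0.113.250.6667 > 192.0.2.10.80: Flags [S], seq 12345678, win 512, length 0
IP 203.0.113.17.6667 > 192.0.2.10.80: Flags [S], seq 12345678, win 512, length 0
IP 203.0.113.129.6667 > 192.0.2.10.80: Flags [S], seq 12345678, win 512, length 0
"""

LINE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\], seq (?P<seq>\d+), win (?P<win>\d+)"
)

def parse_syns(text):
    """Return only the bare SYNs (flags exactly 'S', so SYN/ACK '[S.]' is skipped)."""
    pkts = []
    for line in text.splitlines():
        m = LINE.search(line)
        if m and m.group("flags") == "S":
            d = m.groupdict()
            for k in ("sport", "dport", "seq", "win"):
                d[k] = int(d[k])
            pkts.append(d)
    return pkts

def find_static_fields(pkts, fields=("sport", "seq", "win"), min_share=0.6):
    """Fields whose most common value covers >= min_share of SYNs coming from
    more than one source address.  Returns {field: (value, count)}."""
    if not pkts or len({p["src"] for p in pkts}) < 2:
        return {}
    found = {}
    for f in fields:
        value, count = Counter(p[f] for p in pkts).most_common(1)[0]
        if count / len(pkts) >= min_share:
            found[f] = (value, count)
    return found

if __name__ == "__main__":
    syns = parse_syns(CAPTURE)
    for field, (value, count) in find_static_fields(syns).items():
        print(f"{field} = {value} on {count}/{len(syns)} SYNs -> candidate filter key")
```

A shared window size alone is weak evidence (many real stacks advertise the same value), so treat the result as a shortlist to confirm against the live capture, and prefer a key like source port or sequence number that legitimate clients randomise.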
