Re: HELP Under Attack
From: Jim G. (jgrago_at_NO_SPAM-twcny.rr.com)
Date: 08/25/04
- Next message: Stephan Goeldi: "sshd: lock password intruders"
- Previous message: John-Paul Stewart: "Re: HTTP SERVER ON FORWARDED MACHINE"
- In reply to: Jem Berkes: "Re: HELP Under Attack"
Date: Tue, 24 Aug 2004 23:48:03 GMT
Thanks!
The IPs are spoofed. I had contacted Comcast on one of the IPs that came
back to Plattsburgh, NY; they contacted the user and they said the user had
no clue that their PC was being used in an attack. I have enabled the
tcp_syncookies.
Thanks again
Jim
"Jem Berkes" <jb@users.pc9.org> wrote in message
news:Xns954F621657246jbuserspc9org@130.179.16.24...
>> Hello, yes we are a well known company and we currently have 5 servers
>> with a load balancer. The balancer did a good job keeping up with the
>> attack. From what I have read tcp_syncookies takes the load off of
>> apache and transfers it to the kernel. I cannot drop traffic to any
>> country because we deal with all countries around the world.
>
> If the attacking IP addresses are genuine, then I would strongly recommend
> importing the big list of known compromised/zombie IP addresses from
> ahbl.org, cbl.abuseat.org and using these IPs in your firewall rule to
> block packets.
>
> But if the IP addresses are forged, syn cookies is your best bet. Of course
> you can't do anything about the bandwidth wasted by the attack, but it
> should keep the connection table in your TCP/IP stack clean.
>
> --
> Jem Berkes
> http://www.sysdesign.ca/
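
An added example, not part of the original thread: a way to check the two things discussed above on a Linux host, namely the `tcp_syncookies` setting and how many half-open (SYN_RECV) entries sit in the TCP connection table per local port. The function names and the sample table are constructed for illustration; only IPv4 (`/proc/net/tcp`) is handled.

```shell
#!/bin/sh
# Added example: count SYN_RECV sockets per port and report tcp_syncookies.
# Constructed sample in /proc/net/tcp layout (trailing columns omitted).
# Column 4 is the state: 0A = LISTEN, 01 = ESTABLISHED, 03 = SYN_RECV.
sample_proc_net_tcp() {
cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue
   0: 00000000:0050 00000000:0000 0A 00000000:00000000
   1: 0A00000A:0050 0100000A:C001 03 00000000:00000000
   2: 0A00000A:0050 0200000A:C002 03 00000000:00000000
   3: 0A00000A:0050 0300000A:C003 03 00000000:00000000
   4: 0A00000A:0050 0400000A:C004 01 00000000:00000000
   5: 0A00000A:01BB 0500000A:C005 03 00000000:00000000
EOF
}

# Print "port count" for every local port that has sockets in SYN_RECV.
syn_recv_by_port() {
  awk '
    function hex2dec(h,    i, n) {
      h = toupper(h); n = 0
      for (i = 1; i <= length(h); i++)
        n = n * 16 + index("0123456789ABCDEF", substr(h, i, 1)) - 1
      return n
    }
    NR > 1 && $4 == "03" { split($2, a, ":"); c[hex2dec(a[2])]++ }
    END { for (p in c) print p, c[p] }
  ' | sort -n
}

# Total number of SYN_RECV sockets in the table read from stdin.
count_syn_recv() {
  awk 'NR > 1 && $4 == "03" { n++ } END { print n + 0 }'
}

# Map the sysctl value to a word. $1 = file to read (default: the live sysctl).
syncookies_state() {
  f=${1:-/proc/sys/net/ipv4/tcp_syncookies}
  [ -r "$f" ] || { echo unknown; return 0; }
  case "$(cat "$f")" in
    0) echo off ;;
    1) echo on-overflow ;;   # cookies sent only once the SYN backlog is full
    2) echo always ;;
    *) echo unknown ;;
  esac
}

sample_proc_net_tcp | syn_recv_by_port
echo "tcp_syncookies: $(syncookies_state)"
```

On a live host, feed it the real table with `syn_recv_by_port < /proc/net/tcp`.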