Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: DoS problem.

from [Matthew Baker] Network Security [Permanent Link]
Subject: Re: DoS problem.
Date: Sat, 21 Jan 2006 22:16:45 +0000 
Hi Jorge,

Looks like a SYN flood attack to me. If you are using linux on the servers then use syncookies[1] to stop this. They are not enabled by default because strictly speaking they are not rfc compliant.

To do this edit /etc/sysctl.conf and add this line:

net/ipv4/tcp_syncookies=1

Then apply the changes by running:

$ sysctl -p

[1] http://cr.yp.to/syncookies.html

Cheers,

Matt

Jorge Alfredo Garcia wrote: 
I have two dedicated servers, both hosted by the same provider and
both on the same segmnet.
I am under a denial of services attack but idont know exactaly how to stop it.
Here is a piece of my netstat output:

tcp 0 1 XX.XX.XX.AA:47561 XX.XX.XX.BB:80 SYN_SENT
tcp 0 1 XX.XX.XX.AA:47562 XX.XX.XX.BB:80 SYN_SENT
tcp 0 1 XX.XX.XX.AA:47565 XX.XX.XX.BB:80 SYN_SENT
tcp 0 1 XX.XX.XX.AA:47564 XX.XX.XX.BB:80 SYN_SENT
tcp 0 1 XX.XX.XX.AA:47567 XX.XX.XX.BB:80 SYN_SENT

Ok, XX.XX.XX.AA is the server i am in now.
XX.XX.XX.BB is mine two and here are the connections:

tcp 0 0 XX.XX.XX.BB:80 XX.XX.XX.AA:50749 SYN_RECV
tcp 0 0 XX.XX.XX.BB:80 XX.XX.XX.AA:50598 SYN_RECV
tcp 0 0 XX.XX.XX.BB:80 XX.XX.XX.AA:50309 SYN_RECV

I have thousands of this connections on both servers.
I make iptables rules in both sites but the attack still running and
the rules dont work.

I cant understand how this attack can be made taking into account that
the attacker isnt inside any of my servers.
Why iptables rules dont work against this?

Thanx in advance.

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Tool to make mitm on ssh2, Cedric Foll
Next by Date:  RE: [Fwd: Re: Secure Password Policy?], dave kleiman
Previous by Thread:  Re: DoS problem., Volker Tanger
Next by Thread:  Re: DoS problem., Richard James Blundell
Indexes:  [Date] [Thread] [Top] [All Lists]