Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: DoS problem.

from [Richard James Blundell] Network Security [Permanent Link]
Subject: Re: DoS problem.
Date: Wed, 25 Jan 2006 09:32:25 -0800

Looks like a SYN flood attack to me. If you are using linux on the servers then use syncookies[1] to stop this. They are not enabled by default because strictly speaking they are not rfc compliant.

To do this edit /etc/sysctl.conf and add this line:

net/ipv4/tcp_syncookies=1

Syn cookies will help a bit, but from my experience, only against small attacks. If he is being hit with thousands of false connections like he says he is, he needs something between his application server and the net. Depending on your budget/setup, this unit works great:
http://www.toplayer.com/content/products/intrusion_detection/attack_mitigator.jsp

A cheaper alternative is to route your port 80 traffic through a LVS (www.linuxvirtualserver.org) server and employ some statistical matching of "verified" connections and drop most of the rest. There are some whitepapers on the subject on the net. Alternatively, you can move your website to a network which offers the filter protection similar to the attack mitigator above, such as theplanet/servermatrix.

Good luck, those attacks can be a pain, I know.

-Rick

Jorge Alfredo Garcia wrote:

I have two dedicated servers, both hosted by the same provider and
both on the same segmnet.
I am under a denial of services attack but idont know exactaly how to stop it.
Here is a piece of my netstat output:

tcp 0 1 XX.XX.XX.AA:47561 XX.XX.XX.BB:80 SYN_SENT
tcp 0 1 XX.XX.XX.AA:47562 XX.XX.XX.BB:80 SYN_SENT
tcp 0 1 XX.XX.XX.AA:47565 XX.XX.XX.BB:80 SYN_SENT
tcp 0 1 XX.XX.XX.AA:47564 XX.XX.XX.BB:80 SYN_SENT
tcp 0 1 XX.XX.XX.AA:47567 XX.XX.XX.BB:80 SYN_SENT

Ok, XX.XX.XX.AA is the server i am in now.
XX.XX.XX.BB is mine two and here are the connections:

tcp 0 0 XX.XX.XX.BB:80 XX.XX.XX.AA:50749 SYN_RECV
tcp 0 0 XX.XX.XX.BB:80 XX.XX.XX.AA:50598 SYN_RECV
tcp 0 0 XX.XX.XX.BB:80 XX.XX.XX.AA:50309 SYN_RECV

I have thousands of this connections on both servers.
I make iptables rules in both sites but the attack still running and
the rules dont work.

I cant understand how this attack can be made taking into account that
the attacker isnt inside any of my servers.
Why iptables rules dont work against this?

Thanx in advance.


[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: List of "clickable" on-line pen-test tools, thomas springer
Next by Date:  Re: List of "clickable" on-line pen-test tools, David Ball
Previous by Thread:  Re: DoS problem., Matthew Baker
Next by Thread:  RE: DoS problem., Steve McLaughlin
Indexes:  [Date] [Thread] [Top] [All Lists]