How to stop DoS Attack??

Post by xmenko » Sat, 17 Nov 2001 14:50:43

Dear security expert,

Recently I got a DoS on my web server. Does anyone know how to
stop a DoS attack and prevent it from happening again? Some help
explaining the TCPDump below, which I got during the attack,
would be appreciated.

Here are some of my findings during the attack...

1) There are a lot of connections from different IPs at the same
   time, which try to overload the system over HTTP with non-stop
   requests for URLs. Below is the TCPDUMP.

2) The URLs requested, as logged by the web server, seem to be
   quite valid, indicating that the attacker has studied the
   victim web site; many of these requests are for graphic
   files, indicating a planned intention to clog up the server
   & network.

3) Many source IPs, all suspected to be forged.

4) The very short time between packet timestamps indicates that
   a script is used for this attack.

TCPDump:
----------------- Cut here ---------------------------------
21:11:59.268725 218.65.139.107.1051 > universe.victim.com.http: .
855733:855733(0) ack 1145547825 win 8576 (DF) (ttl 113, id 17921)
21:11:59.435873 universe.victim.com.http > 61.138.72.193.64687: P
1141631107:1141632162(1055) ack 7558792 win 17520 (DF) (ttl 64, id 12488)
21:11:59.662313 218.65.139.107.1051 > universe.victim.com.http: . 0:0(0) ack
537 win 8576 (DF) (ttl 113, id 18177)
21:12:00.178267 172.17.7.112.bootpc > 255.255.255.255.bootps:
xid:0x680e984d secs:9795 flags:0x8000 [|bootp] (ttl 128, id 47690)
21:12:00.181566 0.0.0.0.bootpc > 255.255.255.255.bootps:  secs:35127
[|bootp] (ttl 255, id 51891)
21:12:00.257071 universe.victim.com.1086 > dns1.domain:  50255+ PTR?
107.139.65.218.in-addr.arpa. (45) (ttl 64, id 12489)
21:12:00.301857 61.158.24.149.2707 > universe.victim.com.http: R
7549234:7549234(0) win 0 (DF) (ttl 114, id 4495)
21:12:00.425976 universe.victim.com.http > 61.146.105.9.1029: F
1143393049:1143393049(0) ack 68266 win 16616 (DF) (ttl 64, id 12490)
21:12:00.607501 dns1.domain > universe.victim.com.1086:  50255 NXDomain* q:
107.139.65.218.in-addr.arpa. 0/1/0 (133) (ttl 64, id 26014)
21:12:00.608060 universe.victim.com.1087 > dns1.domain:  50256+ PTR?
193.72.138.61.in-addr.arpa. (44) (ttl 64, id 12491)
21:12:00.608380 dns1.domain > universe.victim.com.1087:  50256 NXDomain q:
193.72.138.61.in-addr.arpa. 0/1/0 (132) (ttl 64, id 26015)
21:12:00.608786 universe.victim.com.1088 > dns1.domain:  50257+ PTR?
112.7.17.172.in-addr.arpa. (43) (ttl 64, id 12492)
21:12:00.609048 dns1.domain > universe.victim.com.1088:  50257 NXDomain* q:
112.7.17.172.in-addr.arpa. 0/1/0 (98) (ttl 64, id 26016)
21:12:00.897316 61.146.105.9.1029 > universe.victim.com.http: . 1:1(0) ack 1
win 6432 (DF) (ttl 47, id 31744)
21:12:01.564885 61.138.72.193.64687 > universe.victim.com.http: P 1:243(242)
ack 1055 win 8760 (DF) (ttl 113, id 48854)
21:12:01.565525 universe.victim.com.http > 61.138.72.193.64687: .
1055:2515(1460) ack 243 win 17520 (DF) (ttl 64, id 12493)
21:12:01.565556 universe.victim.com.http > 61.138.72.193.64687: P
2515:3746(1231) ack 243 win 17520 (DF) (ttl 64, id 12494)
21:12:01.606465 universe.victim.com.1089 > dns1.domain:  50258+ PTR?
149.24.158.61.in-addr.arpa. (44) (ttl 64, id 12495)
21:12:01.617176 202.109.240.34.38528 > universe.victim.com.http: S
8997578:8997578(0) win 8192 <mss 1414,nop,nop,sackOK> (DF) (ttl 114, id
19238)
21:12:01.617258 universe.victim.com.http > 202.109.240.34.38528: S
1149696038:1149696038(0) ack 8997579 win 16968 <mss 1460> (DF) (ttl 64, id
12496)
21:12:01.785893 universe.victim.com.http > 211.93.83.21.9116: .
1147469686:1147469687(1) ack 20552574 win 17520 (DF) (ttl 64, id 12497)
21:12:01.823491 202.109.240.34.38528 > universe.victim.com.http: . 1:1(0)
ack 1 win 1414 (DF) (ttl 114, id 22822)
21:12:01.839369 202.109.240.34.38528 > universe.victim.com.http: P
1:302(301) ack 1 win 8484 (DF) (ttl 114, id 23590)
21:12:01.840166 universe.victim.com.http > 202.109.240.34.38528: P
1:678(677) ack 302 win 16968 (DF) (ttl 64, id 12498)
21:12:01.978307 211.97.70.65.12656 > universe.victim.com.http: S
470548359:470548359(0) win 8192 <mss 1460,nop,nop,sackOK> (ttl 14, id 56864)
21:12:01.978374 universe.victim.com.http > 211.97.70.65.12656: S
1149866959:1149866959(0) ack 470548360 win 17520 <mss 1460> (DF) (ttl 64, id
12499)
21:12:02.130537 61.143.113.18.1029 > universe.victim.com.http: S
1530859:1530859(0) win 7168 <mss 536,nop,nop,sackOK> (ttl 241, id 3328)
21:12:02.130607 universe.victim.com.http > 61.143.113.18.1029: S
1149911075:1149911075(0) ack 1530860 win 16616 <mss 1460> (DF) (ttl 64, id
12500)
21:12:02.222128 202.109.240.34.38528 > universe.victim.com.http: .
302:302(0) ack 678 win 7807 (DF) (ttl 114, id 30758)
21:12:02.343543 dns1.domain > universe.victim.com.1089:  50258 NXDomain* q:
149.24.158.61.in-addr.arpa. 0/1/0 (132) (ttl 64, id 26022)
21:12:02.343951 universe.victim.com.1090 > dns1.domain:  50259+ PTR?
9.105.146.61.in-addr.arpa. (43) (ttl 64, id 12501)
21:12:02.453250 211.97.70.65.12656 > universe.victim.com.http: . 1:1(0) ack
1 win 1460 (ttl 14, id 57376)
21:12:02.455759 211.97.70.65.12656 > universe.victim.com.http: P 1:213(212)
ack 1 win 8192 (ttl 14, id 57632)
21:12:02.456752 universe.victim.com.http > 211.97.70.65.12656: P 1:461(460)
ack 213 win 17520 (DF) (ttl 64, id 12502)
21:12:02.471451 211.93.83.21.9116 > universe.victim.com.http: . 1:1(0) ack 1
win 8759 (DF) (ttl 114, id 43495)
21:12:02.471491 universe.victim.com.http > 211.93.83.21.9116: P 1:1435(1434)
ack 1 win 17520 (DF) (ttl 64, id 12503)
21:12:02.525194 61-217-184-228.HINET-IP.hinet.net.1205 >
universe.victim.com.http: S 170636440:170636440(0) win 16384 <mss
1414,nop,nop,sackOK> (DF) (ttl 112, id 3296)
21:12:02.525288 universe.victim.com.http >
61-217-184-228.HINET-IP.hinet.net.1205: S 1150083763:1150083763(0) ack
170636441 win 16968 <mss 1460> (DF) (ttl 64, id 12504)
21:12:02.551978 61.143.113.18.1029 > universe.victim.com.http: . 1:1(0) ack
1 win 536 (ttl 241, id 4096)
21:12:02.659832 202.109.240.34.38528 > universe.victim.com.http: P
302:515(213) ack 678 win 7807 (DF) (ttl 114, id 34086)
21:12:02.660662 universe.victim.com.http > 202.109.240.34.38528: P
678:1141(463) ack 515 win 16968 (DF) (ttl 64, id 12505)
21:12:02.752176 61.143.113.18.1029 > universe.victim.com.http: P 1:248(247)
ack 1 win 7168 (ttl 241, id 4864)
21:12:02.752877 universe.victim.com.http > 61.143.113.18.1029: . 1:537(536)
ack 248 win 16616 (DF) (ttl 64, id 12506)
21:12:02.752897 universe.victim.com.http > 61.143.113.18.1029: P
537:676(139) ack 248 win 16616 (DF) (ttl 64, id 12507)
21:12:02.942761 61-217-184-228.HINET-IP.hinet.net.1205 >
universe.victim.com.http: . 1:1(0) ack 1 win 1414 (DF) (ttl 112, id 3305)
21:12:03.010518 61-217-184-228.HINET-IP.hinet.net.1205 >
universe.victim.com.http: P 1:383(382) ack 1 win 16968 (DF) (ttl 112, id
3306)
21:12:03.011245 universe.victim.com.http >
61-217-184-228.HINET-IP.hinet.net.1205: P 1:678(677) ack 383 win 16968 (DF)
(ttl 64, id 12508)
21:12:03.057518 211.97.70.65.12656 > universe.victim.com.http: P
213:563(350) ack 461 win 7732 (ttl 14, id 58400)
21:12:03.058020 universe.victim.com.http > 211.97.70.65.12656: P
461:656(195) ack 563 win 17520 (DF) (ttl 64, id 12509)
21:12:03.104494 202.109.240.34.38528 > universe.victim.com.http: P
515:777(262) ack 1141 win 7344 (DF) (ttl 114, id 38182)
21:12:03.104946 universe.victim.com.http > 202.109.240.34.38528: .
1141:2555(1414) ack 777 win 16968 (DF) (ttl 64, id 12510)
21:12:03.104993 universe.victim.com.http > 202.109.240.34.38528: .
2555:3969(1414) ack 777 win 16968 (DF) (ttl 64, id 12511)
21:12:03.105039 universe.victim.com.http > 202.109.240.34.38528: .
3969:5383(1414) ack 777 win 16968 (DF) (ttl 64, id 12512)
21:12:03.105062 universe.victim.com.http > 202.109.240.34.38528: .
5383:6797(1414) ack 777 win 16968 (DF) (ttl 64, id 12513)
21:12:03.268298 61.146.105.9.1029 > universe.victim.com.http: R
68266:68266(0) win 0 (DF) (ttl 47, id 38656)
21:12:03.296292 61.143.113.18.1029 > universe.victim.com.http: . 248:248(0)
ack 1 win 7168 (ttl 241, id 5888)
21:12:03.371321 61.143.113.18.1029 > universe.victim.com.http: . 248:248(0)
ack 676 win 7168 (ttl 241, id 6144)
21:12:03.465925 universe.victim.com.http > 211.93.83.21.9116: P 1:1435(1434)
ack 1 win 17520 (DF) (ttl 64, id 12514)
21:12:03.529481 202.109.240.34.38528 > universe.victim.com.http: .
777:777(0) ack 3969 win 8484 (DF) (ttl 114, id 43302)
21:12:03.529527 universe.victim.com.http > 202.109.240.34.38528: .
6797:8211(1414) ack 777 win 16968 (DF) (ttl 64, id 12515)
21:12:03.529555 universe.victim.com.http > 202.109.240.34.38528: .
8211:9625(1414) ack 777 win 16968 (DF) (ttl 64, id 12516)
21:12:03.529583 universe.victim.com.http > 202.109.240.34.38528: .
9625:11039(1414) ack 777 win 16968 (DF) (ttl 64, id 12517)
21:12:03.574347 202.109.240.34.38528 > universe.victim.com.http: .
777:777(0) ack 6797 win 8484 (DF) (ttl 114, id 43558)
21:12:03.574409 universe.victim.com.http > 202.109.240.34.38528: .
11039:12453(1414) ack 777 win 16968 (DF) (ttl 64, id 12518)
21:12:03.574435 universe.victim.com.http > 202.109.240.34.38528: .
12453:13867(1414) ack 777 win 16968 (DF) (ttl 64, id 12519)
21:12:03.574461 universe.victim.com.http > 202.109.240.34.38528: .
13867:15281(1414) ack 777 win 16968 (DF) (ttl 64, id 12520)
21:12:03.585839 61-217-184-228.HINET-IP.hinet.net.1205 >
universe.victim.com.http: . 383:383(0) ack 678 win 16291 (DF) (ttl 112, id
3333)
21:12:03.665926 universe.victim.com.http > 218.65.139.107.1051: .
537:1073(536) ack 0 win 16616 (DF) (ttl 64, id 12521)
21:12:03.762617 211.97.70.65.12656 > universe.victim.com.http: . 563:563(0)
ack 656 win 8192 (ttl 14, id 58912)
21:12:03.895987 218.65.137.168.1622 > universe.victim.com.http: S
22586894:22586894(0) win 8192 <mss 536,nop,nop,sackOK> (DF) (ttl 113, id
60204)
21:12:03.896062 universe.victim.com.http > 218.65.137.168.1622: S
1150430160:1150430160(0) ack 22586895 win 16616 <mss 1460> (DF) (ttl 64, id
12522)
21:12:03.966719 211.93.83.21.9116 > universe.victim.com.http: . ...
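To sort out what a dump like the one above actually shows, here is an added example (not from the post or any reply) that parses tcpdump 3.x-style records of this format, separates clients that completed the handshake and pushed a request from half-open SYN senders, and measures the inbound SYN rate and the closest SYN spacing (the poster's point 4). The sample is constructed: four lines are copied from the dump, the 10.9.9.x senders are made up, and the syn_limit threshold is an arbitrary assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the tcpdump 3.x format of the posted dump, one record per line
# (the post wraps them). Lines 1-4 are from the post; 10.9.9.x are made-up SYN senders.
SAMPLE = """\
21:12:01.617176 202.109.240.34.38528 > universe.victim.com.http: S 8997578:8997578(0) win 8192 <mss 1414,nop,nop,sackOK> (DF) (ttl 114, id 19238)
21:12:01.617258 universe.victim.com.http > 202.109.240.34.38528: S 1149696038:1149696038(0) ack 8997579 win 16968 <mss 1460> (DF) (ttl 64, id 12496)
21:12:01.823491 202.109.240.34.38528 > universe.victim.com.http: . 1:1(0) ack 1 win 1414 (DF) (ttl 114, id 22822)
21:12:01.839369 202.109.240.34.38528 > universe.victim.com.http: P 1:302(301) ack 1 win 8484 (DF) (ttl 114, id 23590)
21:12:02.001000 10.9.9.1.4000 > universe.victim.com.http: S 1:1(0) win 8192 <mss 1460> (ttl 50, id 1)
21:12:02.001100 10.9.9.2.4000 > universe.victim.com.http: S 1:1(0) win 8192 <mss 1460> (ttl 50, id 2)
21:12:02.001200 10.9.9.3.4000 > universe.victim.com.http: S 1:1(0) win 8192 <mss 1460> (ttl 50, id 3)
"""

# One record: timestamp, src.port > dst.port: flags, then the rest of the line.
REC = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+)\.(?P<sport>\w+) > "
                 r"(?P<dst>\S+)\.(?P<dport>\w+): (?P<flags>[SFRP.]+)(?P<rest>.*)$")

def ts_seconds(ts):  # hh:mm:ss.frac -> seconds since midnight
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def analyse(text, server="universe.victim.com", port="http", syn_limit=3):
    """Classify clients of server:port (half-open vs completed handshake) and measure
    the inbound SYN rate; half-open senders are what a spoofed SYN flood leaves behind."""
    per_src = defaultdict(lambda: {"syn": 0, "acked": False, "requests": 0})
    syn_times = []
    for line in text.splitlines():
        m = REC.match(line)
        if not m or m["dst"] != server or m["dport"] != port:
            continue  # keep only client -> server traffic on the web port
        st = per_src[m["src"]]
        if "S" in m["flags"] and " ack " not in m["rest"]:
            st["syn"] += 1  # bare SYN from the client
            syn_times.append(ts_seconds(m["ts"]))
        elif " ack " in m["rest"]:
            st["acked"] = True  # third leg of the handshake or later: address is reachable
            if "P" in m["flags"]:
                st["requests"] += 1  # pushed data on the web port: an HTTP request
    peak = max(Counter(int(t) for t in syn_times).values(), default=0)
    gaps = [b - a for a, b in zip(syn_times, syn_times[1:])]
    return {
        "half_open": sorted(s for s, st in per_src.items() if st["syn"] and not st["acked"]),
        "completed": sorted(s for s, st in per_src.items() if st["acked"]),
        "peak_syn_per_sec": peak,
        "min_syn_gap": round(min(gaps), 6) if gaps else None,
        "syn_flood": peak >= syn_limit,
    }
```

A client in the "completed" list finished the three-way handshake, so its address cannot have been blindly forged, whereas a long "half_open" list with a high SYN rate is the signature of a spoofed SYN flood.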

How to stop DoS Attack??

Post by Michael Jarrel » Sun, 18 Nov 2001 00:06:41

> Dear security expert,

> Recently I got a DoS on my web server. Does anyone know how to
> stop a DoS attack and prevent it from happening again? Some help
> explaining the TCPDump below, which I got during the attack,
> would be appreciated.
<SNIP>
> Any help will be much appreciated, and
> Thanks in advance...

> xmenkoh.

xmenkoh,

Some people configure a firewall to drop packets from sites attempting a DOS attack.

Mike Jarrells


1. Is there a way to stop dos attacks using iptables?

Hello,

I was wondering if iptables has better chances of stopping DoS attacks than
ipchains. When I say DoS attacks, I mean things like UDP floods, ICMP
floods, SYN floods, smurf attacks, etc.

I see it's really hard to stop a SYN flood since each packet uses a different
IP address. Can iptables stop it? Like detect saturation?

- Krish

--
*****************************************************
Cowards die many times before their death,
the valiant only taste of death once. Of all
the wonders I have heard, it seems most
strange that men should fear, seeing death,
a necessary end, will come when it will come
-- Julius Caesar
*****************************************************