httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Douglas K. Fischer" <fische...@purefm.net>
Subject Re: [users@httpd] Protection from slapper worm DDos attack
Date Tue, 19 Nov 2002 19:42:28 GMT
At 07:44 AM 11/19/2002, Priya balaji wrote:
>Hi,
>
>I am running the latest versions of Apache, modssl and openssl on a 
>Solaris machine. My machine is getting a lot of connections from hosts 
>running older versions of Apache and Openssl. My web server reaches max 
>limit and stops serving pages. Requires a restart.

When you say 'reaches max limit' do you mean it exceeds the maximum number 
of simultaneous requests as configured in Apache, or something else?


>All the symptoms look like the activity of the slapper worm. I have 
>obtained a lot of information about this worm, but there is no information 
>about protecting the machine from the DDOS attacks from other infected hosts.
>
>It will be very helpful if somebody can provide information on the following.
>
>1. Are the machines running the updated versions vulnerable to these 
>attacks or have i done something wrong in setting things up?

Updated machines are not vulnerable to the exploit attempts; however, you 
can expect to see traffic from infected hosts attempting the exploits 
against your system. I see this traffic on an almost daily basis on my web 
servers.

>2. Will blocking the ports from where the infected machines communicate 
>help in my case?

I'm assuming you mean the UDP ports the worm uses for the infected machines 
to communicate with each other. No, blocking them won't help you because 
that's not the traffic you're getting - you are getting port 80 and port 
443 traffic where these infected hosts are connecting to Apache. If you 
have a large number of IP addresses tied to the box, the problem is greatly 
magnified. Depending upon how many IP addresses your server is hosting and 
how frequently you're seeing traffic from infected hosts, you might be able 
to simply increase the number of simultaneous connections allowed in Apache.

The solution I came up with was to write a log monitor that checked for 
"request without hostname" errors in the error_log. These errors are 
generated by the probe an infected machine makes to try and determine the 
version of Apache you are running. When the log monitor detects these, it 
creates IPtables firewall rules to block 80/443 traffic from the violating 
IP address for a few minutes. This keeps my systems from getting bogged 
down with the additional connections made by the infected host.

Doug 


------------------------------------------------------------

This email, and any included attachments, have been checked
by Norton AntiVirus Corporate Edition (Version 7.6), AVG
Server Edition 6.0, and Merak Email Server Integrated
Antivirus (Alwil Software's aVast! engine) and is certified
Virus Free.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message