httpd-users mailing list archives

From "Ivan Barrera A." <Br...@Ivn.cl>
Subject Re: [users@httpd] Mitigating DDoS attack
Date Wed, 10 Nov 2004 16:48:54 GMT
I think, even if the packet was stopped in kernel space, your connection would suffer anyway...


On Wed, 10 Nov 2004 11:46:07 -0500
Scott Gifford <sgifford@suspectclass.com> wrote:

> Hello,
> 
> www.gfn.org, the Web site of a nonprofit Internet provider I volunteer
> with (the Genesee Free-Net), is for some reason the target of a DDoS
> attack by the W32.Beagle.AV@mm worm:
> 
>     http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.av@mm.html
> 
> Load on the machine is low but packet loss is very high, so I suspect
> we're running into bandwidth limits set by our provider.
> 
> The attack consists of many requests per second from hosts all over
> the Internet for http://www.gfn.org/g.jpg:
> 
>     194.25.169.106 - - [10/Nov/2004:11:32:44 -0500] "GET /g.jpg HTTP/1.1" 200 0
>     218.250.97.81 - - [10/Nov/2004:11:32:44 -0500] "GET /g.jpg HTTP/1.1" 200 0
>     217.231.94.22 - - [10/Nov/2004:11:32:44 -0500] "GET /g.jpg HTTP/1.1" 200 0
>     24.98.123.251 - - [10/Nov/2004:11:32:44 -0500] "GET /sheriff/drug.htm HTTP/1.1" 200 0
>     213.13.23.5 - - [10/Nov/2004:11:32:44 -0500] "GET /g.jpg HTTP/1.1" 200 0
>     65.118.179.130 - - [10/Nov/2004:11:32:44 -0500] "GET /g.jpg HTTP/1.1" 200 0
>     67.22.91.122 - - [10/Nov/2004:11:32:44 -0500] "GET /g.jpg HTTP/1.1" 200 0
>     200.152.34.64 - - [10/Nov/2004:11:32:44 -0500] "GET /g.jpg HTTP/1.1" 200 0
>     81.69.21.232 - - [10/Nov/2004:11:32:44 -0500] "GET /g.jpg HTTP/1.1" 200 0
>     217.73.18.38 - - [10/Nov/2004:11:32:44 -0500] "GET /g.jpg HTTP/1.1" 200 0
>     64.229.223.217 - - [10/Nov/2004:11:32:44 -0500] "GET /g.jpg HTTP/1.1" 200 0
> 
> We've placed a 0-length file there to reduce the bandwidth consumed
> somewhat.  The worm appears to target the domain name, so changing the
> IP address probably won't help, and of course changing the domain name
> isn't an option because then our members couldn't find us.  This has
> been going on for about a week now, so waiting it out doesn't seem to
> be an option, and the attack is coming from many thousands of hosts,
> so blocking IPs or contacting their providers doesn't really seem to
> be an option.
> 
> If we could drop the connection with an RST packet as soon as we saw
> it was for /g.jpg that would save some bandwidth; is there a way to
> tell Apache to do this?
> 
> Does anybody have any ideas for mitigating this?
> 
> Thanks!
> 
> ----ScottG.
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 
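
Added example, not part of the original messages: one way to confirm from an access log that requests are concentrated on a single URI and spread over many distinct hosts, the pattern described in the quoted message. The log lines are constructed (documentation-range addresses); the function names and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Apache Common Log Format: host ident user [time] "METHOD path PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)$')

# Constructed sample lines (documentation-range addresses, not real attack data).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Nov/2004:11:32:44 -0500] "GET /g.jpg HTTP/1.1" 200 0
198.51.100.7 - - [10/Nov/2004:11:32:44 -0500] "GET /g.jpg HTTP/1.1" 200 0
192.0.2.77 - - [10/Nov/2004:11:32:44 -0500] "GET /index.html HTTP/1.1" 200 5120
203.0.113.5 - - [10/Nov/2004:11:32:45 -0500] "GET /g.jpg HTTP/1.1" 200 0
192.0.2.44 - - [10/Nov/2004:11:32:45 -0500] "GET /g.jpg HTTP/1.1" 200 0
this line is truncated and must be skipped
198.51.100.90 - - [10/Nov/2004:11:32:45 -0500] "GET /g.jpg HTTP/1.1" 200 0
192.0.2.77 - - [10/Nov/2004:11:32:46 -0500] "GET /index.html HTTP/1.1" 200 5120
203.0.113.201 - - [10/Nov/2004:11:32:46 -0500] "GET /g.jpg HTTP/1.1" 200 0
"""

def parse(lines):
    """Yield (client, path) for each well-formed line; skip anything else."""
    for line in lines:
        m = CLF.match(line.strip())
        if m:
            yield m.group(1), m.group(4)

def flood_candidates(lines, min_share=0.5, min_clients=5):
    """Return {path: (share_of_requests, distinct_clients)} for paths that
    dominate the log AND are requested by many different hosts."""
    hits, clients, total = defaultdict(int), defaultdict(set), 0
    for client, path in parse(lines):
        total += 1
        hits[path] += 1
        clients[path].add(client)
    flagged = {}
    for path, n in hits.items():
        share = n / total
        if share >= min_share and len(clients[path]) >= min_clients:
            flagged[path] = (round(share, 2), len(clients[path]))
    return flagged

if __name__ == "__main__":
    for path, (share, hosts) in flood_candidates(SAMPLE_LOG.splitlines()).items():
        print(f"{path}: {share:.0%} of requests from {hosts} distinct hosts")
```

Requiring both a high request share and many distinct clients keeps one busy legitimate client from being flagged.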
