httpd-users mailing list archives

From "James Richardson" <james.richard...@db.com>
Subject RE: [users@httpd] Mitigating DDoS attack
Date Wed, 10 Nov 2004 17:13:53 GMT

Assuming that you have ipfilter, or ipchains, or some other firewall
software running, it should be fairly trivial to stop connections from
infected machines; however, this will be on _your_ side of the connection,
so it is still using up your bandwidth.

This might not actually work, as I've never done this, but intuitively I
would:

1) set up a log rule so that requests for this only end up in one logger
2) write a perl script to act as log script, that simply writes out new ip
addresses received to a new log file.
3) use this new log file as input to your firewall, rerunning every five
minutes or so....
4) use the "drop packet" type of blocking, which will tie up the sending
machine for longer than a "reset", as it will have to wait for the syn/ack
timeout period before continuing. Also sending the rst will consume your
bandwidth!

1)

# Mark requests for the attacked URL only (anchored so other URLs are not caught)
SetEnvIf Request_URI "^/g\.jpg$" ddos

# Pipe only the client address (%h) of marked requests to the script; the
# output file name is passed to the script on its command line
CustomLog "|/home/foo/bin/uniqueip.pl /home/foo/somefile.txt" "%h" env=ddos

2) Very rudimentary perl script.....

#!/usr/bin/perl
# Reads access-log lines on STDIN (piped from CustomLog) and writes each
# client IP the first time it is seen to the file named on the command line.

use strict;
use warnings;
use FileHandle;

my %ips;

my ( $filename ) = @ARGV;
defined $filename or die "usage: $0 <output file>\n";

my $fh = FileHandle->new( ">$filename" ) || die "Can't open $filename: $!\n";
# Flush after every write: the piped logger lives as long as httpd does, so
# buffered output would never reach the file the firewall job reads.
$fh->autoflush(1);

while (<STDIN>) {
   my ( $ip ) = split(/ /);   # first field of the log line is the client IP

   unless ( $ips{$ip}++ ) {
     print $fh "$ip\n";
   }
}

3 & 4) For ipfilter, add a "block in quick on eth0 from x.y.z.a to any"
rule, and reload.

> -----Original Message-----
> From: sgifford@suspectclass.com [mailto:sgifford@suspectclass.com]
> Sent: 10 November 2004 16:46
> To: users@httpd.apache.org
> Subject: [users@httpd] Mitigating DDoS attack
> 
> Hello,
> 
> www.gfn.org, the Web site of a nonprofit Internet provider I volunteer
> with (the Genesee Free-Net), is for some reason the target of a DDoS
> attack by the W32.Beagle.AV@mm worm:
> 
> http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.av@mm.html
> 
> Load on the machine is low but packet loss is very high, so I suspect
> we're running into bandwidth limits set by our provider.
> 
> The attack consists of many requests per second from hosts all over
> the Internet for http://www.gfn.org/g.jpg:
> 
>     194.25.169.106 - - [10/Nov/2004:11:32:44 -0500] "GET /g.jpg HTTP/1.1" 200 0
>     218.250.97.81 - - [10/Nov/2004:11:32:44 -0500] "GET /g.jpg HTTP/1.1" 200 0
>     217.231.94.22 - - [10/Nov/2004:11:32:44 -0500] "GET /g.jpg HTTP/1.1" 200 0
>     24.98.123.251 - - [10/Nov/2004:11:32:44 -0500] "GET /sheriff/drug.htm HTTP/1.1" 200 0
>     213.13.23.5 - - [10/Nov/2004:11:32:44 -0500] "GET /g.jpg HTTP/1.1" 200 0
>     65.118.179.130 - - [10/Nov/2004:11:32:44 -0500] "GET /g.jpg HTTP/1.1" 200 0
>     67.22.91.122 - - [10/Nov/2004:11:32:44 -0500] "GET /g.jpg HTTP/1.1" 200 0
>     200.152.34.64 - - [10/Nov/2004:11:32:44 -0500] "GET /g.jpg HTTP/1.1" 200 0
>     81.69.21.232 - - [10/Nov/2004:11:32:44 -0500] "GET /g.jpg HTTP/1.1" 200 0
>     217.73.18.38 - - [10/Nov/2004:11:32:44 -0500] "GET /g.jpg HTTP/1.1" 200 0
>     64.229.223.217 - - [10/Nov/2004:11:32:44 -0500] "GET /g.jpg HTTP/1.1" 200 0
> 
> We've placed a 0-length file there to reduce the bandwidth consumed
> somewhat.  The worm appears to target the domain name, so changing the
> IP address probably won't help, and of course changing the domain name
> isn't an option because then our members couldn't find us.  This has
> been going on for about a week now, so waiting it out doesn't seem to
> be an option, and the attack is coming from many thousands of hosts,
> so blocking IPs or contacting their providers doesn't really seem to
> be an option.
> 
> If we could drop the connection with an RST packet as soon as we saw
> it was for /g.jpg that would save some bandwidth; is there a way to
> tell Apache to do this?
> 
> Does anybody have any ideas for mitigating this?
> 
> Thanks!
> 
> ----ScottG.
> 


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
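The reply above sketches a four-step procedure (log the attacked URL separately, collect unique client IPs, feed them to the firewall every few minutes, drop rather than reset). The following Python script is an added example that is not part of the thread and not James's or Scott's code; it does offline what steps 2 and 3 describe, and goes one step further by counting hits per client so that a threshold can be applied before an address is blocked, which keeps a single stray request for the file from banning a legitimate visitor. The log lines are those quoted in the thread plus one constructed duplicate; the interface name eth0 and the output path are assumptions, and the rule text is the ipfilter form given in the reply.

```python
import ipaddress
import re
import sys
from collections import Counter

# Apache common/combined log format: client IP first, then the request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

# Constructed sample: the lines quoted in the thread plus one repeat of the
# first address, so that a threshold above 1 has something to select.
SAMPLE_LOG = """\
194.25.169.106 - - [10/Nov/2004:11:32:44 -0500] "GET /g.jpg HTTP/1.1" 200 0
218.250.97.81 - - [10/Nov/2004:11:32:44 -0500] "GET /g.jpg HTTP/1.1" 200 0
217.231.94.22 - - [10/Nov/2004:11:32:44 -0500] "GET /g.jpg HTTP/1.1" 200 0
24.98.123.251 - - [10/Nov/2004:11:32:44 -0500] "GET /sheriff/drug.htm HTTP/1.1" 200 0
213.13.23.5 - - [10/Nov/2004:11:32:44 -0500] "GET /g.jpg HTTP/1.1" 200 0
65.118.179.130 - - [10/Nov/2004:11:32:44 -0500] "GET /g.jpg HTTP/1.1" 200 0
67.22.91.122 - - [10/Nov/2004:11:32:44 -0500] "GET /g.jpg HTTP/1.1" 200 0
200.152.34.64 - - [10/Nov/2004:11:32:44 -0500] "GET /g.jpg HTTP/1.1" 200 0
81.69.21.232 - - [10/Nov/2004:11:32:44 -0500] "GET /g.jpg HTTP/1.1" 200 0
217.73.18.38 - - [10/Nov/2004:11:32:44 -0500] "GET /g.jpg HTTP/1.1" 200 0
64.229.223.217 - - [10/Nov/2004:11:32:44 -0500] "GET /g.jpg HTTP/1.1" 200 0
194.25.169.106 - - [10/Nov/2004:11:32:45 -0500] "GET /g.jpg HTTP/1.1" 200 0
""".splitlines()


def parse_line(line):
    """Return (client_ip, request_path) for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return m.group("ip"), m.group("path")


def _ip_key(ip):
    # Numeric ordering for real addresses; hostnames (HostnameLookups On) sort after them.
    try:
        return (0, int(ipaddress.ip_address(ip)))
    except ValueError:
        return (1, ip)


def offending_ips(lines, path="/g.jpg", threshold=1):
    """Count requests for `path` per client; return the clients at or above `threshold`."""
    hits = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue            # skip malformed lines rather than blocking on garbage
        ip, req_path = parsed
        # Exact match on the path (query string stripped) so unrelated URLs never qualify.
        if req_path.split("?", 1)[0] == path:
            hits[ip] += 1
    return sorted((ip for ip, n in hits.items() if n >= threshold), key=_ip_key)


def ipfilter_rules(ips, iface="eth0"):
    """One ipfilter 'block in quick' (drop, no RST) rule per address, as in the reply above."""
    return [f"block in quick on {iface} from {ip} to any" for ip in ips]


if __name__ == "__main__":
    # Usage (assumed layout): uniqueip.py [threshold] < access_log > ddos.rules
    thr = int(sys.argv[1]) if len(sys.argv) > 1 else 1
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG
    for rule in ipfilter_rules(offending_ips(source, threshold=thr)):
        print(rule)
```

Run it from cron every few minutes against the separate log, write its output to a rules file, and load that file with ipfilter; the threshold argument is the knob that trades blocking speed against the risk of banning a real member who happened to fetch the file once.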