Date:      Thu, 15 Nov 2001 22:30:32 -0800 (PST)
From:      xmen koh <xmenkoh@yahoo.com>
To:        freebsd-security@FreeBSD.ORG
Subject:   How to stop DoS Attack??
Message-ID:  <20011116063032.77688.qmail@web20904.mail.yahoo.com>


Dear security expert,

Recently I got a DoS on my web server. Does anyone know how to stop a DoS
attack and prevent it from happening again? Some help explaining the TCPDump
below, which I got during the attack, would be appreciated.

Here are some of my findings during the attack...

1) There are a lot of connections from different IPs at the same time,
   which try to overload the system over HTTP with non-stop requests for
   URLs. Below is the TCPDUMP.

2) The URLs requested, as logged by the web server log, seem to be quite
   valid, indicating that the attacker has studied the victim web site,
   and many of these requests are for graphic files, indicating a planned
   intention to clog up the server & network.

3) Many source IPs, all suspected to be forged.

4) Very short intervals between packet timestamps indicate a script is
   used for this attack.


TCPDump:
----------------- Cut here ---------------------------------
21:11:59.268725 218.65.139.107.1051 > universe.victim.com.http: . 855733:855733(0) ack 1145547825 win 8576 (DF) (ttl 113, id 17921)
21:11:59.435873 universe.victim.com.http > 61.138.72.193.64687: P 1141631107:1141632162(1055) ack 7558792 win 17520 (DF) (ttl 64, id 12488)
21:11:59.662313 218.65.139.107.1051 > universe.victim.com.http: . 0:0(0) ack 537 win 8576 (DF) (ttl 113, id 18177)
21:12:00.178267 172.17.7.112.bootpc > 255.255.255.255.bootps:  xid:0x680e984d secs:9795 flags:0x8000 [|bootp] (ttl 128, id 47690)
21:12:00.181566 0.0.0.0.bootpc > 255.255.255.255.bootps:  secs:35127 [|bootp] (ttl 255, id 51891)
21:12:00.257071 universe.victim.com.1086 > dns1.domain:  50255+ PTR? 107.139.65.218.in-addr.arpa. (45) (ttl 64, id 12489)
21:12:00.301857 61.158.24.149.2707 > universe.victim.com.http: R 7549234:7549234(0) win 0 (DF) (ttl 114, id 4495)
21:12:00.425976 universe.victim.com.http > 61.146.105.9.1029: F 1143393049:1143393049(0) ack 68266 win 16616 (DF) (ttl 64, id 12490)
21:12:00.607501 dns1.domain > universe.victim.com.1086:  50255 NXDomain* q: 107.139.65.218.in-addr.arpa. 0/1/0 (133) (ttl 64, id 26014)
21:12:00.608060 universe.victim.com.1087 > dns1.domain:  50256+ PTR? 193.72.138.61.in-addr.arpa. (44) (ttl 64, id 12491)
21:12:00.608380 dns1.domain > universe.victim.com.1087:  50256 NXDomain q: 193.72.138.61.in-addr.arpa. 0/1/0 (132) (ttl 64, id 26015)
21:12:00.608786 universe.victim.com.1088 > dns1.domain:  50257+ PTR? 112.7.17.172.in-addr.arpa. (43) (ttl 64, id 12492)
21:12:00.609048 dns1.domain > universe.victim.com.1088:  50257 NXDomain* q: 112.7.17.172.in-addr.arpa. 0/1/0 (98) (ttl 64, id 26016)
21:12:00.897316 61.146.105.9.1029 > universe.victim.com.http: . 1:1(0) ack 1 win 6432 (DF) (ttl 47, id 31744)
21:12:01.564885 61.138.72.193.64687 > universe.victim.com.http: P 1:243(242) ack 1055 win 8760 (DF) (ttl 113, id 48854)
21:12:01.565525 universe.victim.com.http > 61.138.72.193.64687: . 1055:2515(1460) ack 243 win 17520 (DF) (ttl 64, id 12493)
21:12:01.565556 universe.victim.com.http > 61.138.72.193.64687: P 2515:3746(1231) ack 243 win 17520 (DF) (ttl 64, id 12494)
21:12:01.606465 universe.victim.com.1089 > dns1.domain:  50258+ PTR? 149.24.158.61.in-addr.arpa. (44) (ttl 64, id 12495)
21:12:01.617176 202.109.240.34.38528 > universe.victim.com.http: S 8997578:8997578(0) win 8192 <mss 1414,nop,nop,sackOK> (DF) (ttl 114, id 19238)
21:12:01.617258 universe.victim.com.http > 202.109.240.34.38528: S 1149696038:1149696038(0) ack 8997579 win 16968 <mss 1460> (DF) (ttl 64, id 12496)
21:12:01.785893 universe.victim.com.http > 211.93.83.21.9116: . 1147469686:1147469687(1) ack 20552574 win 17520 (DF) (ttl 64, id 12497)
21:12:01.823491 202.109.240.34.38528 > universe.victim.com.http: . 1:1(0) ack 1 win 1414 (DF) (ttl 114, id 22822)
21:12:01.839369 202.109.240.34.38528 > universe.victim.com.http: P 1:302(301) ack 1 win 8484 (DF) (ttl 114, id 23590)
21:12:01.840166 universe.victim.com.http > 202.109.240.34.38528: P 1:678(677) ack 302 win 16968 (DF) (ttl 64, id 12498)
21:12:01.978307 211.97.70.65.12656 > universe.victim.com.http: S 470548359:470548359(0) win 8192 <mss 1460,nop,nop,sackOK> (ttl 14, id 56864)
21:12:01.978374 universe.victim.com.http > 211.97.70.65.12656: S 1149866959:1149866959(0) ack 470548360 win 17520 <mss 1460> (DF) (ttl 64, id 12499)
21:12:02.130537 61.143.113.18.1029 > universe.victim.com.http: S 1530859:1530859(0) win 7168 <mss 536,nop,nop,sackOK> (ttl 241, id 3328)
21:12:02.130607 universe.victim.com.http > 61.143.113.18.1029: S 1149911075:1149911075(0) ack 1530860 win 16616 <mss 1460> (DF) (ttl 64, id 12500)
21:12:02.222128 202.109.240.34.38528 > universe.victim.com.http: . 302:302(0) ack 678 win 7807 (DF) (ttl 114, id 30758)
21:12:02.343543 dns1.domain > universe.victim.com.1089:  50258 NXDomain* q: 149.24.158.61.in-addr.arpa. 0/1/0 (132) (ttl 64, id 26022)
21:12:02.343951 universe.victim.com.1090 > dns1.domain:  50259+ PTR? 9.105.146.61.in-addr.arpa. (43) (ttl 64, id 12501)
21:12:02.453250 211.97.70.65.12656 > universe.victim.com.http: . 1:1(0) ack 1 win 1460 (ttl 14, id 57376)
21:12:02.455759 211.97.70.65.12656 > universe.victim.com.http: P 1:213(212) ack 1 win 8192 (ttl 14, id 57632)
21:12:02.456752 universe.victim.com.http > 211.97.70.65.12656: P 1:461(460) ack 213 win 17520 (DF) (ttl 64, id 12502)
21:12:02.471451 211.93.83.21.9116 > universe.victim.com.http: . 1:1(0) ack 1 win 8759 (DF) (ttl 114, id 43495)
21:12:02.471491 universe.victim.com.http > 211.93.83.21.9116: P 1:1435(1434) ack 1 win 17520 (DF) (ttl 64, id 12503)
21:12:02.525194 61-217-184-228.HINET-IP.hinet.net.1205 > universe.victim.com.http: S 170636440:170636440(0) win 16384 <mss 1414,nop,nop,sackOK> (DF) (ttl 112, id 3296)
21:12:02.525288 universe.victim.com.http > 61-217-184-228.HINET-IP.hinet.net.1205: S 1150083763:1150083763(0) ack 170636441 win 16968 <mss 1460> (DF) (ttl 64, id 12504)
21:12:02.551978 61.143.113.18.1029 > universe.victim.com.http: . 1:1(0) ack 1 win 536 (ttl 241, id 4096)
21:12:02.659832 202.109.240.34.38528 > universe.victim.com.http: P 302:515(213) ack 678 win 7807 (DF) (ttl 114, id 34086)
21:12:02.660662 universe.victim.com.http > 202.109.240.34.38528: P 678:1141(463) ack 515 win 16968 (DF) (ttl 64, id 12505)
21:12:02.752176 61.143.113.18.1029 > universe.victim.com.http: P 1:248(247) ack 1 win 7168 (ttl 241, id 4864)
21:12:02.752877 universe.victim.com.http > 61.143.113.18.1029: . 1:537(536) ack 248 win 16616 (DF) (ttl 64, id 12506)
21:12:02.752897 universe.victim.com.http > 61.143.113.18.1029: P 537:676(139) ack 248 win 16616 (DF) (ttl 64, id 12507)
21:12:02.942761 61-217-184-228.HINET-IP.hinet.net.1205 > universe.victim.com.http: . 1:1(0) ack 1 win 1414 (DF) (ttl 112, id 3305)
21:12:03.010518 61-217-184-228.HINET-IP.hinet.net.1205 > universe.victim.com.http: P 1:383(382) ack 1 win 16968 (DF) (ttl 112, id 3306)
21:12:03.011245 universe.victim.com.http > 61-217-184-228.HINET-IP.hinet.net.1205: P 1:678(677) ack 383 win 16968 (DF) (ttl 64, id 12508)
21:12:03.057518 211.97.70.65.12656 > universe.victim.com.http: P 213:563(350) ack 461 win 7732 (ttl 14, id 58400)
21:12:03.058020 universe.victim.com.http > 211.97.70.65.12656: P 461:656(195) ack 563 win 17520 (DF) (ttl 64, id 12509)
21:12:03.104494 202.109.240.34.38528 > universe.victim.com.http: P 515:777(262) ack 1141 win 7344 (DF) (ttl 114, id 38182)
21:12:03.104946 universe.victim.com.http > 202.109.240.34.38528: . 1141:2555(1414) ack 777 win 16968 (DF) (ttl 64, id 12510)
21:12:03.104993 universe.victim.com.http > 202.109.240.34.38528: . 2555:3969(1414) ack 777 win 16968 (DF) (ttl 64, id 12511)
21:12:03.105039 universe.victim.com.http > 202.109.240.34.38528: . 3969:5383(1414) ack 777 win 16968 (DF) (ttl 64, id 12512)
21:12:03.105062 universe.victim.com.http > 202.109.240.34.38528: . 5383:6797(1414) ack 777 win 16968 (DF) (ttl 64, id 12513)
21:12:03.268298 61.146.105.9.1029 > universe.victim.com.http: R 68266:68266(0) win 0 (DF) (ttl 47, id 38656)
21:12:03.296292 61.143.113.18.1029 > universe.victim.com.http: . 248:248(0) ack 1 win 7168 (ttl 241, id 5888)
21:12:03.371321 61.143.113.18.1029 > universe.victim.com.http: . 248:248(0) ack 676 win 7168 (ttl 241, id 6144)
21:12:03.465925 universe.victim.com.http > 211.93.83.21.9116: P 1:1435(1434) ack 1 win 17520 (DF) (ttl 64, id 12514)
21:12:03.529481 202.109.240.34.38528 > universe.victim.com.http: . 777:777(0) ack 3969 win 8484 (DF) (ttl 114, id 43302)
21:12:03.529527 universe.victim.com.http > 202.109.240.34.38528: . 6797:8211(1414) ack 777 win 16968 (DF) (ttl 64, id 12515)
21:12:03.529555 universe.victim.com.http > 202.109.240.34.38528: . 8211:9625(1414) ack 777 win 16968 (DF) (ttl 64, id 12516)
21:12:03.529583 universe.victim.com.http > 202.109.240.34.38528: . 9625:11039(1414) ack 777 win 16968 (DF) (ttl 64, id 12517)
21:12:03.574347 202.109.240.34.38528 > universe.victim.com.http: . 777:777(0) ack 6797 win 8484 (DF) (ttl 114, id 43558)
21:12:03.574409 universe.victim.com.http > 202.109.240.34.38528: . 11039:12453(1414) ack 777 win 16968 (DF) (ttl 64, id 12518)
21:12:03.574435 universe.victim.com.http > 202.109.240.34.38528: . 12453:13867(1414) ack 777 win 16968 (DF) (ttl 64, id 12519)
21:12:03.574461 universe.victim.com.http > 202.109.240.34.38528: . 13867:15281(1414) ack 777 win 16968 (DF) (ttl 64, id 12520)
21:12:03.585839 61-217-184-228.HINET-IP.hinet.net.1205 > universe.victim.com.http: . 383:383(0) ack 678 win 16291 (DF) (ttl 112, id 3333)
21:12:03.665926 universe.victim.com.http > 218.65.139.107.1051: . 537:1073(536) ack 0 win 16616 (DF) (ttl 64, id 12521)
21:12:03.762617 211.97.70.65.12656 > universe.victim.com.http: . 563:563(0) ack 656 win 8192 (ttl 14, id 58912)
21:12:03.895987 218.65.137.168.1622 > universe.victim.com.http: S 22586894:22586894(0) win 8192 <mss 536,nop,nop,sackOK> (DF) (ttl 113, id 60204)
21:12:03.896062 universe.victim.com.http > 218.65.137.168.1622: S 1150430160:1150430160(0) ack 22586895 win 16616 <mss 1460> (DF) (ttl 64, id 12522)
21:12:03.966719 211.93.83.21.9116 > universe.victim.com.http: . 368:368(0) ack 1435 win 7325 (DF) (ttl 114, id 47847)
21:12:04.101529 202.109.240.34.38528 > universe.victim.com.http: . 777:777(0) ack 9625 win 8484 (DF) (ttl 114, id 45094)
21:12:04.101581 universe.victim.com.http > 202.109.240.34.38528: . 15281:16695(1414) ack 777 win 16968 (DF) (ttl 64, id 12523)
21:12:04.101607 universe.victim.com.http > 202.109.240.34.38528: . 16695:18109(1414) ack 777 win 16968 (DF) (ttl 64, id 12524)
21:12:04.223915 61.143.113.18.1029 > universe.victim.com.http: P 248:460(212) ack 676 win 7168 (ttl 241, id 6400)
21:12:04.224797 universe.victim.com.http > 61.143.113.18.1029: P 676:1154(478) ack 460 win 16616 (DF) (ttl 64, id 12525)
21:12:04.245181 202.109.240.34.38528 > universe.victim.com.http: . 777:777(0) ack 12453 win 8484 (DF) (ttl 114, id 45350)
21:12:04.245212 universe.victim.com.http > 202.109.240.34.38528: P 18109:18550(441) ack 777 win 16968 (DF) (ttl 64, id 12526)
21:12:04.313373 202.109.240.34.38528 > universe.victim.com.http: . 777:777(0) ack 15281 win 8484 (DF) (ttl 114, id 45862)
21:12:04.393548 218.65.139.107.1051 > universe.victim.com.http: . 0:0(0) ack 5855 win 8576 (DF) (ttl 113, id 30721)
21:12:04.466037 universe.victim.com.http > 202.109.240.34.38510: F 1145734464:1145734464(0) ack 8983358 win 16968 (DF) (ttl 64, id 12527)
21:12:04.522510 202.109.240.34.38528 > universe.victim.com.http: . 777:777(0) ack 18109 win 8484 (DF) (ttl 114, id 46118)
21:12:04.655950 universe.victim.com.http > nosgp1.x-link.za.net.dectalk: FP 1147610670:1147611210(540) ack 1307333101 win 17520 (DF) (ttl 64, id 12528)
21:12:04.768022 202.109.240.34.38528 > universe.victim.com.http: . 777:777(0) ack 18550 win 8043 (DF) (ttl 114, id 46630)
21:12:04.812669 202.109.240.34.38510 > universe.victim.com.http: . 1:1(0) ack 1 win 8484 (DF) (ttl 114, id 46886)
21:12:05.029121 61.143.113.18.1029 > universe.victim.com.http: . 460:460(0) ack 1154 win 6690 (ttl 241, id 8448)
21:12:05.087460 61.143.113.18.1029 > universe.victim.com.http: P 460:719(259) ack 1154 win 6690 (ttl 241, id 8960)
21:12:05.087862 universe.victim.com.http > 61.143.113.18.1029: . 1154:1690(536) ack 719 win 16616 (DF) (ttl 64, id 12529)
21:12:05.087882 universe.victim.com.http > 61.143.113.18.1029: . 1690:2226(536) ack 719 win 16616 (DF) (ttl 64, id 12530)
21:12:05.087900 universe.victim.com.http > 61.143.113.18.1029: . 2226:2762(536) ack 719 win 16616 (DF) (ttl 64, id 12531)
21:12:05.087941 universe.victim.com.http > 61.143.113.18.1029: . 2762:3298(536) ack 719 win 16616 (DF) (ttl 64, id 12532)
21:12:05.197093 61-217-184-228.HINET-IP.hinet.net.1205 > universe.victim.com.http: P 383:601(218) ack 678 win 16291 (DF) (ttl 112, id 3391)
21:12:05.197955 universe.victim.com.http > 61-217-184-228.HINET-IP.hinet.net.1205: P 678:1141(463) ack 601 win 16968 (DF) (ttl 64, id 12534)
21:12:05.406911 211.97.70.65.12656 > universe.victim.com.http: R 470548922:470548922(0) win 0 (ttl 14, id 59424)
21:12:05.771962 61-217-184-228.HINET-IP.hinet.net.1205 > universe.victim.com.http: . 601:601(0) ack 1141 win 15828 (DF) (ttl 112, id 3427)
21:12:05.852457 61.143.113.18.1029 > universe.victim.com.http: . 719:719(0) ack 2226 win 7168 (ttl 241, id 10752)
21:12:05.852505 universe.victim.com.http > 61.143.113.18.1029: . 3298:3834(536) ack 719 win 16616 (DF) (ttl 64, id 12535)
21:12:05.852525 universe.victim.com.http > 61.143.113.18.1029: . 3834:4370(536) ack 719 win 16616 (DF) (ttl 64, id 12536)
21:12:05.852544 universe.victim.com.http > 61.143.113.18.1029: . 4370:4906(536) ack 719 win 16616 (DF) (ttl 64, id 12537)
21:12:05.951087 nosgp1.x-link.za.net.dectalk > universe.victim.com.http: R 1307333101:1307333101(0) win 0 (ttl 47, id 49171)
---------------------- Cut Here ----------------------------


Any help will be much appreciated, and thanks in advance...


xmenkoh.
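The analysis the post asks for, as an added example that is not part of the original message: a small Python script that parses the tcpdump output in the post above (tcpdump 3.x single-line format, with the mail client's line wrapping undone so each packet is one line), groups packets into client flows, and reports for every client whether the three-way handshake completed, which TTLs it arrived with, how many bytes of request data it sent, and the shortest gap between two of its packets, plus the number of client SYNs per second. The spoofing check rests on one fact: a client that answers the server's SYN-ACK with an ACK (and then sends a request) really received that SYN-ACK, so its source address was not forged; a SYN with no ACK proves nothing either way. The sample packets are copied from the capture above; the server-name constant, the flow keys and the "real / incomplete / pre-existing" labels are this example's own choices.

```python
import re
from collections import defaultdict
from datetime import datetime

SERVER = "universe.victim.com"   # the web server's name as it appears in the capture

# Constructed sample: packets copied from the tcpdump in the post above, one per line.
# Covers a flow already open when the capture started, two clients that complete the
# handshake and send a request, and one whose ACK falls outside the excerpt.
SAMPLE = """\
21:11:59.662313 218.65.139.107.1051 > universe.victim.com.http: . 0:0(0) ack 537 win 8576 (DF) (ttl 113, id 18177)
21:12:01.617176 202.109.240.34.38528 > universe.victim.com.http: S 8997578:8997578(0) win 8192 <mss 1414,nop,nop,sackOK> (DF) (ttl 114, id 19238)
21:12:01.617258 universe.victim.com.http > 202.109.240.34.38528: S 1149696038:1149696038(0) ack 8997579 win 16968 <mss 1460> (DF) (ttl 64, id 12496)
21:12:01.823491 202.109.240.34.38528 > universe.victim.com.http: . 1:1(0) ack 1 win 1414 (DF) (ttl 114, id 22822)
21:12:01.839369 202.109.240.34.38528 > universe.victim.com.http: P 1:302(301) ack 1 win 8484 (DF) (ttl 114, id 23590)
21:12:01.978307 211.97.70.65.12656 > universe.victim.com.http: S 470548359:470548359(0) win 8192 <mss 1460,nop,nop,sackOK> (ttl 14, id 56864)
21:12:01.978374 universe.victim.com.http > 211.97.70.65.12656: S 1149866959:1149866959(0) ack 470548360 win 17520 <mss 1460> (DF) (ttl 64, id 12499)
21:12:02.453250 211.97.70.65.12656 > universe.victim.com.http: . 1:1(0) ack 1 win 1460 (ttl 14, id 57376)
21:12:02.455759 211.97.70.65.12656 > universe.victim.com.http: P 1:213(212) ack 1 win 8192 (ttl 14, id 57632)
21:12:03.895987 218.65.137.168.1622 > universe.victim.com.http: S 22586894:22586894(0) win 8192 <mss 536,nop,nop,sackOK> (DF) (ttl 113, id 60204)
21:12:03.896062 universe.victim.com.http > 218.65.137.168.1622: S 1150430160:1150430160(0) ack 22586895 win 16616 <mss 1460> (DF) (ttl 64, id 12522)
"""

# One TCP line: HH:MM:SS.usec src.port > dst.port: FLAGS seq:end(len) [ack N] ... (ttl T, id I)
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\S+)\.(?P<sport>\S+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\S+):\s+"
    r"(?P<flags>[SFRP.]+)\s+"
    r"(?:\d+:\d+\((?P<len>\d+)\)\s+)?"
    r"(?:ack\s+(?P<ack>\d+)\s+)?"
    r".*?\(ttl\s+(?P<ttl>\d+),\s+id\s+\d+\)"
)

def parse(text):
    """Yield one dict per TCP packet line; DNS, bootp and other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        p = m.groupdict()
        t = datetime.strptime(p["ts"], "%H:%M:%S.%f")
        p["t_us"] = ((t.hour * 60 + t.minute) * 60 + t.second) * 10**6 + t.microsecond
        p["len"] = int(p["len"] or 0)
        p["ttl"] = int(p["ttl"])
        yield p

def flows(text):
    """Group packets by (client ip, client port) and track each flow's handshake state."""
    f = defaultdict(lambda: {"syn": False, "synack": False, "acked": False,
                             "client_bytes": 0, "ttls": set(), "times": []})
    for p in parse(text):
        if p["dst"] == SERVER:                          # client -> server
            st = f[(p["src"], p["sport"])]
            st["ttls"].add(p["ttl"])
            st["times"].append(p["t_us"])
            if "S" in p["flags"] and not p["ack"]:
                st["syn"] = True
            elif p["ack"] and st["synack"]:             # handshake ACK, or data after it
                st["acked"] = True
                st["client_bytes"] += p["len"]
        elif p["src"] == SERVER and "S" in p["flags"] and p["ack"]:
            f[(p["dst"], p["dport"])]["synack"] = True  # server's SYN-ACK
    return f

def verdict(st):
    """What the packets prove about a client's address: a host that answers the
    server's SYN-ACK received it, so that source address was not forged."""
    if st["acked"]:
        return "real"
    if st["syn"]:
        return "incomplete"    # SYN-ACK sent, no ACK captured: spoofed or just not answered yet
    return "pre-existing"      # flow began before the capture; nothing to judge from

def report(text):
    """Per-client summary: verdict, TTLs seen, bytes of request data sent, and the
    shortest gap in microseconds between two packets from that client."""
    out = {}
    for (ip, port), st in flows(text).items():
        if not st["times"]:
            continue
        ts = sorted(st["times"])
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        out[f"{ip}:{port}"] = {
            "verdict": verdict(st),
            "ttls": sorted(st["ttls"]),
            "client_bytes": st["client_bytes"],
            "min_gap_us": min(gaps) if gaps else None,
        }
    return out

def syn_rate(text):
    """Client SYNs per second of capture, keyed by HH:MM:SS."""
    buckets = defaultdict(int)
    for p in parse(text):
        if p["dst"] == SERVER and "S" in p["flags"] and not p["ack"]:
            buckets[p["ts"][:8]] += 1
    return dict(buckets)

if __name__ == "__main__":
    for client, info in report(SAMPLE).items():
        print(f"{client:24} {info}")
    print("SYNs per second:", syn_rate(SAMPLE))
```

Run against the whole capture instead of the sample (feed it the text between the cut markers, re-joined one packet per line) and the "real" verdicts are the addresses worth blocking or reporting to their ISPs, while a large pile of "incomplete" flows with scattered TTLs is the signature of a spoofed SYN flood. The per-client TTL set is there for the same reason: packets genuinely from one host arrive with a stable TTL, so a flow whose TTL jumps around was not sent by the host its source address names.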

