From: "JJB"
To: "meimi"
Cc: freebsd-questions@freebsd.org
Date: Wed, 21 Apr 2004 22:26:54 -0400
Subject: RE: being DOSed

Edit httpd.conf and change the port it listens on, or add a firewall rule to block inbound port 80. Check the http log to ID attacking IPs, look for a recurring cycle in IP addresses and add a firewall rule to block them. Be sure your http logs are configured to rotate and not fill all disk space, then just ride it out.

If you use a dynamic IP address, turn off your cable or DSL modem for 3 min, and when you power back up hopefully you will be issued a new IP address. This will stop the attack if the attack is targeted directly at your IP address and not using DNS to find you.
I use zoneedit to redirect my domain name to a different port than 80, and that stopped all http DoS attacks based on a directly targeted IP address. In most cases the attacker has port scanned all IP addresses in some large range looking for port 80, and when found he records the IP address to launch a spoofed sending IP address attack directly at your IP address. Zoneedit.com is free for up to 5 domain names.

-----Original Message-----
From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of meimi
Sent: Wednesday, April 21, 2004 8:22 PM
To: Tuc
Cc: freebsd-questions@freebsd.org
Subject: Re: being DOSed

I have found some IPs are opening 10 HTTP connections. Their IPs are changing and all IPs are from different ISP networks.
What should I do next?

Thanks
Meimi

----- Original Message -----
From: "Tuc"
To: "meimi"
Sent: Thursday, April 22, 2004 7:29 AM
Subject: Re: being DOSed

> > Hello,
> > The bandwidth usage for my server is tripled for 3 hours. When I run
> > "top", I find many httpd processes in sbwait status. So, I think someone is
> > DOSing my server.
> > How can I check who is DOSing me? And how can I solve it?
> > Thanks
> > Meimi
>
> Quickly:
>
> netstat -an | sort | grep tcp4|more
>
> Look for an IP with a lot of connections. (We have a script that
> actually will count this for us, but it's not just for FreeBSD so it's
> long)
>
> Tuc/TTSG Internet Services, Inc.
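
The per-address count that the netstat pipeline in the thread leaves to the eye can be done with awk. This is an added example, not part of the original thread and not the script Tuc mentions; the function names count_conns and sample_netstat and the sample connection table are constructed for illustration, and the FreeBSD netstat layout (addresses written as ip.port) is assumed.

```sh
#!/bin/sh
# count_conns [PORT]: read `netstat -an` output on stdin (FreeBSD layout,
# addresses written as ip.port) and print "count ip" for every remote
# address holding a tcp4 socket on local PORT (default 80), busiest first.
# All TCP states are counted, so half-open and closing sockets show up too.
count_conns() {
    awk -v port="${1:-80}" '
        $1 == "tcp4" && $5 != "*.*" {
            # Field 4 is the local address; keep only the chosen port.
            lport = $4
            sub(/^.*\./, "", lport)
            if (lport != port) next
            # Field 5 is the foreign address; drop the trailing ".port".
            ip = $5
            sub(/\.[0-9]+$/, "", ip)
            count[ip]++
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample in FreeBSD netstat format (documentation address ranges).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.0.2.10.80          203.0.113.7.51200      ESTABLISHED
tcp4       0      0  192.0.2.10.80          203.0.113.7.51201      ESTABLISHED
tcp4       0      0  192.0.2.10.80          198.51.100.23.40112    SYN_RCVD
tcp4       0      0  192.0.2.10.80          203.0.113.7.51202      TIME_WAIT
tcp4       0      0  192.0.2.10.22          198.51.100.99.60022    ESTABLISHED
tcp4       0      0  192.0.2.10.80          198.51.100.23.40113    ESTABLISHED
tcp4       0      0  *.80                   *.*                    LISTEN
udp4       0      0  *.514                  *.*
EOF
}

# On a live host: netstat -an | count_conns 80 | head
sample_netstat | count_conns 80
```

On the constructed sample this lists 203.0.113.7 with three sockets and 198.51.100.23 with two; the SSH connection and the listening sockets are ignored.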