From owner-freebsd-questions@FreeBSD.ORG Wed Apr 21 18:50:56 2004
Date: Thu, 22 Apr 2004 11:20:53 +0930
From: George Patterson
To: "meimi"
Cc: freebsd-questions@freebsd.org
Subject: Re: being DOSed
Message-Id: <20040422112053.3d256266@beast.spyderweb.com.au>
References: <200404212329.i3LNTYfM026056@himinbjorg.tucs-beachin-obx-house.com>

Meimi,

Could you please get into the habit of bottom posting; it also reminds you to trim redundant or unnecessary text.

You could install Portsentry and set it to block the offending IP addresses. In this situation, I wouldn't be too concerned with blocking the false positives, that is, spoofed source addresses, as you need the DDOS attack to stop. Later you can construct some firewall rules to monitor those addresses for any reoccurrence.

The other solution you have is to unplug the network cable from your gateway router. That is, if you have an ADSL router, unplug the router and not the network behind it. You need to make your network appear as though it has gone off line or moved IP addresses.

Otherwise I'd wish you good luck (I have been through this exercise myself, it's not nice :-( ).

George Patterson

On Thu, 22 Apr 2004 08:21:38 +0800 "meimi" wrote:

> I have found some IPs are opening 10 HTTP connections. Their IPs are
> changing and all IPs are from different ISP networks.
> What should I do next?
> Thanks
> Meimi
>
>
> ----- Original Message -----
> From: "Tuc"
> To: "meimi"
> Sent: Thursday, April 22, 2004 7:29 AM
> Subject: Re: being DOSed
>
>
> > >
> > > Hello,
> > > The bandwidth usage for my server is tripled for 3 hours. When I
> > > run "top", I find many httpd processes in sbwait status. So, I
> > > think someone is DOSing my server. How can I check who is DOSing
> > > me? and how can I solve it?
> > > Thanks
> > > Meimi
> >
> > Quickly :
> >
> > netstat -an | sort | grep tcp4|more
> >
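
Added example, not part of the original thread: a way to turn the `netstat -an` listing suggested above into a per-address connection count, so that hosts holding many HTTP connections stand out. It assumes FreeBSD's `address.port` socket notation; the function names are hypothetical and the sample listing is constructed.

```shell
#!/bin/sh
# count_peers PORT MIN: read `netstat -an` output on stdin and print
# "count ip" for each remote IPv4 address that holds at least MIN TCP
# connections to local PORT, busiest first. (Function name is hypothetical.)
count_peers() {
    awk -v port="$1" -v min="$2" '
        $1 == "tcp4" {
            # FreeBSD prints sockets as a.b.c.d.port (listeners as *.port).
            n = split($4, l, "."); if (l[n] != port) next
            m = split($5, r, "."); if (m != 5) next   # skips "*.*"
            peers[r[1] "." r[2] "." r[3] "." r[4]]++
        }
        END { for (ip in peers) if (peers[ip] >= min) print peers[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample output (documentation address ranges), not a real capture.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.0.2.10.80          198.51.100.7.51234     ESTABLISHED
tcp4       0      0  192.0.2.10.80          198.51.100.7.51235     ESTABLISHED
tcp4       0      0  192.0.2.10.80          198.51.100.7.51236     ESTABLISHED
tcp4       0      0  192.0.2.10.80          198.51.100.7.51237     TIME_WAIT
tcp4       0      0  192.0.2.10.80          203.0.113.9.40001      ESTABLISHED
tcp4       0      0  192.0.2.10.80          203.0.113.9.40002      ESTABLISHED
tcp4       0      0  192.0.2.10.80          203.0.113.9.40003      SYN_RCVD
tcp4       0      0  192.0.2.10.22          203.0.113.9.40004      ESTABLISHED
tcp4       0      0  192.0.2.10.80          198.51.100.20.33000    ESTABLISHED
tcp4       0      0  *.80                   *.*                    LISTEN
udp4       0      0  *.514                  *.*
EOF
}

# On the server itself: netstat -an | count_peers 80 10
sample_netstat | count_peers 80 3
```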