Date: Sun, 2 Apr 2000 22:11:52 -0400 (EDT)
From: Robert Watson
To: System Admin
Cc: questions@freebsd.org, security@freebsd.org
Subject: Re: MAJOR DDOS

On Sun, 2 Apr 100, System Admin wrote:

> I believe I am experiencing a major DDOS on port 80 .... 40+ Megs
> inbound...... from all over, what is the fastest way to start protecting
> this machine ???? and alleviate some of this traffic under 3.4 ????

Not enough information. Tell us something useful: is it a classic
network-layer DoS such as a SYN attack, TCP segment flood, etc? Are real
connections being built, are these randomly sourced packets? Are the source
IPs randomized (unlikely if real connections are being built)? Is the
limiting component here the web server CPU/state management? Router
packet-pushing capacity? Link capacity? Is the target the application
level?

Before we can tell you anything that can help you defend yourself, you need
to tell us what the problem is. How do you know you're being DoS'd? Is it
adversely affecting performance/etc, or is it something you can sit out
waiting for the attacker to get bored?

Someone else has already suggested you go to your up-stream provider(s).
This is a good idea--if you don't know what you're doing, there's a greater
chance that they have experience in the area, as it may also be affecting
their network performance et al, and would love to throttle the attack
stream if they knew that it wasn't legitimate.

If the attack is persistent and having serious effects, why haven't you
contacted law enforcement, who have lately been showing relatively serious
interest in tracking attacks such as these? Have you been attempting to
gather evidence necessary for criminal prosecution, including packet
traces, etc?

Robert N M Watson
robert@fledge.watson.org
http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services
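The diagnostic questions above (SYN attack or real connections? randomized sources? application-level target?) can be answered from a packet trace of the web server. As an added example that is not part of the thread, this Python script parses constructed tcpdump-style text output and reports how far each client flow got through the TCP handshake; the sample lines, the server address 192.0.2.10 and the classification thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style sample (not real traffic): four lone SYNs from
# scattered sources plus one fully built connection that sends a request.
SAMPLE = """\
22:11:01.000001 IP 203.0.113.7.40001 > 192.0.2.10.80: Flags [S], seq 1, win 65535, length 0
22:11:01.000002 IP 198.51.100.9.40002 > 192.0.2.10.80: Flags [S], seq 1, win 65535, length 0
22:11:01.000003 IP 203.0.113.88.40003 > 192.0.2.10.80: Flags [S], seq 1, win 65535, length 0
22:11:01.000004 IP 198.51.100.200.40004 > 192.0.2.10.80: Flags [S], seq 1, win 65535, length 0
22:11:01.000005 IP 192.0.2.55.40005 > 192.0.2.10.80: Flags [S], seq 1, win 65535, length 0
22:11:01.000006 IP 192.0.2.10.80 > 192.0.2.55.40005: Flags [S.], seq 9, ack 2, win 65535, length 0
22:11:01.000007 IP 192.0.2.55.40005 > 192.0.2.10.80: Flags [.], ack 10, win 65535, length 0
22:11:01.000008 IP 192.0.2.55.40005 > 192.0.2.10.80: Flags [P.], seq 2:80, ack 10, win 65535, length 78
"""
# src.port > dst.port: Flags [..]  (tcpdump prints S=SYN, .=ACK, P=PSH)
LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")

def summarize(text, server_ip, server_port=80):
    """Group packets by client (ip, port) and record handshake progress."""
    flows = defaultdict(lambda: {"syn": False, "synack": False, "ack": False, "data": False})
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if dst == server_ip and int(dport) == server_port:      # client -> server
            f = flows[(src, int(sport))]
            if "S" in flags: f["syn"] = True
            if "." in flags and "S" not in flags: f["ack"] = True   # 3rd handshake packet
            if "P" in flags: f["data"] = True                      # request payload
        elif src == server_ip and int(sport) == server_port:    # server -> client
            if "S" in flags and "." in flags:
                flows[(dst, int(dport))]["synack"] = True
    return {"flows": len(flows),
            "half_open": sum(f["syn"] and not f["ack"] for f in flows.values()),
            "completed": sum(f["syn"] and f["synack"] and f["ack"] for f in flows.values()),
            "with_data": sum(f["data"] for f in flows.values()),
            "distinct_sources": len({src for src, _ in flows})}

def classify(s):
    """Rough answer to 'SYN flood, or real connections hitting the application?'"""
    n = s["flows"] or 1
    if s["half_open"] / n > 0.5:
        hint = " (every source seen once: randomized sources likely)" if s["distinct_sources"] == s["flows"] else ""
        return "network-layer: SYN flood" + hint
    if s["completed"] / n > 0.5 and s["with_data"]:
        return "application-layer: real connections sending requests"
    return "mixed / inconclusive"
```

Run it against `tcpdump -n -i <iface> port 80` output saved to a file; a high half-open ratio points at SYN handling and upstream filtering, a high completed ratio points at the web server itself.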