Date: Thu, 6 Mar 2008 18:00:14 +0200
From: "Adrian Penisoara" <ady@freebsd.ady.ro>
To: Volker <volker@vwsoft.com>
Cc: "kamolpat@dmaccess.net" <kamolpat@dmaccess.net>, freebsd-security@freebsd.org
Subject: Re: DDOS problem from Bangkok, Thailand
Message-ID: <78cb3d3f0803060800n22254040qcacb0aa1836f2179@mail.gmail.com>
In-Reply-To: <47CFEBC6.20808@vwsoft.com>
References: <47CFCE4C.7010200@dmaccess.net> <47CFEBC6.20808@vwsoft.com>

Hi,

On Thu, Mar 6, 2008 at 3:04 PM, Volker <volker@vwsoft.com> wrote:
> On 03/06/08 11:58, kamolpat@dmaccess.net wrote:
> > Dear Security team,
> >
> > I'm Kamolpat Pornatiwiwat, Sys admin of DMaccess Co., Ltd. I'm got the
> > problem, My FreeBSD 6.0 got Dos attacked. What should I do? At the
> > present, I decide to stop apache and leave only mail feature on
> > functioning. Any guide/recommend/solution will be appreciated.
> >
> > More detail about my server:
> > ======================
> > FreeBSD 6.0 apache-1.3.34_4 php5-5.1.2_1 MySQL 5.0.20
> >
> >
> > php.ini
> > ======
> > ;;;;;;;;;;;;;;;;;;;
> > ; Resource Limits ;
> > ;;;;;;;;;;;;;;;;;;;
> >
> > max_execution_time = 30 ; Maximum execution time of each script, in
> > seconds
> > max_input_time = 60 ; Maximum amount of time each script may spend
> > parsing r
> > memory_limit = 32M (at the beginning it is 8M, I change to 32MB since
> > the cause of httpd-error.log, however, it still the error as the
> > following showed on httpd-error.log
> >
> >
> > FILE:/var/log/httpd-error.log
> > =====================
> > Allowed memory size of 33554432 bytes exhausted .... happened like this
> > all over the log
> >
> > Thanks in Advanced,
> > Kamolpat Pornatiwiwat, Sys admin DMaccess Co., Ltd.
>
> Kamolpat,
>
> without being a member of the secteam, I like to jump in here.
>
> ${subject} contains "DDoS" but I don't see any signs of a DDoS from what
> you're describing. Sure it might be a DoS attack but that needs
> careful inspection of your log file (look for specially crafted URLs
> being requested).
>
> To me, exhausted memory situations are more likely looking like
> application problems (read as: bad code). With just that exhausted
> memory message given, it's guesswork to tell more but you may want to
> check PHP's bug database.
>
>

Hmm, I'm wondering -- if you see a simple SYN flood attack (just opening
connections without sending an HTTP request) then you should try enabling
the accf_http(9) mechanism in kernel and using the "AcceptFilter http"
Apache configuration.

My 5 cents,
Adrian Penisoara
ROFUG / EnterpriseBSD
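
Added example, not part of the original messages and not any poster's code: a small triage script for the two hypotheses raised in the thread. It counts PHP memory-limit fatals per script in the Apache error log (application problem) and half-open SYN_RCVD connections per source in netstat output (SYN flood). The sample log and netstat lines, their layouts, and the function names are constructed assumptions.

```python
import re
from collections import Counter

# Constructed samples (not from the thread). Layouts are assumptions: PHP's
# fatal-error text in the Apache error log, and FreeBSD `netstat -an -p tcp`.
ERROR_LOG = """\
[Thu Mar  6 11:40:01 2008] [error] PHP Fatal error:  Allowed memory size of 33554432 bytes exhausted (tried to allocate 4096 bytes) in /usr/local/www/data/gallery.php on line 88
[Thu Mar  6 11:40:03 2008] [error] PHP Fatal error:  Allowed memory size of 33554432 bytes exhausted (tried to allocate 4096 bytes) in /usr/local/www/data/gallery.php on line 88
[Thu Mar  6 11:41:10 2008] [error] PHP Fatal error:  Allowed memory size of 33554432 bytes exhausted (tried to allocate 35 bytes) in /usr/local/www/data/search.php on line 12
[Thu Mar  6 11:41:12 2008] [error] File does not exist: /usr/local/www/data/favicon.ico
"""
NETSTAT = """\
tcp4       0      0  192.0.2.10.80          198.51.100.7.51234     SYN_RCVD
tcp4       0      0  192.0.2.10.80          198.51.100.7.51235     SYN_RCVD
tcp4       0      0  192.0.2.10.80          203.0.113.9.40022      ESTABLISHED
tcp4       0      0  192.0.2.10.25          203.0.113.50.33001     SYN_RCVD
tcp4       0      0  *.80                   *.*                    LISTEN
"""

MEM_RE = re.compile(r"Allowed memory size of (\d+) bytes exhausted .*? in (\S+) on line (\d+)")

def memory_errors_by_script(log_text):
    """Count memory-limit fatals per (script, line); a few hot spots point at code."""
    hits = Counter()
    for line in log_text.splitlines():
        m = MEM_RE.search(line)
        if m:
            hits[(m.group(2), int(m.group(3)))] += 1
    return hits

def half_open_by_source(netstat_text, port=80):
    """Count SYN_RCVD sockets on the given local port, per remote IP."""
    hits = Counter()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) != 6 or f[5] != "SYN_RCVD":
            continue
        # FreeBSD prints endpoints as addr.port, so split on the last dot.
        if f[3].rpartition(".")[2] != str(port):
            continue
        hits[f[4].rpartition(".")[0]] += 1
    return hits

if __name__ == "__main__":
    for (script, line), n in memory_errors_by_script(ERROR_LOG).most_common():
        print(f"{n:4d} memory-limit fatals at {script}:{line}")
    for ip, n in half_open_by_source(NETSTAT).most_common():
        print(f"{n:4d} half-open connections to port 80 from {ip}")
```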