Date:      Thu, 6 Mar 2008 18:00:14 +0200
From:      "Adrian Penisoara" <ady@freebsd.ady.ro>
To:        Volker <volker@vwsoft.com>
Cc:        "kamolpat@dmaccess.net" <kamolpat@dmaccess.net>, freebsd-security@freebsd.org
Subject:   Re: DDOS problem from Bangkok, Thailand
Message-ID:  <78cb3d3f0803060800n22254040qcacb0aa1836f2179@mail.gmail.com>
In-Reply-To: <47CFEBC6.20808@vwsoft.com>
References:  <47CFCE4C.7010200@dmaccess.net> <47CFEBC6.20808@vwsoft.com>

Hi,

On Thu, Mar 6, 2008 at 3:04 PM, Volker <volker@vwsoft.com> wrote:

> On 03/06/08 11:58, kamolpat@dmaccess.net wrote:
> > Dear Security team,
> >
> > I'm Kamolpat Pornatiwiwat, Sys admin of DMaccess Co., Ltd. I've got a
> > problem: my FreeBSD 6.0 got DoS attacked. What should I do? At
> > present, I have decided to stop Apache and leave only the mail feature
> > functioning. Any guide/recommendation/solution will be appreciated.
> >
> > More detail about my server:
> > ======================
> > FreeBSD 6.0 apache-1.3.34_4 php5-5.1.2_1 MySQL 5.0.20
> >
> >
> > php.ini
> > ======
> > ;;;;;;;;;;;;;;;;;;;
> > ; Resource Limits ;
> > ;;;;;;;;;;;;;;;;;;;
> >
> > max_execution_time = 30     ; Maximum execution time of each script, in
> > seconds
> > max_input_time = 60     ; Maximum amount of time each script may spend
> > parsing r
> > memory_limit = 32M   (at the beginning it was 8M; I changed it to 32MB
> > because of httpd-error.log, however it still shows the error as
> > shown below in httpd-error.log
> >
> >
> > FILE:/var/log/httpd-error.log
> > =====================
> > Allowed memory size of 33554432 bytes exhausted ....  happened like this
> > all over the log
> >
> > Thanks in advance,
> > Kamolpat Pornatiwiwat, Sys admin DMaccess Co., Ltd.
>
> Kamolpat,
>
> Without being a member of the secteam, I'd like to jump in here.
>
> ${subject} contains "DDoS" but I don't see any signs of a DDoS from what
> you're describing. Sure, it might be a DoS attack, but that needs
> careful inspection of your log file (look for specially crafted URLs
> being requested).
>
> To me, exhausted memory situations are more likely to look like
> application problems (read as: bad code). With just that exhausted
> memory message given, it's guesswork to tell more but you may want to
> check PHP's bug database.
>
>

Hmm, I'm wondering -- if you see a simple SYN flood attack (just opening
connections without sending an HTTP request) then you should try enabling
the accf_http(9) mechanism in the kernel and using the "AcceptFilter http"
Apache configuration.

My 5 cents,
Adrian Penisoara
ROFUG / EnterpriseBSD
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?78cb3d3f0803060800n22254040qcacb0aa1836f2179>
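The accept-filter suggestion above, worked through as an added example (this is not code from the thread or from the FreeBSD or Apache projects). It assumes a FreeBSD host with root access, an Apache 2.2-style `AcceptFilter` directive, and a `netstat -an -p tcp` output format like the constructed sample lines below; the function and variable names are made up for the example. `enable_accf_http` is only meant to be called by hand on the FreeBSD box, while `top_http_peers` can run anywhere to triage who is holding open connections to port 80.

```shell
#!/bin/sh
# Added example (not from the original thread): enable accf_http(9) on FreeBSD
# and do a quick per-peer count of open HTTP connections.

# Step 1 (FreeBSD, as root): load the HTTP accept filter now and at every boot.
# accf_http makes accept() return a socket only once a full HTTP request
# header has arrived, so idle "connect and say nothing" sockets never reach
# an Apache child. It does nothing for a true SYN flood, which the kernel's
# syncache/syncookies (net.inet.tcp.syncookies) handle before accept().
enable_accf_http() {
    kldstat -m accf_http >/dev/null 2>&1 || kldload accf_http
    grep -q '^accf_http_load="YES"' /boot/loader.conf 2>/dev/null \
        || echo 'accf_http_load="YES"' >> /boot/loader.conf
}

# Step 2: tell Apache to use the filter (Apache 2.2+ directive syntax, assumed).
# Put these in httpd.conf and restart Apache:
#   AcceptFilter http httpready
#   AcceptFilter https dataready

# Step 3: triage. Constructed sample of "netstat -an -p tcp" output; the host
# 192.0.2.10 serves HTTP on port 80 and SMTP on port 25.
SAMPLE_NETSTAT='tcp4       0      0 192.0.2.10.80          198.51.100.7.40011     ESTABLISHED
tcp4       0      0 192.0.2.10.80          198.51.100.7.40012     ESTABLISHED
tcp4       0      0 192.0.2.10.80          198.51.100.7.40013     ESTABLISHED
tcp4       0      0 192.0.2.10.80          203.0.113.5.51000      ESTABLISHED
tcp4       0      0 192.0.2.10.25          203.0.113.9.33000      ESTABLISHED
tcp4       0      0 192.0.2.10.80          203.0.113.9.33001      SYN_RCVD'

# Print "<count> <remote address>" for every remote host holding ESTABLISHED
# connections to local port 80, busiest first. Only port 80 and only fully
# established sockets are counted; half-open (SYN_RCVD) entries belong to the
# syncache, not to Apache.
top_http_peers() {
    printf '%s\n' "$1" \
    | awk '$1 ~ /^tcp/ && $4 ~ /\.80$/ && $6 == "ESTABLISHED" {
               peer = $5; sub(/\.[0-9]+$/, "", peer); n[peer]++ }
           END { for (p in n) print n[p], p }' \
    | sort -rn
}

# On a live system: top_http_peers "$(netstat -an -p tcp)" | head
top_http_peers "$SAMPLE_NETSTAT"
```

A peer that appears with many established connections and nothing in the Apache access log is the idle-connection pattern the filter addresses; a peer that does show up in the access log is a request-level problem, which is where the earlier advice to look for crafted URLs and at the PHP memory errors applies instead.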