  1. #1  SitePoint Member (joined Nov 2007, 17 posts)

    SYN Attack – Thousands Of Requests A Second – Maybe Hacked – Don’t Know – Help!

    Hi All,

    For the last 6 months our site has been under a severe brute-force SYN flood attack. They keep bombarding a single URL on the server, which is an XML file. They are not attacking any other URL.

    We have removed the XML page from our site but they still keep sending requests; this has been going on non-stop for the last 6 months.

    The IP has been changed just to see, and they are still sending several thousand requests per second. The requests come from different IPs and different ranges, so you cannot even block the IPs. They seem to be coming from legitimate IPs.

    Because of this I have had to pay for an extremely expensive server with 8 GB of RAM, a quad-core processor etc.; however, even with this the server still reaches a critical level, because these requests are eating up my resources.

    Our technical team has been working on all aspects of Apache server security, external modules, the firewall and a hardware firewall from the beginning, but we are still not able to stop them.

    We have installed the following modules.

    1) mod_security
    2) mod_evasive
    3) Firewall

    We have worked with the hosting company and their technical team leader; he installed the best Cisco hardware firewall and tried to stop them, but in vain.

    We have checked our server to see if anything on our site is causing the requests; no extra file has been uploaded to the server. For example, we checked whether some file had been uploaded or some text had been added to a file (checked whether we’ve been hacked). Even though we checked for any hacks, I am still wondering if there is something we do not know about. Can a hack lead to huge amounts of traffic?

    We need some help to stop these attacks. We have searched a lot and have found that sites that get attacked like this have only one option, which is to shut down till it stops. I really hope that will not be the case for us. Please let us know if anyone has any ideas to deal with this.

    We are willing to try any small suggestion which might help, from coding to scripting to modules to the firewall. So please provide suggestions/solutions and a way to get us out of this.

    Also, could it be our own PHP code which is doing this? We are ready to check every PHP file to make sure it does not have any line of code which could be dangerous.

    Thank you for your help in advance! Help!

    Regards,

    Sam

  2. #2
    ¬.¬ shoooo... silver trophy logic_earth's Avatar
    Join Date
    Oct 2005
    Location
    CA
    Posts
    9,013
    Mentioned
    8 Post(s)
    Tagged
    0 Thread(s)
    The source IP of the SYN packets is most likely forged. In the case of SYN flooding the attacker does not care about receiving the ACK from the server.

    This article may be of use to you: http://www.securityfocus.com/infocus/1729
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.


  3. #3  SitePoint Member (joined Nov 2007, 17 posts)
    Hi,

    @logic_earth

    Yes, it seems that there is a single IP, and when they send the requests they come from different IP ranges with no referrer. I have read the article and am working with my technical Linux team to try this out.

    Also, they are sending requests and we return a 404; however, as you said, they don't care about the ACK. They just want to send requests.

    I will keep updating the forum with latest details. Also please keep giving suggestions to sort this out.

    Thanks

    Sam

  4. #4
    SitePoint Wizard silver trophy kyberfabrikken's Avatar
    Join Date
    Jun 2004
    Location
    Copenhagen, Denmark
    Posts
    6,157
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    You say they hit a single URL. How dynamic is the content of said URL? Could you cache it (even if just for a few seconds)? In that case, you could set up an HTTP cache such as Squid. This should take the load off your web server. Of course you still have to handle the load, but at least it evens the game a bit, as the attacker would have to spend much more resources to put you under load. If you don't want to / can't set up Squid, you could perhaps render the file to a static file and have Apache serve it directly without involving something like PHP (assuming you are now). That should take off some load as well.

  5. #5  SitePoint Member (joined Nov 2007, 17 posts)
    Hi,

    Thanks for the details. The server is already reaching a critical state because of this issue, and Squid will add load to it.

    Still, I will talk to my other team members about this option and see if it can sort out the issue.

    Also, we have updated the firewall with a few IP rules, but in vain. Also, 2-3 questions that have come to us: can it be a virus or some malware which causes this?

    We have antivirus installed on our dedicated server and it says the server is fine; however, if needed we can try new ones, even paid ones.

    I still suspect some PHP code which could cause such things, but I am not able to find anything regarding this.

    However, we are trying, and if anyone has any suggestion, please share it with us.

    Thanks

    Sam

  6. #6
    secure webapps for all Aleksejs's Avatar
    Join Date
    Apr 2008
    Location
    Riga, Latvia
    Posts
    755
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    You said "SYN flood attack", right? If it were a SYN flood attack, you would not know which page they are targeting, because a SYN flood means that the TCP session pool is overloaded with false SYN requests (only the first SYN packet is sent and no other info).

    Consider reading about this attack:
    http://ha.ckers.org/blog/20090617/slowloris-http-dos/

  7. #7  SitePoint Member (joined Nov 2007, 17 posts)
    Hi,

    Thanks for the details; however, I have reviewed it before and have checked all the information that could help to stop this.

    Any idea about malware or our own server issues?

    Sam

  8. #8  SitePoint Member (joined Nov 2007, 17 posts)
    Hi,

    Just finished checking the full server again; no unintentional file or code on the server.

    Also, does anyone have an idea regarding a firewall which drops requests at the entry point for a specific URL? What we have currently tried is IP- and pattern-based only, to slow down the attack; however, they are getting smarter and keep generating new bunches of IP addresses.

    Sam

  9. #9
    secure webapps for all Aleksejs's Avatar
    Join Date
    Apr 2008
    Location
    Riga, Latvia
    Posts
    755
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Hi!

    Have they contacted you? What do they gain from DDoSing you?

    Do these HTTP requests have a referrer (probably not, but still)? Maybe they have included your XML page as <img src="yoursite.si/yourpage.xml"> on a busy forum/webpage and, with a large enough number of visitors, they are unknowingly overloading your site with these requests.

    What type of firewall do you have? Some of them are capable of URL-level filtering while others are not.

    What was your setup for mod_security and mod_evasive? They should have dealt with the problem to some extent.

  10. #10  SitePoint Member (joined Nov 2007, 17 posts)
    Hi Aleksejs,

    No one has contacted us, and these attackers do not have any objective; they only want to destroy.

    Not getting any referrers in the log file, only a bunch of IPs.

    We are using the "APF" firewall on the server and for now have removed the hardware firewall.

    If you have any idea then let me know, as I am looking for a firewall which works at the entry level and where I can set for which URLs of my site I do not want to allow any connection.

    Following are some details from the access log and also the server configuration.

    OS - RHEL5
    kernels - 2.6.18-92.1.22.el5-x86_64
    2.6.18-92.el5-x86_64

    rpms:-
    kernel-devel-2.6.18-92.el5
    kernel-headers-2.6.18-92.1.22.el5
    kernel-devel-2.6.18-92.1.22.el5
    kernel-2.6.18-92.1.22.el5
    kernel-2.6.18-92.el5

    OS Type:
    cat /etc/issue
    Red Hat Enterprise Linux Server release 5.2 (Tikanga)
    > cat /proc/version
    Linux version 2.6.18-92.1.22.el5 (mockbuild@hs20-bc2-5.build.redhat.com) (gcc version 4.1.2 20071124 (Red Hat 4.1.2-42)) #1 SMP Fri Dec 5 09:28:22 EST 2008

    We are returning a 403 code for the URL request.

    netstat:

    tcp 0 0 domain.com:http 85-156-91-20.elisa-mo:55168 SYN_RECV
    tcp 0 0 domain.com:http 220.255.7.227:27183 SYN_RECV
    tcp 0 0 domain.com:http 5e03cbc4.bb.sky.com:51086 SYN_RECV
    tcp 0 0 domain.com:http 79.126.234.198:18139 SYN_RECV
    tcp 0 0 domain.com:http 78.148.175.148:11115 SYN_RECV
    tcp 0 0 domain.com:http 83-154-143-68.rev.lib:61479 SYN_RECV
    tcp 0 0 domain.com:http ABTS-North-Static-248:54775 SYN_RECV
    tcp 0 0 domain.com:http 90-230-131-95-no130.tb:1134 SYN_RECV
    tcp 0 0 domain.com:http static-host119-73-6-2:49538 SYN_RECV
    tcp 0 0 domain.com:http 222.127.130.238:gtp-control SYN_RECV
    tcp 0 0 domain.com:http acl1-1571bts.gw.smartbr:g5m SYN_RECV
    tcp 0 0 domain.com:http athedsl-282427.home.o:60002 SYN_RECV
    tcp 0 0 domain.com:http CPE-58-166-77-138.nsw:60067 SYN_RECV
    tcp 0 0 domain.com:http C-59-101-99-107.syd.c:51097 SYN_RECV
    tcp 0 0 domain.com:http ti0111a380-2667.bb.on:60993 SYN_RECV
    tcp 0 0 domain.com:http 92.81.2.242:60451 SYN_RECV
    tcp 0 0 domain.com:http 118.100.120.248server SYN_RECV
    tcp 0 0 domain.com:http triband-del-59.178.84:50140 SYN_RECV
    tcp 0 0 domain.com:http cpc4-leds5-0-0-cust82brpd SYN_RECV
    tcp 0 0 domain.com:http ALyon-153-1-8-78.w86-:59494 SYN_RECV
    tcp 0 0 domain.com:http 120.28.199.183:3comnetman SYN_RECV
    tcp 0 0 domain.com:http h248.4.16.98.dynamic.:60758 SYN_RECV
    tcp 0 0 domain.com:http 89.211.205.59:64217 SYN_RECV
    tcp 0 0 domain.com:http CPE-124-187-26-30.qld:ff-sm SYN_RECV
    tcp 0 0 domain.com:http frw.Gloworld.com:59104 SYN_RECV
    tcp 0 0 domain.com:http 220.255.7.182:winpoplanmess SYN_RECV
    tcp 0 0 domain.com:http srisaionline180.excell:1232 SYN_RECV
    tcp 0 0 domain.com:http CPE-60-230-16-150.vic:52611 SYN_RECV
    tcp 0 0 domain.com:http 203.82.91.102:41318 SYN_RECV
    tcp 0 0 domain.com:http 69.171.165.50:32454 SYN_RECV
    tcp 0 0 domain.com:http dsl-TN-static-195.:corbaloc SYN_RECV
    tcp 0 0 domain.com:http 210.186.66.179:49330 SYN_RECV
    tcp 0 0 domain.com:http ABTS-North-Dinuexpansion3 SYN_RECV
    tcp 0 0 domain.com:http c122-106-133-46.livrp:49273 SYN_RECV
    tcp 0 0 domain.com:http 173.subnet125-1:nssalertmgr SYN_RECV
    tcp 0 0 domain.com:http 121.246.52.30.dynamic:63977 SYN_RECV
    tcp 0 0 domain.com:http mobile-3G-dyn-BC-179-1:4464 SYN_RECV
    tcp 0 0 domain.com:http crd48.neoplus.adsl.t:aminet SYN_RECV


    The following is what we have done so far for the configuration.

    ###############
    sysctl.conf

    ##############
    # Kernel sysctl configuration file for Red Hat Linux
    #
    # For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
    # sysctl.conf(5) for more details.

    # Controls IP packet forwarding
    net.ipv4.ip_forward = 0

    # Controls source route verification
    net.ipv4.conf.default.rp_filter = 1

    # Do not accept source routing
    net.ipv4.conf.default.accept_source_route = 0

    # Controls the System Request debugging functionality of the kernel
    kernel.sysrq = 0

    # Controls whether core dumps will append the PID to the core filename
    # Useful for debugging multi-threaded applications
    kernel.core_uses_pid = 1

    # Controls the use of TCP syncookies
    net.ipv4.tcp_syncookies = 1

    # Controls the maximum size of a message, in bytes
    kernel.msgmnb = 65536

    # Controls the default maximum size of a message queue
    kernel.msgmax = 65536

    # Controls the maximum shared segment size, in bytes
    kernel.shmmax = 68719476736

    # Controls the maximum number of shared memory segments, in pages
    kernel.shmall = 4294967296
    net.ipv4.tcp_syncookies = 1
    net.ipv4.tcp_synack_retries = 2
    # Enable IP spoofing protection, turn on Source Address Verification
    net.ipv4.conf.all.rp_filter = 1
    # Enable TCP SYN Cookie Protection
    net.ipv4.tcp_syncookies = 1

    # 65536 seems to be the max it will take
    net.ipv4.ip_conntrack_max = 1048576
    net.ipv4.tcp_rmem = 4096 87380 8388608
    net.ipv4.tcp_wmem = 4096 87380 8388608
    net.core.rmem_max = 8388608
    net.core.wmem_max = 8388608
    net.core.netdev_max_backlog = 5000
    net.ipv4.tcp_window_scaling = 1


    #############
    fwsnort, bfd burnintest chkrootkit ddos faf lsm nobody_check sim apf

    #############
    modsecurity-apache

    LoadModule evasive20_module /usr/lib64/httpd/modules/mod_evasive20.so

    <IfModule mod_evasive20.c>
    DOSHashTableSize 3097
    DOSPageCount 3
    DOSSiteCount 50
    DOSPageInterval 1
    DOSSiteInterval 1
    DOSBlockingPeriod 30
    </IfModule>

    LoadModule security_module /usr/lib64/httpd/modules/mod_security.so



    --------------------------------

    Hope this will help you to check further.

    Sam

  11. #11  SitePoint Member (joined Nov 2007, 17 posts)
    Also, the following is part of the access log.

    94.70.118.139 - - [11/Jun/2009:04:46:32 -0500] "GET /rss/test.xml HTTP/1.1" 403 292 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; FunWebProducts; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; CT2077543_4.5.188.7)"
    89.216.230.148 - - [11/Jun/2009:04:46:32 -0500] "GET /rss/test.xml HTTP/1.1" 403 292 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; sr; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"
    82.81.54.226 - - [11/Jun/2009:04:46:32 -0500] "GET /rss/test.xml HTTP/1.1" 403 292 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB5; CT2077543_4.5.191.15)"
    85.229.15.86 - - [11/Jun/2009:04:46:32 -0500] "GET /rss/test.xml HTTP/1.1" 403 292 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB6; .NET CLR 2.0.50727; CT2088752_4.5.188.7)"
    92.237.189.17 - - [11/Jun/2009:04:46:32 -0500] "GET /rss/test.xml HTTP/1.1" 403 292 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"
    84.106.127.218 - - [11/Jun/2009:04:46:32 -0500] "GET /rss/test.xml HTTP/1.1" 403 292 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; eSobiSubscriber 2.0.4.16; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; InfoPath.2; .NET CLR 3.5.30729; .NET CLR 3.0.30618; CT2088433_4.5.188.7)"
    87.93.30.98 - - [11/Jun/2009:04:46:32 -0500] "GET /rss/test.xml HTTP/1.1" 403 292 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB6; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618; CT2088347_4.5.188.7)"
    93.86.61.247 - - [11/Jun/2009:04:46:32 -0500] "GET /rss/test.xml HTTP/1.0" 403 292 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; CT2077543_4.5.188.7)"
    91.152.228.27 - - [11/Jun/2009:04:46:32 -0500] "GET /rss/test.xml HTTP/1.1" 403 292 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; GTB6; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; Creative ZENcast v2.00.13; CT2088347_4.5.188.7)"
    94.69.164.32 - - [11/Jun/2009:04:46:32 -0500] "GET /rss/test.xml HTTP/1.1" 403 292 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; FunWebProducts; .NET CLR 1.1.4322; .NET CLR 2.0.50727; CT2088700_4.5.191.15)"
    82.201.180.177 - - [11/Jun/2009:04:46:32 -0500] "GET /rss/test.xml HTTP/1.1" 403 292 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB6; CT2077543_4.5.189.28)"
    83.248.2.230 - - [11/Jun/2009:04:46:32 -0500] "GET /rss/test.xml HTTP/1.1" 403 292 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SIMBAR={46BC3752-9118-483D-8E88-CD3E89FCD192}; GTB6; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; CT2088752_4.5.188.7)"
    99.235.137.30 - - [11/Jun/2009:04:46:32 -0500] "GET /rss/test.xml HTTP/1.1" 403 292 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6; .NET CLR 2.0.50727; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; CT2077543_4.5.191.15)"
    216.155.136.84 - - [11/Jun/2009:04:46:32 -0500] "GET /rss/test.xml HTTP/1.1" 403 292 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; .NET CLR 1.1.4322; CT2077543_4.5.188.7)"
    217.123.166.205 - - [11/Jun/2009:04:46:32 -0500] "GET /rss/test.xml HTTP/1.1" 403 292 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; GTB5; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; InfoPath.2; .NET CLR 3.5.30729; .NET CLR 3.0.30618; CT2088433_4.5.188.7)"
    86.96.227.88 - - [11/Jun/2009:04:46:32 -0500] "GET /rss/test.xml HTTP/1.1" 403 292 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; GTB6; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; CT2077543_4.5.188.7)"
    203.115.189.77 - - [11/Jun/2009:04:46:32 -0500] "GET /rss/test.xml HTTP/1.1" 403 292 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; CT2077543_1.5.48.2; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"
    203.82.79.102 - - [11/Jun/2009:04:46:32 -0500] "GET /rss/test.xml HTTP/1.1" 403 292 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; CT2088347_4.5.188.7)"
    88.195.52.126 - - [11/Jun/2009:04:46:32 -0500] "GET /rss/test.xml HTTP/1.1" 403 292 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; GTB6; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618; CT2088347_4.5.189.24)"
    77.81.114.171 - - [11/Jun/2009:04:46:32 -0500] "GET /rss/test.xml HTTP/1.1" 403 292 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB6; SIMBAR={B471FCBA-22ED-11DE-91A3-00196693641D}; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; CT2077543_4.5.191.15)"
    92.84.250.65 - - [11/Jun/2009:04:46:32 -0500] "GET /rss/test.xml HTTP/1.1" 403 292 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; CT2077543_4.5.191.15)"


    ------------------
    Sam
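
    The checks below are an added example and not part of any post in this thread. They run the kind of triage over an access log that posts #6 and #11 call for: whether the log shows completed HTTP requests (which a spoofed-source SYN flood cannot produce), the peak per-second rate to the one URL, how many distinct sources hit it, whether any carry a referrer, and whether the User-Agent strings share a token. The log lines inside the script are constructed to match the shape of the ones posted (documentation-range IPs, shortened User-Agents); the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the thread. Triage an Apache combined-format
# access log with awk, the way you would on the RHEL5 box in the thread.
# sample_log is CONSTRUCTED: documentation-range IPs and shortened User-Agents
# shaped like the lines posted. Replace it with: cat /var/log/httpd/access_log
sample_log() {
cat <<'EOF'
192.0.2.10 - - [11/Jun/2009:04:46:32 -0500] "GET /rss/test.xml HTTP/1.1" 403 292 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; CT2077543_4.5.188.7)"
192.0.2.11 - - [11/Jun/2009:04:46:32 -0500] "GET /rss/test.xml HTTP/1.1" 403 292 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"
198.51.100.7 - - [11/Jun/2009:04:46:32 -0500] "GET /rss/test.xml HTTP/1.1" 403 292 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; CT2077543_4.5.191.15)"
198.51.100.8 - - [11/Jun/2009:04:46:32 -0500] "GET /rss/test.xml HTTP/1.1" 403 292 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; CT2088347_4.5.188.7)"
203.0.113.5 - - [11/Jun/2009:04:46:32 -0500] "GET /rss/test.xml HTTP/1.1" 403 292 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; CT2088752_4.5.188.7)"
203.0.113.6 - - [11/Jun/2009:04:46:32 -0500] "GET /rss/test.xml HTTP/1.1" 403 292 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; CT2077543_1.5.48.2; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"
192.0.2.10 - - [11/Jun/2009:04:46:33 -0500] "GET /rss/test.xml HTTP/1.0" 403 292 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; CT2077543_4.5.188.7)"
198.51.100.20 - - [11/Jun/2009:04:46:33 -0500] "GET /index.php HTTP/1.1" 200 5120 "http://www.example.com/" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"
EOF
}

# Field layout of a combined-format line when awk splits on whitespace:
#   $1 client IP, $4 "[dd/Mon/yyyy:hh:mm:ss", $7 request path, $9 status,
#   $11 referrer (quoted, "-" when absent); the User-Agent is the tail.

# Every logged line is a completed TCP handshake plus a parsed request line.
# A spoofed-source SYN flood never gets this far, so a non-zero count here
# means the flood is at the HTTP layer and the sources really do talk TCP.
total_hits() {
    sample_log | awk -v url="$1" '$7 == url { c++ } END { print c + 0 }'
}

# Busiest single second for the URL: what Apache has to absorb at peak.
peak_rps() {
    sample_log | awk -v url="$1" '$7 == url { n[$4]++ }
        END { max = 0; for (t in n) if (n[t] > max) max = n[t]; print max }'
}

# Distinct client addresses; a figure close to total_hits means per-IP
# blocking (APF, mod_evasive) cannot keep up, which is what the thread found.
distinct_ips() {
    sample_log | awk -v url="$1" '$7 == url && !seen[$1]++ { c++ } END { print c + 0 }'
}

# Requests that carry no Referer header at all.
no_referer_hits() {
    sample_log | awk -v url="$1" '$7 == url && $11 == "\"-\"" { c++ } END { print c + 0 }'
}

# Requests whose User-Agent carries a CT<digits>_<version> token, as most of
# the posted lines do. A token shared across unrelated browsers and ISPs is
# a fingerprint worth chasing: it is something the clients have in common.
ua_marker_hits() {
    sample_log | awk -v url="$1" '$7 == url && match($0, /CT[0-9]+_[0-9.]+/) { c++ }
        END { print c + 0 }'
}

# Distinct CT identifiers (the part before the underscore).
ua_marker_ids() {
    sample_log | awk -v url="$1" '$7 == url && match($0, /CT[0-9]+_/) {
            id = substr($0, RSTART, RLENGTH - 1); if (!seen[id]++) c++ }
        END { print c + 0 }'
}

report() {
    url="$1"
    printf 'URL %s: %s hits, peak %s/s, %s distinct IPs, %s without referrer\n' \
        "$url" "$(total_hits "$url")" "$(peak_rps "$url")" \
        "$(distinct_ips "$url")" "$(no_referer_hits "$url")"
    printf '  %s carry a CT token (%s distinct identifiers)\n' \
        "$(ua_marker_hits "$url")" "$(ua_marker_ids "$url")"
}

report /rss/test.xml
```

    Run against the real log with the heredoc swapped for the file. In the 21 lines posted, every request completed a handshake, every one is referrer-less, the addresses are all different, and all but two User-Agents carry a CT<digits>_<version> token; those facts fit Aleksejs's hypothesis in #9 (real clients fetching the feed without knowing it) better than they fit a spoofed SYN flood. What the token means is not something this thread establishes; the script only makes the pattern measurable.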

  12. #12  SitePoint Addict (joined Apr 2007, 300 posts)
    Since you are going to great lengths to stop this, can't you have some kind of preprocessor that will drop any requests for this test.xml file before they reach the server?

  13. #13  SitePoint Member (joined Nov 2007, 17 posts)
    Hi,

    Are you talking about some intermediate server or processor? I have not thought much about this. Can you please provide some details regarding this? It would be a great help. Also please provide the steps to achieve this, and the drawbacks of it if there are any.

    Also, the following are the updates:

    Scanned the server with rootkit/antispyware tools, no infection found. Regarding the firewall, put BFD on top of APF; the requests are still not going down.

    Also the IP table is getting full of new IPs and it keeps the network slow. Please advise.

    Sam

  14. #14
    Community Advisor silver trophy

    Join Date
    Nov 2006
    Location
    UK
    Posts
    2,514
    Mentioned
    37 Post(s)
    Tagged
    1 Thread(s)
    kyberfabrikken's suggestion is a good one, though I'd use HAProxy rather than Squid. HAProxy will deal with each request with a much lower overhead per request than Apache, and will not allow malformed requests through. By the time you have let a request through to Apache, you are going to use far more resources, even if the response is a 404.

  15. #15  SitePoint Member (joined Nov 2007, 17 posts)
    Hi @EastCoast,

    Does HAProxy work as a hardware device or is it some plugin? If it's a plugin, again it will allow the request to touch the server before doing its processing.

    Can you give some details on this? I also reviewed it in detail but am not convinced to use it.

    Thanks

    Sam

  16. #16
    Community Advisor silver trophy

    Join Date
    Nov 2006
    Location
    UK
    Posts
    2,514
    Mentioned
    37 Post(s)
    Tagged
    1 Thread(s)
    HAProxy is a software load balancer/reverse proxy. You would have this as the front-end application that processes incoming requests and then (if valid) passes them through to Apache. The point of the exercise is that a given single incoming request can be processed, and if necessary rejected, for a smaller amount of system resources than allowing Apache to process the same request. If you read the applications page you can see how it mitigates attacks such as the recent 'slowloris' exploit by rejecting malformed requests which would otherwise overwhelm Apache. Without full clarification of your attack methodology I couldn't definitively say whether it'd be effective or not.
    I'd also mention that you need better people configuring your external firewall if they haven't managed to block a request for a specific file; this should be extremely simple with the 'best CISCO hardware firewall', which leads me to suspect your hosting company aren't giving you the full picture, or don't have a qualified individual to operate it.

  17. #17
    Resident OCD goofball! bronze trophy Serenarules's Avatar
    Join Date
    Dec 2002
    Posts
    1,911
    Mentioned
    26 Post(s)
    Tagged
    0 Thread(s)
    Hey. Look up DEVICE POLLING for your architecture. I use it on my FreeBSD server. You can enable it at the kernel level, and at the device level on certain devices (we're talking about network cards). What it does is put a queue on the input in terms of how many requests a second it can handle, FIFO style; anything else delivered in that time is dropped and completely ignored. You pick a threshold that keeps your server running smoothly and still allows your real users to browse your sites.

    This is a good doc; even though it's for FreeBSD, you can get some good info out of it for Linux also.
    http://silverwraith.com/papers/freebsd-tuning.php

  18. #18  SitePoint Member (joined Nov 2007, 17 posts)
    Hi,

    @EastCoast,
    Thanks for all these details. They gave me a clear picture of HAProxy; we will surely look at this option and whether it slows/stops the requests or not.

    Also, we have a dedicated server; we handed our full site over to the hosting company to stop this attack. They tried for a few days to stop the attack and sent all the details, including the firewall and other modules they tried.

    We also verified all the technical aspects once they did the setup, and all was fine.

    @Serenarules,
    All the settings are done, and that is why the site is running; we want to stop the requests touching the server. Thanks for the update.

    Sam

  19. #19  SitePoint Member (joined Jul 2009, 1 post)
    Hi Sam,

    To block your SYN flood, you need a large enough SYN backlog so that your server still accepts normal connections, but not so large that it can no longer use SYN cookies (typically between 5000 and 20000). For this you need to set both net.core.somaxconn and net.ipv4.tcp_max_syn_backlog. You must also reduce tcp_synack_retries to 2 or 3.

    Concerning haproxy, there is a feature named "tarpit" which can dramatically slow down the attack when you can identify it, which is your case. The principle consists in keeping the connection up and waiting before returning a 500 status. Since most attack tools only run one connection at a time, you will slow them down. We have already blocked a 20k-connection attack using this method. This is better than rejecting the request because it reduces the traffic and request rate, thus protecting your upstream link and your firewalls.

    Here's what you must do for that:
    - download haproxy 1.3.19 (or even 1.4-dev1, it will save you some bandwidth)
    - set the frontend maxconn to a large value (40000 for 2 GB RAM)
    - set the global maxconn slightly higher (eg: 40100)
    - define a "timeout tarpit" equal to the time you want to keep an attacker's connection up. 30s is already fine.
    - set the "maxconn" value on your "server" lines to reflect your Apache's MaxClients (slightly lower so that haproxy does not use all Apache slots).
    - create a tarpit backend like this:

    backend tarpit
    reqtarpit .

    - create ACLs in the frontend to switch to the tarpit :

    acl attack_url url_beg /rss/test.xml
    use_backend tarpit if attack_url

    Note that you will then be able to add as many attack_url entries as you want, and you will be able to combine them with other criteria (source IP, headers, user-agent, ...).

    Keep in mind that as long as your link is not saturated, it is possible to do something.

    Hoping this helps,
    Willy
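
    Willy's steps assembled into one configuration file, added here as an illustration and not part of his post. The assumptions are mine and not stated in the thread: Apache has been moved to 127.0.0.1:8080 so haproxy can own port 80, Apache's MaxClients is 150, and the 40000/40100 figures follow the post's 2 GB sizing. The syntax is that of the haproxy 1.3 series the post names.

```haproxy
# Added example, not from the thread. haproxy 1.3-style configuration
# implementing the tarpit recipe from post #19.
# Assumed: Apache listens on 127.0.0.1:8080 with MaxClients 150.
global
    maxconn 40100                 # slightly above the frontend maxconn
    daemon

defaults
    mode http
    option httpclose
    timeout connect 5s
    timeout client  30s
    timeout server  30s
    timeout tarpit  30s           # how long an attacker's connection is held before the 500

frontend public
    bind *:80
    maxconn 40000                 # 40000 for 2 GB RAM, per the post
    acl attack_url url_beg /rss/test.xml
    use_backend tarpit if attack_url
    default_backend apache

backend tarpit
    reqtarpit .                   # every request routed here is held, then answered 500

backend apache
    balance roundrobin
    server www1 127.0.0.1:8080 maxconn 140   # just under Apache's MaxClients 150
```

    Pair it with the kernel side of the post: net.core.somaxconn and net.ipv4.tcp_max_syn_backlog set to the same value in the 5000 to 20000 range (the listen backlog haproxy asks for is capped at somaxconn, which is why both matter), and tcp_synack_retries = 2, which the sysctl.conf posted in #10 already has. Two caveats a practitioner would want: the tarpit only helps while the uplink itself is not saturated, as Willy says; and if you instead try the kernel-level drop asked for in #8 with an iptables string match on "GET /rss/test.xml", use REJECT with a TCP reset rather than DROP, because the handshake has already completed by the time the request line arrives and a silent DROP leaves Apache holding an accepted connection until its Timeout expires.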

  20. #20  SitePoint Member (joined Nov 2007, 17 posts)
    Hi Willy,

    Thanks for the wonderful tip. Will work on this to see what good luck it can bring.

    Regarding HAProxy, is it hardware?

    Sam

  21. #21
    SitePoint Wizard silver trophy kyberfabrikken's Avatar
    Join Date
    Jun 2004
    Location
    Copenhagen, Denmark
    Posts
    6,157
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by phpfreek View Post
    Regarding HA Proxy, is it a hardware??
    http://haproxy.1wt.eu/

