Brute Force SYN Attack – Thousands Of Requests A Second


Php Freek
Forum Newbie
Posts: 10
Joined: Sat Nov 03, 2007 12:06 am

Re: Brute Force SYN Attack – Thousands Of Requests A Second

Post by Php Freek »

Hi,

Tried all the rules for IP tables. :banghead: Not working, buddy.

Anything to check from a hacking point of view, or any virus or malware scanning?

Just a few more directions to think of, as all these things we have and we are trying. Any suggestions on this?

Sam
Php Freek
Forum Newbie
Posts: 10
Joined: Sat Nov 03, 2007 12:06 am

Re: Brute Force SYN Attack – Thousands Of Requests A Second

Post by Php Freek »

Hi,

Does anyone have an idea regarding a firewall which drops requests at the entry point for a specific URL request? Currently what we have tried is IP- and pattern-based only, to slow down the attack; however, they are being smarter and keep generating a new bunch of IP addresses.

Sam
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Brute Force SYN Attack – Thousands Of Requests A Second

Post by VladSun »

Php Freek wrote:Hi,

Does anyone have an idea regarding a firewall which drops requests at the entry point for a specific URL request? Currently what we have tried is IP- and pattern-based only, to slow down the attack; however, they are being smarter and keep generating a new bunch of IP addresses.

Sam
VladSun wrote:

Code:

iptables -N WWW
iptables -A INPUT -p tcp --dport 80 -j WWW
iptables -A WWW -p tcp -m recent --name WWWDDOS --update --seconds 3600 -j DROP
iptables -A WWW -p tcp -m string --string "attackedfilename.xml" -m recent --name WWWDDOS --set -j DROP

That will drop for at least 1 hour *ANY* port 80 TCP/IP packets coming from users who have requested "attackedfilename.xml" in their previous requests.
After that, they should keep port 80 TCP/IP "silence" for one hour in order to have any access to port 80 on this server.
Did you try this one?


Php Freek wrote:Tried all the rules for IP tables. :banghead: Not working buddy.
What does "Not working" mean? I've tried it and it works.
There are 10 types of people in this world, those who understand binary and those who don't
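
The behaviour of the two `recent` rules quoted above, modelled in Python as an added example (not code posted by anyone in this thread). The class and function names are illustrative, the traffic is constructed, and the list capacity of 100 is an assumption taken from the default `ip_list_tot` of the `recent` match.

```python
from collections import OrderedDict

BLOCK_SECONDS = 3600               # --seconds 3600 in the quoted rules
MARKER = b"attackedfilename.xml"   # --string in the quoted rules

class RecentList:
    """Simplified model of one xt_recent list (WWWDDOS), keyed by source IP."""
    def __init__(self, capacity=100):  # assumption: default ip_list_tot of 100
        self.capacity = capacity
        self.seen = OrderedDict()      # source IP -> last-seen time, oldest first

    def update(self, src, now):
        """--update --seconds N: match if seen within N seconds, then refresh."""
        last = self.seen.get(src)
        if last is None or now - last > BLOCK_SECONDS:
            return False
        self.seen[src] = now
        self.seen.move_to_end(src)
        return True

    def set(self, src, now):
        """--set: record the source, evicting the oldest entry when full."""
        if src not in self.seen and len(self.seen) >= self.capacity:
            self.seen.popitem(last=False)
        self.seen[src] = now
        self.seen.move_to_end(src)

def www_chain(recent, src, payload, now):
    """Evaluate the WWW chain for one port-80 packet."""
    if recent.update(src, now):        # rule 1: source flagged in the last hour
        return "DROP"
    if MARKER in payload:              # rule 2: packet contains the string
        recent.set(src, now)
        return "DROP"
    return "RETURN"                    # not dropped here; back to INPUT

def replay(packets, capacity=100):
    """Run (time, source, payload) tuples through a fresh list, in order."""
    recent = RecentList(capacity)
    return [www_chain(recent, src, data, t) for t, src, data in packets]

# Constructed sample traffic (documentation addresses, times in seconds).
SAMPLE = [
    (0, "198.51.100.7", b"GET /index.php HTTP/1.1"),
    (10, "198.51.100.7", b"GET /attackedfilename.xml HTTP/1.1"),
    (20, "198.51.100.7", b"GET /index.php HTTP/1.1"),
    (3500, "198.51.100.7", b"GET /index.php HTTP/1.1"),
    (7000, "198.51.100.7", b"GET /index.php HTTP/1.1"),   # within 1h of 3500
    (10700, "198.51.100.7", b"GET /index.php HTTP/1.1"),  # 3700 s of silence
]
```

`replay(SAMPLE)` shows that every dropped packet restarts the hour, so a flagged source is only let back in after a full hour of silence. Passing a small `capacity` shows the other limit: once more distinct sources are flagged than the list holds, the oldest ones are forgotten, which is why the list size (`ip_list_tot`) matters when the sources keep changing.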
Php Freek
Forum Newbie
Posts: 10
Joined: Sat Nov 03, 2007 12:06 am

Re: Brute Force SYN Attack – Thousands Of Requests A Second

Post by Php Freek »

Hi all,

Scanned the server with rootkit antispyware, no infection found. Regarding the firewall, put on BFD firewall over APF; still the requests are not going down.

Also, the IP table is getting full of new IPs and it is keeping the network and site slow. Please advise on next steps to improve the performance.

Sam
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Brute Force SYN Attack – Thousands Of Requests A Second

Post by VladSun »

Did you try my FW suggestion?

What do you mean by using "IP table"? What is "getting full"?
Take a look at
http://www.cromwell-intl.com/security/s ... ening.html
There are 10 types of people in this world, those who understand binary and those who don't
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Brute Force SYN Attack – Thousands Of Requests A Second

Post by kaisellgren »

This isn't the right place to talk about this. Strike up a conversation at http://www.webhostingtalk.com and I'm sure you will get a lot more help. Alternatively, you could try http://serverfault.com/. Good luck, you're gonna need it.