
Re: Brute Force SYN Attack – Thousands Of Requests A Second

Posted: Sat Jul 18, 2009 2:12 am
by Php Freek
Hi,

Tried all the rules for IP tables. :banghead: Not working, buddy.

Anything to check from a hacking point of view, or any virus or malware scanning?

Just a few more directions to think of, as all these things we have and we are trying. Any suggestions on this?

Sam

Re: Brute Force SYN Attack – Thousands Of Requests A Second

Posted: Mon Jul 20, 2009 12:26 am
by Php Freek
Hi,

Does anyone have an idea regarding a firewall which drops requests at the entry point for a specific URL request? Currently, what we have tried is IP- and pattern-based only, to slow down the attack; however, they are getting smarter and keep generating a new bunch of IP addresses.

Sam

Re: Brute Force SYN Attack – Thousands Of Requests A Second

Posted: Mon Jul 20, 2009 2:35 am
by VladSun
Php Freek wrote: Hi,

Does anyone have an idea regarding a firewall which drops requests at the entry point for a specific URL request? Currently, what we have tried is IP- and pattern-based only, to slow down the attack; however, they are getting smarter and keep generating a new bunch of IP addresses.

Sam
VladSun wrote:

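Code:

# Dedicated chain for all inbound HTTP traffic
iptables -N WWW
iptables -A INPUT -p tcp --dport 80 -j WWW
# Drop sources already on the WWWDDOS list if seen within the last hour (each match refreshes the timer)
iptables -A WWW -p tcp -m recent --name WWWDDOS --update --seconds 3600 -j DROP
# Add sources whose packet contains the attacked filename to the list and drop the packet
iptables -A WWW -p tcp -m string --algo bm --string "attackedfilename.xml" -m recent --name WWWDDOS --set -j DROP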
That will drop for at least 1 hour *ANY* port 80 TCP/IP packets coming from users who have requested "attackedfilename.xml" in their previous requests.
After that, they should keep port 80 TCP/IP "silence" for one hour in order to have any access to port 80 on this server.
Did you try this one?


Php Freek wrote: Tried all the rules for IP tables. :banghead: Not working, buddy.
What does "Not working" mean? I've tried it and it works.
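
An added example (not part of VladSun's post or the original thread): a small Python model of the two WWW-chain rules above, showing the one-hour "silence" behaviour of `--update` and what happens when more sources are listed than the `recent` list holds (default 100 entries). Class and function names are hypothetical, and all addresses and payloads are constructed.

```python
from collections import OrderedDict

class RecentList:
    """Simplified model of one `recent` list (WWWDDOS): source IP -> last-seen time."""
    def __init__(self, ip_list_tot=100):      # 100 = module default capacity
        self.cap = ip_list_tot
        self.seen = OrderedDict()             # oldest entry first

    def set(self, ip, now):
        """--set: add or refresh the source; evict the oldest entry when full."""
        if ip not in self.seen and len(self.seen) >= self.cap:
            self.seen.popitem(last=False)
        self.seen[ip] = now
        self.seen.move_to_end(ip)

    def update(self, ip, now, seconds):
        """--update --seconds N: match if seen within N s; a match refreshes the timer."""
        last = self.seen.get(ip)
        if last is None or now - last > seconds:
            return False
        self.seen[ip] = now
        self.seen.move_to_end(ip)
        return True

def www_chain(recent, src, payload, now, needle=b"attackedfilename.xml", seconds=3600):
    """Verdict for one port-80 packet traversing the two rules of the WWW chain."""
    if recent.update(src, now, seconds):      # rule 1: already listed -> DROP
        return "DROP"
    if needle in payload:                     # rule 2: string match -> list + DROP
        recent.set(src, now)
        return "DROP"
    return "ACCEPT"                           # assumption: INPUT accepts what falls through

BAD, OK = b"GET /attackedfilename.xml HTTP/1.1", b"GET /index.html HTTP/1.1"  # constructed

def silence_demo():
    """One source: listed at t=0, keeps sending, then stays quiet for 3601 s."""
    r = RecentList()
    return [www_chain(r, "192.0.2.1", p, t)
            for p, t in [(BAD, 0), (OK, 3000), (OK, 6500), (OK, 10101)]]

def rotation_demo(ip_list_tot):
    """101 constructed sources request the file once; is the first one still blocked?"""
    r = RecentList(ip_list_tot)
    for i in range(101):
        www_chain(r, f"198.51.100.{i}", BAD, now=i)
    return www_chain(r, "198.51.100.0", OK, now=200)

if __name__ == "__main__":
    print(silence_demo(), rotation_demo(100), rotation_demo(1000))
```

The list capacity is the `recent` module's `ip_list_tot` parameter, set when the module is loaded. The model keeps one timestamp per source, while the kernel module keeps several.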

Re: Brute Force SYN Attack – Thousands Of Requests A Second

Posted: Wed Jul 22, 2009 2:50 am
by Php Freek
Hi all,

Scanned the server with rootkit antispyware; no infection found. Regarding the firewall, put on BFD firewall over APF; still, requests are not going down.

Also, the IP table is getting full of new IPs and it is keeping the network and site slow. Please advise on next steps to improve the performance.

Sam

Re: Brute Force SYN Attack – Thousands Of Requests A Second

Posted: Wed Jul 22, 2009 3:47 am
by VladSun
Did you try my FW suggestion?

What do you mean by using "IP table"? What is "getting full"?
Take a look at
http://www.cromwell-intl.com/security/s ... ening.html

Re: Brute Force SYN Attack – Thousands Of Requests A Second

Posted: Sat Jul 25, 2009 3:31 am
by kaisellgren
This isn't the right place to talk about this. Strike up a conversation at http://www.webhostingtalk.com and I'm sure you will get a lot more help. Alternatively, you could try http://serverfault.com/. Good luck, you're gonna need it.