[Olug-list] Denial of Service attacks

Remco B. Brink remco@rc6.org
Mon, 11 Aug 2003 15:54:23 +0200


Hi there,

lately my machine has been under a couple of nasty DoS attacks, spiking
my traffic into places they shouldn't technically be able to get. Since
the attacks sometimes manage to take down my puny little P2/233 server,
I am of course very interested in stopping them.

There's a couple of ways I'm being shut down:

1. I'm seeing an insane amount of referrers hitting certain domains
running on my webserver. On one of my domains the referrer log looks
like this:

1 - 127482 - 43.97% - http://www.blackgirls.ws/
2 -  79367 - 27.37% - http://www.8thstreetlatinas.info/
3 -  25394 -  8.76% - http://www.black-women.org/
etc. etc.

2. I'm being hit quite nastily with synfloods. My iptables firewall does
its best to drop and throttle when possible, but I can imagine my Linux
box still having some problems handling the spikes.


All attacks are distributed, so blackholing a single IP or IP-range is
not really working that well. 

We've already tweaked Apache quite a bit, which did help the server
survive a bit but apparently not enough. We've tried mod_throttle, but
that only results in the server closing itself up when we're being hit
really bad (usually between 00:00 and 03:00).

Is there a way we can throttle connections more efficiently and not have
Apache bring down the server?

regards,
Remco

ps. Feel free to reply in Norwegian, I have no problems at all reading
    it but my written Norwegian is a bit below par to give the above
    explanation.

-- 
       Remco B. Brink -- IS Developer / CDTT -- Opera Software ASA
   Personal site at http://rc6.org - PGP key at http://rc6.org/rbb.pgp
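The referrer table in the post is the kind of summary a small script over the Apache access log can produce on its own, and it can also pick out the referrers that dominate traffic so they can be refused before Apache spends a worker on them. The following is an added example written for this list archive, not code from the original post or from the Opera project; the log lines are constructed, the referrer hostnames are placeholders, and the emitted httpd.conf fragment assumes the mod_setenvif and `Deny from env=` syntax of Apache 1.3/2.0 that was current at the time of the post.

```python
import re
from collections import Counter

# Apache "combined" log format; the referrer is the first quoted field
# after the status code and response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not from the original post); the referrer
# hostnames are placeholders and the client addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Aug/2003:01:12:03 +0200] "GET / HTTP/1.0" 200 512 "http://spam-a.example/" "Mozilla/4.0"
203.0.113.9 - - [11/Aug/2003:01:12:04 +0200] "GET / HTTP/1.0" 200 512 "http://spam-a.example/" "Mozilla/4.0"
198.51.100.2 - - [11/Aug/2003:01:12:04 +0200] "GET /index.html HTTP/1.1" 200 512 "http://spam-a.example/" "Mozilla/4.0"
198.51.100.7 - - [11/Aug/2003:01:12:05 +0200] "GET / HTTP/1.0" 200 512 "http://spam-b.example/" "Mozilla/4.0"
192.0.2.33 - - [11/Aug/2003:01:12:06 +0200] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
192.0.2.34 - - [11/Aug/2003:01:12:07 +0200] "GET / HTTP/1.1" 200 512 "http://spam-b.example/" "Mozilla/4.0"
bad line that does not parse
"""


def parse_lines(text):
    """Yield a dict per parseable combined-format line; junk lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def referrer_report(text):
    """Return [(referrer, hits, percent)] sorted by hits, like the table in the post."""
    counts = Counter(r['referrer'] for r in parse_lines(text))
    total = sum(counts.values())
    return [(ref, n, round(100.0 * n / total, 2)) for ref, n in counts.most_common()]


def flag_referrers(text, min_share=25.0, min_distinct_ips=2):
    """Referrers that carry at least min_share percent of all hits from at least
    min_distinct_ips client addresses. A single referrer dominating traffic from
    many sources is the distributed pattern described in the post; the empty
    referrer "-" is never flagged because ordinary visitors send it too."""
    ips_by_ref = {}
    for r in parse_lines(text):
        ips_by_ref.setdefault(r['referrer'], set()).add(r['ip'])
    flagged = []
    for ref, n, pct in referrer_report(text):
        if ref != '-' and pct >= min_share and len(ips_by_ref[ref]) >= min_distinct_ips:
            flagged.append(ref)
    return flagged


def apache_deny_block(flagged):
    """Emit an httpd.conf fragment that refuses requests carrying a flagged
    referrer. Assumed syntax: mod_setenvif's SetEnvIfNoCase plus mod_access's
    'Deny from env=' (Apache 1.3/2.0 style)."""
    lines = ['SetEnvIfNoCase Referer "^%s" badref' % re.escape(ref) for ref in flagged]
    lines += [
        '<Directory "/var/www/html">',  # placeholder DocumentRoot
        '  Order Allow,Deny',
        '  Allow from all',
        '  Deny from env=badref',
        '</Directory>',
    ]
    return '\n'.join(lines)


if __name__ == '__main__':
    for ref, n, pct in referrer_report(SAMPLE_LOG):
        print('%6d - %6.2f%% - %s' % (n, pct, ref))
    print(apache_deny_block(flag_referrers(SAMPLE_LOG)))
```

Rejecting by referrer only saves the work Apache would do serving the page; the TCP handshake and request parsing still happen, so it does not address the SYN floods mentioned in the post, which have to be handled at the kernel or firewall level.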