[Olug-list] Denial of Service attacks
Remco B. Brink
remco@rc6.org
Mon, 11 Aug 2003 15:54:23 +0200
Heisann,
lately my machine has been under a couple of nasty DoS attacks, spiking
my traffic into places they shouldn't technically be able to get. Since
the attacks sometimes manage to take down my puny little P2/233 server,
I am of course very interested in stopping them.
There's a couple of ways I'm being shut down:
1. I'm seeing an insane amount of referrers hitting certain domains
running on my webserver. On one of my domains the referrer log looks
like this:
1 - 127482 - 43.97% - http://www.blackgirls.ws/
2 - 79367 - 27.37% - http://www.8thstreetlatinas.info/
3 - 25394 - 8.76% - http://www.black-women.org/
etc. etc.
2. I'm being hit quite nastily with synfloods. My iptables firewall does
its best to drop and throttle when possible, but I can imagine my Linux
box still having some problems handling the spikes.
All attacks are distributed, so blackholing a single IP or IP-range is
not really working that well.
We've already tweaked Apache quite a bit, which did help the server
survive a bit but apparently not enough. We've tried mod_throttle, but
that only results in the server closing itself up when we're being hit
really bad (usually between 00:00 and 03:00).
Is there a way we can throttle connections more efficiently and not have
Apache bring down the server?
regards,
Remco
ps. Feel free to reply in Norwegian, I have no problems at all reading
it but my written Norwegian is a bit below par to give the above
explanation.
--
Remco B. Brink -- IS Developer / CDTT -- Opera Software ASA
Personal site at http://rc6.org - PGP key at http://rc6.org/rbb.pgp