Undergoing Denial of Service

Status
Not open for further replies.

DomainRealty

I'm a Coder
Mar 14, 2007
www.jrbcomputerservices.com
Here is a copy verbatim of a support ticket that I sent to ThePlanet after being in a 3-hour conversation with my support rep:

Master User - Sunday December 2nd, 2007; 1:45 AM CST
I have reason to believe that I am under a Denial of Service attack from the following IPs:

203.69.144.209
203.69.144.146
203.69.144.210

At the highest point, I had well over 200 connections from these IPs cumulatively. I have attempted to block them through iptables and, at the suggestion of a telephone support rep, through apf. None of these worked, and the script I was given to view the connections (/scripts/numberofips on my server) continued to show high volumes of connections from those same IPs. It has gotten to a point now where I have issued two reboot requests; each time, within 5 minutes of httpd initializing, the server crashes.
/scripts/numberofips is this:

[root@jrbcomputerservices scripts]# cat ./number*
netstat -atnp -A inet | grep ":80" | awk -F " " '{print $5} ' | awk -F ":" '{print $1}' | sort | uniq -c | sort -nr | head -9
[root@jrbcomputerservices scripts]# ./number*
8 203.69.144.210
8 203.69.144.209
7 203.69.144.146
2 62.129.129.174
2 61.213.157.172
1 88.198.51.8
1 61.213.158.94
1 61.213.158.183
1 58.18.179.154
Where do I go from here? The server appears to be stable without httpd enabled, yet everything goes to shit soon after enabling httpd.

Jason
 


First, we point out that 203.69.144.209 is owned by RIPE. They are NOT attacking you, they are simply checking for IP usage.

Second, we point out that 200 connections is far from an attack. The only reason this would affect you is because you were too damn lazy to set up your apache config properly. If that was 200 connections per second then we are starting to get into the realms of an attack, but you would still be way off. A correctly configured dedicated server should be handling 1,000+ connections/sec without taking it in the can.
 
Whois record for 203.69.144.209

Looks to me like it's owned by "Chunghwa Telecom Data Communication Business Group". And if they were checking for IP usage...since when does that take 12 hours?

Have any suggestions as to how the httpd.conf file should be set up to withstand this?

Also, I have no way of determining the size or content of the connections. It is quite possible that one connection (a buffer overflow, perhaps) would can a server, so who is to say that this isn't a 3-IP "botnet" of buffer overflows that, cumulatively, kill the server?

I'm just throwing out random ideas now due to desperation.

Jason
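As an added illustration (not code from this thread or from the poster's server): a Python version of the numberofips one-liner from the first post that also breaks the port-80 connections down by TCP state, so a pile of half-open SYN_RECV sockets, idle ESTABLISHED sockets and TIME_WAIT churn can be told apart when deciding what to tune or block. It reads `netstat -atn` output; the sample below is constructed, and the 203.0.113.x / 198.51.100.x addresses are documentation ranges, not the IPs in the thread.

```python
# Added example: parse `netstat -atn` output, count port-80 connections per
# peer IP broken down by TCP state, and flag IPs over a threshold.
# SAMPLE_NETSTAT is constructed test input, not real output from any server.
import re
from collections import Counter, defaultdict

SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             203.0.113.10:51234      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.10:51235      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.10:51236      SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.11:40001      ESTABLISHED
tcp        0      0 10.0.0.5:22             198.51.100.7:33000      ESTABLISHED
tcp        0      0 10.0.0.5:8080           203.0.113.12:44444      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.13:50000      TIME_WAIT
"""

# tcp/tcp6, Recv-Q, Send-Q, local ip:port, peer ip:port, state (no -p column)
LINE_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(\S+)$")

def parse_netstat(text, local_port=80):
    """Yield (peer_ip, state) for each TCP socket whose *local* port matches.
    Unlike grep ":80", this does not match :8080 or a peer's port 80."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header line or non-TCP row
        _local_ip, lport, peer_ip, _pport, state = m.groups()
        if int(lport) != local_port or state == "LISTEN":
            continue  # other services and the listening socket itself
        yield peer_ip, state

def connections_by_ip(text, local_port=80):
    """Return {peer_ip: Counter(state -> count)} for sockets on local_port."""
    per_ip = defaultdict(Counter)
    for ip, state in parse_netstat(text, local_port):
        per_ip[ip][state] += 1
    return per_ip

def over_threshold(per_ip, limit):
    """Peer IPs with more than `limit` connections in total, busiest first."""
    totals = {ip: sum(c.values()) for ip, c in per_ip.items()}
    return sorted((ip for ip, n in totals.items() if n > limit),
                  key=lambda ip: -totals[ip])

if __name__ == "__main__":
    stats = connections_by_ip(SAMPLE_NETSTAT)
    for ip in sorted(stats, key=lambda i: -sum(stats[i].values())):
        print(f"{sum(stats[ip].values()):4d} {ip:16s} {dict(stats[ip])}")
    print("over limit:", over_threshold(stats, 2))
```

On a live box, feed it `netstat -atn` output (e.g. via `subprocess.run(["netstat", "-atn"], capture_output=True, text=True).stdout`) instead of the constructed sample.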