LinuxQuestions.org
Old 03-07-2012, 06:35 AM   #1
packets
Member
 
Registered: Oct 2005
Posts: 280

Rep: Reputation: 30
http dos attack


I have a running Apache server and I notice that the load of the server is quite HIGH. I just discovered that there are lots of GET queries in the access log. It seems there are 5-10 GETs every second, and these come from different IP addresses. I tried iptables and added the following:

Code:
iptables -N syn_flood
iptables -A INPUT -p tcp --syn -j syn_flood
iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A syn_flood -j DROP

iptables -I INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -m recent --set -j ACCEPT
iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 -j DROP
This works, but access to Apache also slows down.

Any suggestions on this brute force attack?
 
Old 03-07-2012, 07:44 AM   #2
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776
It looks like from your iptables entries you are using two methods: connection rate limits and SYN packet limits. You really should try to find evidence of the exact mechanism being applied so that you can tailor your solution. Based on the idea that these are full-fledged GET requests, you might want to consider adding mod_evasive. See the following for a little more information: http://www.zdziarski.com/blog/?page_id=442
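
One way to gather the evidence asked for above, as an added example that is not part of the thread: a Python script that profiles an Apache access log and reports how much of the load comes from clients that a per-IP threshold would actually catch. The sample lines, the function names and the reuse of the 5-hits-in-60-seconds threshold from the iptables rules are assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Apache common/combined log prefix: client IP, timestamp, method and path.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')

def make_sample():
    """Constructed sample (documentation IPs, not data from the thread): one busy
    client, twelve clients sending a single request each, one normal visitor."""
    fmt = '{ip} - - [07/Mar/2012:06:30:{s:02d} +0000] "GET {p} HTTP/1.1" 200 512'
    lines = [fmt.format(ip="203.0.113.9", s=s, p="/index.php") for s in range(8)]
    lines += [fmt.format(ip=f"198.51.100.{i}", s=i % 4, p="/index.php") for i in range(1, 13)]
    lines.append(fmt.format(ip="192.0.2.50", s=5, p="/about.html"))
    return lines

def parse(lines):
    """Yield (ip, epoch_second, method, path); skip lines that do not match."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            yield m.group(1), int(ts.timestamp()), m.group(3), m.group(4)

def profile(lines, window=60, per_ip_limit=5):
    """Summarise request load and show how much of it a per-IP limit would cover.
    Uses fixed `window`-second buckets, a simplification of a sliding window."""
    per_second, per_ip_bucket, targets = Counter(), Counter(), Counter()
    for ip, ts, method, path in parse(lines):
        per_second[ts] += 1
        per_ip_bucket[(ip, ts // window)] += 1
        targets[(method, path)] += 1
    total = sum(per_second.values())
    # IPs that reach the threshold in at least one bucket.
    over = {ip for (ip, _), n in per_ip_bucket.items() if n >= per_ip_limit}
    from_over = sum(n for (ip, _), n in per_ip_bucket.items() if ip in over)
    return {
        "total": total,
        "distinct_ips": len({ip for ip, _ in per_ip_bucket}),
        "peak_per_second": max(per_second.values(), default=0),
        "over_limit_ips": sorted(over),
        "share_from_over_limit": round(from_over / total, 2) if total else 0.0,
        "top_target": targets.most_common(1)[0] if targets else None,
    }

if __name__ == "__main__":
    for key, value in profile(make_sample()).items():
        print(f"{key}: {value}")
```

A low `share_from_over_limit` means most requests come from sources that each stay under the threshold, so a per-IP limit covers only a small part of the load; a high value means a few addresses dominate and per-IP limiting addresses most of it.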
 
Old 03-07-2012, 07:46 AM   #3
packets
Member
 
Registered: Oct 2005
Posts: 280

Original Poster
Rep: Reputation: 30
@Noway2

After researching, I bumped into mod_evasive and will install it later.
 
  


All times are GMT -5.
