OK, that's cool and actually good to know, but that's not actually the direct result (nor the real intent) of such an attack.
Actually, the more I think about it, the more I'm leaning toward that being actually what happened with the OP. That makes more sense than the OP's explanation (or evidence). |
Quote:
Quote:
Quote:
|
Quote:
|
Quote:
Im not sure what to look into, but here it is. Chain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 11M 2387M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 5225 295K REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 reject-with tcp-reset 124 9850 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID 13011 741K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 0 0 DROP udp -- * * 99.248.145.194 0.0.0.0/0 0 0 DROP tcp -- * * 99.248.145.194 0.0.0.0/0 334 17400 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8443 3 148 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8880 1240K 65M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 91 4684 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 9 516 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 56 3128 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 1 64 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:587 2413 119K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 1 64 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:465 2893 145K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:110 1 64 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:995 1 64 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:143 1 64 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:993 2 128 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:106 2 128 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306 2 128 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5432 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9008 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9080 25318 1984K DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137 9145 2172K DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:138 21 1040 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139 99 4788 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1194 233K 11M ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 5 224 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 82 4990 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 code 0 117K 15M DROP all -- * * 0.0.0.0/0 0.0.0.0/0 Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 reject-with tcp-reset 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID 0 0 ACCEPT all -- lo lo 0.0.0.0/0 0.0.0.0/0 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 12M 11G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 3154 546K REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 reject-with tcp-reset 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID 13011 741K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0 245K 16M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 |
sorry for the double post..but just got another reply from tech suppport
Quote:
|
Okay, I managed to do the test via Wi-Fi. The test via Ethernet is pending (I don't have physical access yet and haven't found a cable). Keep in mind that I conducted this test with a link quality of only 62%, so I expect the victim (with full logging enabled) to receive a much bigger hammering on Ethernet.
Before the start of the attack (without any logging enabled): Code:
win32sux@toystore:~$ sudo iptables -nvL INPUT Code:
win32sux@toystore:~$ sudo iptables -nvL INPUT Code:
win32sux@toystore:~$ sudo iptables -nvL INPUT Code:
win32sux@toystore:~$ sudo iptables -nvL INPUT NOTES: The victim had a screensaver running during these tests. My TCP SYN queue on the victim box is set to 256, so when it's at 256 it's at denial-of-service (TCP SYN cookies weren't enabled during these tests). The service I attacked was SSH (22/TCP). Quote:
|
WOW! You went from less than a megabyte to 18-19mb within 3 minutes.
Excellent demonstration...I don't know if it can be explained any better than that. |
quite a big difference in the attack with the logs enabled though. 2.17 compared to 0.00.
So theres definately an increase. Maybe it was one of my mod_rewrites that was causing a loop. I forgot to mention..my site that was being attacked was a vBulletin forum (latest version) with vbSEO installed. |
Quote:
I think the answer from tech support explains the attack perfectly. In fact, yesterday while I was watching an IT humor video on YouTube I found a bunch of videos of kids running DoS scripts against various forum software. I'm sure a lot of that forum software is badly written and it's not too difficult to figure out which operations are expensive and will cause the server to do a lot of work for a relatively inexpensive request from a malicious client. |
you seem pretty cool and know your stuff.
Is there a popular free site / program out there that can do a Load Test and Security Scan on my site ? I just tried a free trial of Alertsite and canceled immediately before even getting the scan results. They automatically charge you after 30 day free trial...even if no credit card is on file. Stay away.. |
I usually use Nessus for quick & dirty security audits. If you run it against your own site, go ahead and use the "dangerous" tests (the ones that might crash the server) for maximum discovery. The results aren't perfect, because it only tests for well-known attacks, and they aren't always accurate because a lot of them simply compare version strings. Most OS vendors back-port security patches to earlier versions of software, so even if you have version 3.4.5 and the security fix didn't appear until 3.6.0, a lot of times your version will have the patch if you've been running updates. On the other hand, 3rd party forum software probably doesn't get updated with your OS, so that you would have to monitor manually and upgrade to new versions as they're released.
Using software written by amateurs is risky for this reason, and there's no fool-proof way to audit it. Large corporations spend tens to hundreds of thousands of dollars on outside auditors to pen-test their systems with targeted and many times home-grown attacks. There's no way you can get that level of assurance without spending that kind of money, so you're left with automated tools that are far less than perfect. |
Quote:
Nessus 3.2.1.1 is what came with the free download yesterday. How could there even be a 3.6.0? Do I have to purchase for that version or something? The only 2 scan policies I see available on the Nessus Client are "Default Scan Policy" and "Microsoft Patches" the "dangerous" tests sound interesting..how could I get? |
Quote:
|
But how do I get the "Dangerous" tests ?
|
I'd like to point out in a friendly way that this forum is called Linux Security, ergo talk of purchasing certain software, mentioning mcrsft vst installs, questions about "mcrsft ptchs" and anything mcrsft basically is not suited for this forum. If this thread no longer has a link to Linux Security, may I suggest creating a new thread in /General?
|
All times are GMT -5. The time now is 07:45 AM. |