[hobbit] Hobbit DDOS Attack Detection (submission)

Henrik Stoerner henrik at hswn.dk
Mon Jan 28 16:23:39 CET 2008


On Fri, Jan 25, 2008 at 01:59:08PM -0700, Charles Jones wrote:
> I had a hobbit-monitored site become the victim of a DDOS syn-flood attack. 
>  To help detect this in the future and also aid information-gathering, I 
> did the following [...]

Quite off-topic, but since this was on a Linux system you might want to
look into enabling syn-cookies on these servers.

   sysctl net.ipv4.tcp_syncookies=1

somewhere in a startup script will do that. It has no impact on the
system unless the SYN connection queue fills up.

There's a thread discussing this on the Red Hat mailing list:
http://www.redhat.com/archives/rhl-devel-list/2005-January/msg00447.html
but the discussion is generic to Linux in all versions.
Alan Cox (one of the main Linux kernel developers) also kills
some of the myths about this setting in
http://www.redhat.com/archives/rhl-devel-list/2005-January/msg00483.html


It won't help on the simple connection flooding (2000 active connections
to your webserver), but there are other ways of stopping that - e.g.
with Linux' built-in firewall (iptables):
http://www.debian-administration.org/articles/187
The example is for fending off SSH brute-force attacks, but the same
mechanism can be used for protecting webservers - although you will
probably want to raise the limits from the 3 connections/second that the
example allows.


Regards,
Henrik
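The two mitigations mentioned in the reply above (SYN cookies via sysctl, and iptables rate-limiting of new connections with raised limits for a web server), as an added example script that is not part of the original thread. Rule generation is kept separate from application so the rules can be reviewed without root; the sysctl.d path, the chosen limits and the rule names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread or the Xymon project.

# The sysctl setting that turns on SYN cookies; writing it to
# /etc/sysctl.d (assumed to exist) makes it survive a reboot.
syncookie_setting() {
    echo "net.ipv4.tcp_syncookies = 1"
}

# Emit iptables rules that limit NEW TCP connections to port $1 per
# source address: at most $3 new connections within $2 seconds, and no
# more than $4 concurrent connections from one address. The defaults
# are a starting point for a web server, well above the 4-hits-per-60s
# SSH limit in the linked article. Note that xt_recent caps --hitcount
# at its ip_pkt_list_tot module parameter (20 by default).
http_flood_rules() {
    port=${1:-80}; seconds=${2:-5}; hits=${3:-20}; conns=${4:-50}
    cat <<EOF
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m recent --name HTTP --set
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m recent --name HTTP --update --seconds $seconds --hitcount $hits -j DROP
iptables -A INPUT -p tcp --dport $port -m connlimit --connlimit-above $conns -j DROP
EOF
}

# Apply both settings on the running system; requires root.
apply_mitigations() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_mitigations: run as root" >&2; return 1; }
    syncookie_setting > /etc/sysctl.d/60-syncookies.conf
    sysctl -w net.ipv4.tcp_syncookies=1
    http_flood_rules "$@" | sh
}
```

Run `http_flood_rules 80 5 20 50` to inspect the rules before calling `apply_mitigations` with the same arguments.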