What kind of firewall do you have for your Hobbit? The firewall rules on my router detect these kinds of script kiddie attacks...<br><br><div><span class="gmail_quote">On 1/25/08, <b class="gmail_sendername">Charles Jones</b> <<a href="mailto:jonescr@cisco.com">jonescr@cisco.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
I had a hobbit-monitored site become the victim of a DDOS syn-flood<br>attack. To help detect this in the futrue and also aid<br>information-gathering, I did the following, which I am sharing:<br><br>1. Made the following additions to hobbit-clients.cfg<br>
# Detect more than 100 half-open connections (possible syn-flood attack)<br> PORT STATE=SYN_RECV MIN=0 MAX=100 COLOR=red TRACK="SYN"<br> # Detect more than 2000 established connections (possible simple DDOS<br>
http get attack)<br> PORT STATE=ESTABLISHED MIN=0 MAX=2000 COLOR=red<br><br>2. Made a small modification to hobbit-linux.sh, specifically to the<br>[ports] section. I crammed it all into a single line.<br> echo "[ports]"<br>
echo "SYN_REC Quick Stats:";SYNs=`netstat -pant 2>/dev/null | grep SYN<br>| awk -F: '{print $2;}' |awk {'print $2"\t"$1'}| sort | uniq -c |sort<br>-n`;if [ -n "$SYNs" ]; then echo " # Address Port";printf<br>
"$SYNs\n";echo =============================;else echo "No SYNs<br>Found";echo =============================;fi<br> # Bug in RedHat's netstat spews annoying error messages.<br> netstat -ant 2>/dev/null<br>
<br>#1 allows Hobbit to detect and alert for 2 common DDOS attack signatures<br>(syn floods and plain old http overloading), as well as creating graphs<br>via the "track" feature.<br><br>#2 prefixes the netstat output you see in the "ports" column with a<br>
table of IPs that have half-open connections. It shows the address, IP,<br>and what port they are "attacking". Here is an example (IPs and ports<br>masked of course):<br><br>SYN_REC Quick Stats:<br> # Address Port<br>
1 289.122.3.20 80<br> 1 <a href="http://213.102.135.60">213.102.135.60</a> 80<br> 1 <a href="http://200.120.152.6">200.120.152.6</a> 8080<br> 1 <a href="http://201.192.9.130">201.192.9.130</a> 443<br>
1 <a href="http://174.231.84.4">174.231.84.4</a> 443<br> 2 <a href="http://191.136.92.135">191.136.92.135</a> 80<br> 2 <a href="http://216.122.32.240">216.122.32.240</a> 8080<br>=============================<br>
<br>The prefixing of this data in the client message has no effect on the<br>Hobbit server, as it is only looking for the netstat output in the ports<br>section, and so ignores that extra data (but still displays it). So if<br>
the site gets a syn flood, you can check the ports column of your web<br>host(s) and easily see the offending IP(s) that are performing the<br>attack. Note that most "floodbots" are coded such that they spoof their<br>
IP addresses, so the information you gather may not actually help you<br>determine who is attacking, but is still useful for temporarily<br>firewalling or whatever other steps you need to take to block it.<br><br>Note: this works on RHEL, so should work on RedHat/CentOS/Fedora. I<br>
havn't checked to see if debian/ubuntu has the same netstat parameters I<br>used, so YMMV :)<br><br>-Charles<br><br>To unsubscribe from the hobbit list, send an e-mail to<br><a href="mailto:hobbit-unsubscribe@hswn.dk">hobbit-unsubscribe@hswn.dk</a><br>
<br><br></blockquote></div><br><br clear="all"><br>-- <br>Josh Luthman<br>Office: 937-552-2340<br>Direct: 937-552-2343<br>1100 Wayne St<br>Suite 1337<br>Troy, OH 45373<br><br>Those who don't understand UNIX are condemned to reinvent it, poorly.<br>
--- Henry Spencer