Deny of service attack

 
benoit Bruckert
Honored Contributor

Deny of service attack

Hi,
I currently have many requests on 2 of my HTTP servers which are not valid.
I mean that these requests are asking for nonexistent pages on several sites. There are HEAD, GET, POST and CONNECT requests from many IP addresses, and these requests are not for the same objects.
Of course, these requests are stopped on the server, but it spends some time sending back the "not found" page, and it's a load on the bandwidth!
I wonder if anyone has an idea, and what I can do against a Denial of Service attack!
This attack is also targeted, because I have other sites in different domains without these requests.
Has anyone already had this kind of thing?
And what can I do, because I can't stop all IPs at the firewall level?
A badly bandaged application ends up as a gauze factory (GHG)
5 REPLIES
Christopher Caldwell
Honored Contributor

Re: Deny of service attack

If you can locate the source via IP, you can filter (blackhole) that particular address space.

If your firewall supports IDS and active defenses, you should use your IDS to inject the blackhole route.

Most of the time, I tend not to worry about webserver probes on HP-UX boxen - the probes generally check for IIS vulnerabilities that just don't apply. The probes make for annoying log entries, but little else.
Oleg Zieaev_1
Regular Advisor

Re: Deny of service attack

Had a similar problem.
Resolved by relocating HTTP to another, non-standard port. Most of the probes try port 80 and, if there is a response, attack this port trying to find cmd.exe on my Unix box. I assume this is what you have.
- Relocate your web server to another port. Don't forget to update your domain to point to the new port.
Hope this helps.
-Oleg
Professionals will prevail ...
benoit Bruckert
Honored Contributor

Re: Deny of service attack

Hi Christopher,
I don't worry about the impact on the server. The trouble is bandwidth!
It's the same kind of attack as Nimda, but this one is targeted (attack on a few servers only).
I can't stop the IPs because it's always a new one!
A badly bandaged application ends up as a gauze factory (GHG)
benoit Bruckert
Honored Contributor

Re: Deny of service attack

Oleg,
And it's not Nimda or Code Red (cmd.exe), it's something else!
The web server is public; I don't think you can change in the DNS the port you are using for HTTP? If it's possible, how do you do it?
A badly bandaged application ends up as a gauze factory (GHG)
Ron Kinner
Honored Contributor

Re: Deny of service attack

http://isc.incidents.org/

may be of some help. Their top 10 list gives a recommended list of IPs to block. These are the worst offenders.

Also:
http://staff.washington.edu/dittrich/misc/ddos/

http://www.cisco.com/warp/public/707/newsflash.html

You should talk to your ISP. They may be able to help you. Also over here the FBI is investigating DDOS attacks a lot more since 9/11 so it might not hurt to call your local equivalent of the FBI (Interpol?) or just the local police.

Ron
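
An added example, not part of any post in this thread: before choosing between blackholing address space and escalating to the ISP, it helps to measure how the rejected requests are spread across sources. The sketch below assumes the server writes Common Log Format; the function name `summarize`, the thresholds and the sample lines (documentation address ranges) are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

# Constructed sample input, not taken from the thread.
SAMPLE = """
192.0.2.10 - - [01/Jan/2002:10:00:01 +0100] "GET /nosuchpage.html HTTP/1.0" 404 210
192.0.2.77 - - [01/Jan/2002:10:00:02 +0100] "HEAD /missing/a HTTP/1.0" 404 -
192.0.2.140 - - [01/Jan/2002:10:00:02 +0100] "POST /missing/b HTTP/1.0" 404 210
198.51.100.5 - - [01/Jan/2002:10:00:03 +0100] "CONNECT mail.example.net:25 HTTP/1.0" 405 -
203.0.113.9 - - [01/Jan/2002:10:00:04 +0100] "GET /index.html HTTP/1.0" 200 5120
198.51.100.5 - - [01/Jan/2002:10:00:05 +0100] "GET /nothere HTTP/1.0" 404 210
"""

def summarize(lines, prefix=24, min_hits=3):
    """Group rejected (4xx) requests by source network.

    Returns (networks, methods, singletons): networks maps each /prefix with
    at least min_hits rejected requests to (hits, distinct_sources); methods
    counts rejected requests per HTTP method; singletons is the number of
    source addresses that appear exactly once among rejected requests.
    """
    per_net, per_ip, methods = defaultdict(Counter), Counter(), Counter()
    for line in lines:
        m = CLF.match(line)
        if not m or not m.group(4).startswith("4"):
            continue  # unparseable line or request that was not rejected
        host, method = m.group(1), m.group(2)
        try:
            net = ipaddress.ip_network(f"{host}/{prefix}", strict=False)
        except ValueError:
            continue  # logged as a hostname rather than an address
        per_net[net][host] += 1
        per_ip[host] += 1
        methods[method] += 1
    networks = {str(n): (sum(c.values()), len(c))
                for n, c in per_net.items() if sum(c.values()) >= min_hits}
    singletons = sum(1 for hits in per_ip.values() if hits == 1)
    return networks, methods, singletons

if __name__ == "__main__":
    print(summarize(SAMPLE.splitlines()))
```

A few networks carrying most of the hits points toward a range filter; a long tail of single-use addresses means per-address blocking will not keep up and upstream filtering at the ISP is the realistic option.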