quetwo (That VoIP Guy, Premium, join: 2004-09-04, East Lansing, MI):
Should have seen it coming... I guess the network admins or security folks didn't go to DefCon, where they showed everybody how to do this really simple DOS attack. Pretty much it boils down to: one Linux machine can take down one web server, regardless of bandwidth.
knightmb (Everybody Lies, join: 2003-12-01, Franklin, TN):
Yeah, it's Slowloris, and it's real easy to guard against. Limit your TCP connections from the usual default of 2.5 hours to something a little better, like 300 seconds.
Slowloris works on the principle that web servers are "nice" and will keep your connections open for you, except it just sends data at around 1 bps so that the web server keeps it open, then it just opens another connection and then another, eventually just filling up all 65535 connections.
Another easy way to prevent this: don't allow unlimited connection sessions from a single IP.
-- Fight Insight Ready (Was NebuAD) and the like: Click Here to pollute their data
patcat88 (join: 2002-04-05, Jamaica, NY, kudos: 1):
said by knightmb: Another easy way to prevent this, don't allow unlimited connection sessions from a single IP
What about ISPs in countries that weren't well endowed with IPs, where the major ISPs all NAT 1000s or 10000s of users behind 1 IP? What about AOL users behind the AOL proxy?
knightmb (Everybody Lies, join: 2003-12-01, Franklin, TN):
said by patcat88: What about ISPs in countries that weren't well endowed with IPs, where the major ISPs all NAT 1000s or 10000s of users behind 1 IP? What about AOL users behind the AOL proxy?
Tough love, I'm afraid. The key word is no "unlimited" sessions; even allowing 1,000 would allow all of these people to use it and still keep your web server from drowning in slow connections.
The worst that would happen is people from that ISP would be unable to connect; at least then the firewall logs would reveal where the attack is coming from.
-- Fight Insight Ready (Was NebuAD) and the like: Click Here to pollute their data
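The two limits knightmb describes (an idle timeout in place of the long default, and a per-IP cap such as 1,000 that still leaves a NAT'd ISP usable) can be modelled as a connection-table guard. This is an added example written for this thread, not code from any poster or web server; the 65535-entry table and the 300-second and 1,000-connection figures come from the posts above, and the client address and trickle workload are constructed for the simulation.

```python
from dataclasses import dataclass

SERVER_CAPACITY = 65535  # the thread's figure for the table a slow client tries to fill

@dataclass
class Conn:
    ip: str
    last_activity: float  # seconds since the simulation started

class ConnectionGuard:
    def __init__(self, idle_timeout, per_ip_limit, capacity=SERVER_CAPACITY):
        self.idle_timeout, self.per_ip_limit, self.capacity = idle_timeout, per_ip_limit, capacity
        self.conns = {}    # connection id -> Conn
        self.per_ip = {}   # ip -> number of currently open connections
        self.next_id = 0
        self.rejected = 0

    def open(self, ip, now):
        """Admit a connection unless this IP is at its cap or the whole table is full."""
        if self.per_ip.get(ip, 0) >= self.per_ip_limit or len(self.conns) >= self.capacity:
            self.rejected += 1
            return None
        cid, self.next_id = self.next_id, self.next_id + 1
        self.conns[cid] = Conn(ip, now)
        self.per_ip[ip] = self.per_ip.get(ip, 0) + 1
        return cid

    def touch(self, cid, now):
        """Record that bytes arrived on cid; a client trickling 1 bps does exactly this."""
        self.conns[cid].last_activity = now

    def reap(self, now):
        """Close every connection silent for longer than idle_timeout; return how many."""
        stale = [cid for cid, c in self.conns.items() if now - c.last_activity > self.idle_timeout]
        for cid in stale:
            self.per_ip[self.conns.pop(cid).ip] -= 1
        return len(stale)

def run_scenario(idle_timeout, per_ip_limit, n_conns, trickle_interval, rounds=3):
    """Constructed workload: one address opens n_conns connections at t=0, then sends a
    byte on each surviving one every trickle_interval seconds. Returns the table's state."""
    guard = ConnectionGuard(idle_timeout, per_ip_limit)
    for _ in range(n_conns):
        guard.open("198.51.100.7", 0.0)  # documentation-range address, constructed
    accepted = len(guard.conns)
    for k in range(1, rounds + 1):
        now = k * trickle_interval
        guard.reap(now)
        for cid in list(guard.conns):
            guard.touch(cid, now)
    return {"accepted": accepted, "rejected": guard.rejected, "still_open": len(guard.conns)}
```

With the 2.5-hour timeout and no per-IP cap, one address fills all 65535 slots and keeps them; with a 300-second timeout and a cap of 1,000, the same address holds at most 1,000 slots, and only while it keeps trickling faster than the timeout.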
(reply to quetwo):
The funny part is Facebook got hit with the same attack but, thanks to the Akamai network, survived with little to no slowdowns.
Seems some admins don't know how to limit connections to 60 seconds and only allow 4 connections per IP.
-- "It's always funny until someone gets hurt......and then it's absolutely friggin' hysterical!"
(reply to quetwo):
said by quetwo: I guess the network admins or security folks didn't go to DefCon where they showed everybody how to do this really simple DOS attack. Pretty much it boils down to one linux machine can take down one web server, regardless of bandwidth.
If the machine's IP or IPs get firewalled (or all their subnets, which you can get from their AS number), then no one machine is going to take down a web server for very long before it gets firewalled. If they are spoofing IPs, then you just:
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
Problem solved...
-- 100mb/100mb OCN fiber connection for $50/month. YAY!