[nsp-sec] Small DoS attack towards 193.227.124.3, 80/TCP
Florian Weimer
fweimer at bfk.de
Mon Oct 5 07:38:40 EDT 2009
Hi,
the attack to 193.227.124.3, port 80/TCP, began around
2009-10-04T05:30 (all the timestamps are GMT/UTC+0000) and started to
recede around 2009-10-04T16:30. Some requests which appear to be
related are still trickling in.
This was a very low-bandwidth attack, and the TCP three-way handshake
was completed, so no blind source address spoofing was involved. The
attack apparently took all Apache connection slots, and it exploited
the keepalive handling, not kernel TCP state leaks. (I know how to
work around that, but I don't know if this is a good idea.)
Nevertheless, there were 63,043 IP addresses involved that made it to
the web server.
The attached file shows the timestamp of the last observed hit for
each IP address we consider a participant in the attack. These hosts
sent "GET / HTTP/1.1" requests, with a generic "Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1; SV1)" user agent. This web
server is generally very low-traffic, but to avoid false positives, I
removed all hosts which sent any other request to the server (e.g.,
for images, or a request with a Referer: header), but some chance of
false positives remains.
Florian
--
Florian Weimer <fweimer at bfk.de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 193227124003-20091004.txt
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20091005/0fa02104/attachment-0001.txt>
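The filtering rule described in the post (keep hosts that only ever sent the bare "GET / HTTP/1.1" with the generic MSIE 6.0 user agent, drop any host that also requested something else or sent a Referer: header, and report the last observed hit per host) can be reproduced over an Apache combined-format access log. The script below is an added example, not Florian's code or the attached file; the log lines are constructed for illustration (client addresses from the 192.0.2.0/24 documentation range), and the function and variable names are the example's own.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# User agent string quoted in the post.
ATTACK_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
SIGNATURE_REQUEST = "GET / HTTP/1.1"

# Apache "combined" log format: ip ident user [ts] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (not from the original post).
SAMPLE_LOG = """\
192.0.2.10 - - [04/Oct/2009:05:31:02 +0000] "GET / HTTP/1.1" 200 1432 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
192.0.2.10 - - [04/Oct/2009:09:12:45 +0000] "GET / HTTP/1.1" 200 1432 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
192.0.2.11 - - [04/Oct/2009:06:00:10 +0000] "GET / HTTP/1.1" 200 1432 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
192.0.2.11 - - [04/Oct/2009:06:00:11 +0000] "GET /logo.png HTTP/1.1" 200 5120 "http://www.example.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
192.0.2.12 - - [04/Oct/2009:07:15:00 +0000] "GET / HTTP/1.1" 200 1432 "http://www.example.com/page" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
192.0.2.13 - - [04/Oct/2009:08:20:33 +0000] "GET / HTTP/1.1" 200 1432 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.5"
192.0.2.14 - - [04/Oct/2009:16:25:40 +0000] "GET / HTTP/1.1" 200 1432 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def classify(log_text, target_ua=ATTACK_UA):
    """Split client IPs into suspected participants and excluded hosts.

    A host counts as a participant only if every request it made was the
    bare signature request with the target user agent and no Referer.
    Any other request (an image, a different UA, a Referer) excludes it,
    which trades recall for a lower false-positive rate, as the post does.
    Returns (participants: ip -> last hit as UTC ISO string,
             excluded: ip -> reason for exclusion).
    """
    last_seen = {}
    signature_hits = defaultdict(int)
    reasons = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash on them
        ip, ts = rec["ip"], rec["ts"]
        if ip not in last_seen or ts > last_seen[ip]:
            last_seen[ip] = ts
        if rec["req"] != SIGNATURE_REQUEST:
            reasons[ip] = "other request: " + rec["req"]
        elif rec["referer"] != "-":
            reasons[ip] = "Referer header present"
        elif rec["ua"] != target_ua:
            reasons[ip] = "other user agent"
        else:
            signature_hits[ip] += 1

    participants, excluded = {}, {}
    for ip, ts in last_seen.items():
        if ip in reasons:
            excluded[ip] = reasons[ip]
        elif signature_hits[ip] > 0:
            participants[ip] = ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return participants, excluded


def report(participants):
    """Render the participant list as 'last-hit ip' lines, oldest first."""
    return [f"{ts} {ip}" for ip, ts in sorted(participants.items(), key=lambda kv: kv[1])]


if __name__ == "__main__":
    found, dropped = classify(SAMPLE_LOG)
    print("\n".join(report(found)))
    for ip, why in sorted(dropped.items()):
        print(f"excluded {ip}: {why}")
```

On the constructed log, 192.0.2.10 and 192.0.2.14 are reported as participants; 192.0.2.11 is dropped because it also fetched an image, 192.0.2.12 because it sent a Referer, and 192.0.2.13 because its user agent differs. The exclusion reasons are kept so that borderline hosts can be reviewed by hand, since, as the post notes, some chance of false positives remains even after this filtering.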