Re: [cobalt-users] how to stop dos attacks
- Subject: Re: [cobalt-users] how to stop dos attacks
- From: "Rick Ewart" <cobalt@xxxxxxxxx>
- Date: Tue May 28 09:56:58 2002
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
Paul wrote:
> Check out http://www.cymru.com/~robt/Docs/Articles/ip-stack-tuning.html on
> how one can stop dos attacks for the most part..
> I also had my upstream install a custom ACL on the port(s) going to my
> boxes.
Hey Paul.
Well, as a recent victim of DoS attacks, I became quite experienced with
them... I had a situation where I got hit about a dozen times over the
course of three weeks. I gave the page above a quick read and I was
actually doing everything they recommend on my RaQ4. In the data center, the
only machines that appeared to be having these problems were the Cobalts.
It appears that the RaQs just weren't that hard to take out, as compared to
more robust systems. The first time it happened, I was sitting in front of
my PC doing stuff and all of a sudden the machine was just gone. A reboot
fixed the problem, but I was freaked out about what could have possibly
caused the crash. I spent a lot of time going through the logs and such and
couldn't find anything. The RaQ appeared to be functioning fine - active
monitor and all. It was as if someone had just snipped the patch cable
connecting the box to the Net. After the second or third I started to wise
up, although I never did find any concrete evidence of what was doing it.
I played with a few scripts that watched for incoming SYNs and firewalled
the IPs for a while. While the concept was good and it worked once or twice,
it was functionally useless against a DDoS. One thing I did learn though was
that they were taking out my box in under 5 seconds. Yup - 5 seconds. I know
this as this was the delay I had running to find the "bad guys".
I ended up getting a full colo space and putting in a hardware firewall that
cost more than the stupid RaQ. Of course I now have a robust setup that
allows me to manage the whole thing through the second NIC (via a VPN), have
room for expansion, and better access/control over my stuff, but it seemed
the only way to solve my problem.
After I moved into my colo, behind my firewall, I logged a series of packets
that were definitely malicious - I think maybe they were the cause... It was
a packet being sent to port 110 (POP3), with a source of 0.0.0.0 and a
spoofed MAC address (it isn't registered in the MAC databases). I was surprised
that my data center would allow such a source address into the data center
in the first place, unless it came from inside.
Anyhow, I figured I would share my story as I had all the stuff they list
and it really didn't help me at all.
FYI - if we had the ability to use iptables, SYN flood attacks would be a
moot issue, for the most part, as they apparently provide protection against
them. That is probably why the other machines in the data center didn't get
hit - they all probably have the newer kernels.
Take care.
Rick
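The script Rick describes (watch incoming SYNs, firewall the offending
IPs) and the 0.0.0.0 source he later logged can both be modelled in a few
lines. The block below is an added example written for this archive page;
it is not code from the cobalt-users thread, from Rick, or from Sun/Cobalt.
It runs a per-source SYN threshold of the kind his script used over
constructed packet records, drops any packet whose source falls in an
assumed bogon list (0.0.0.0/8 covers the packet he saw), and also tracks the
aggregate SYN rate, which is the number a per-source rule never sees. The
thresholds, the bogon list and every packet record are assumptions chosen
for the illustration, not measurements from his data center.

```python
"""Toy SYN-flood watcher. Added example for the cobalt-users post above;
not the poster's script and not Cobalt code. All packets are constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Source ranges that should never arrive from the Internet. Assumed list;
# 0.0.0.0/8 is the one that matches the packet described in the post.
BOGON_NETS = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

SYN, ACK = 0x02, 0x10  # TCP flag bits


def is_bogon_source(src: str) -> bool:
    """True if the source address belongs to a range we should drop outright."""
    addr = ip_address(src)
    return any(addr in net for net in BOGON_NETS)


def _max_in_window(times, window):
    """Largest number of events that fall inside any `window`-second span."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(packets, window=5.0, per_source_limit=20, aggregate_limit=100):
    """packets: iterable of (time_s, src_ip, dst_port, tcp_flags).

    Returns the sources a per-source rule would firewall, the bogon sources,
    and the aggregate SYN rate that per-source blocking cannot act on.
    Thresholds are assumed values for the illustration."""
    syn_times_by_src = defaultdict(list)
    all_syn_times = []
    bogons = set()
    for t, src, _port, flags in packets:
        if is_bogon_source(src):
            bogons.add(src)          # drop unconditionally, do not even count it
            continue
        if flags & SYN and not flags & ACK:   # bare SYN, i.e. a new connection attempt
            syn_times_by_src[src].append(t)
            all_syn_times.append(t)
    blocked = {s for s, ts in syn_times_by_src.items()
               if _max_in_window(ts, window) > per_source_limit}
    peak = _max_in_window(all_syn_times, window)
    return {
        "bogon_sources": bogons,
        "blocked_sources": blocked,
        "peak_syns_per_window": peak,
        "aggregate_flood": peak > aggregate_limit,
        "distinct_syn_sources": len(syn_times_by_src),
    }


def build_sample_packets():
    """Constructed traffic, not a capture: a normal client, one noisy host,
    a spoofed distributed flood, and the 0.0.0.0 -> port 110 packet."""
    pkts = []
    # 1) legitimate client: 10 SYN/ACK pairs to port 80 spread over 20 s
    pkts += [(2.0 * i, "198.51.100.7", 80, SYN) for i in range(10)]
    pkts += [(2.0 * i + 0.1, "198.51.100.7", 80, ACK) for i in range(10)]
    # 2) one source sending 60 SYNs in 2 s: the per-source rule catches this
    pkts += [(30.0 + 2.0 * i / 60, "203.0.113.9", 80, SYN) for i in range(60)]
    # 3) 400 SYNs from 400 different (spoofed) sources in 3 s: one SYN each,
    #    so no source ever crosses the per-source threshold
    pkts += [(50.0 + 3.0 * i / 400,
              f"{20 + i // 250}.{(i * 37) % 250 + 1}.{(i * 11) % 250 + 1}.{i % 250 + 1}",
              80, SYN) for i in range(400)]
    # 4) the packet from the post: source 0.0.0.0, destination POP3
    pkts.append((60.0, "0.0.0.0", 110, SYN))
    return pkts


SAMPLE_PACKETS = build_sample_packets()

if __name__ == "__main__":
    print(analyze(SAMPLE_PACKETS))
```

Run on the sample, the per-source rule blocks only 203.0.113.9, the bogon
check catches 0.0.0.0, and the distributed burst shows up solely in the
aggregate count (400 SYNs in the window from 402 distinct sources). That is
the shape of the failure in the post: a script that keys on individual
source addresses has nothing to block when each spoofed source sends a
single SYN, which is why the kernel-side defences alluded to at the end
(SYN cookies via net.ipv4.tcp_syncookies, or a rate limit on SYNs as a
whole rather than per source) are the ones that hold up under a DDoS.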