RE: [cobalt-users] Is this some kind of Denial Of Service Attack
- Subject: RE: [cobalt-users] Is this some kind of Denial Of Service Attack
- From: "Andy Brown" <andy.brown@xxxxxxxxxxxxx>
- Date: Tue Oct 22 07:55:01 2002
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
<snip>
>
> From a root prompt:
> /sbin/route add -host 62.194.130.53 reject
> Would take care of that IP.
</snip>
Just as an add-on to Dan and Dave's messages, it may be worthwhile installing ipchains and using ipchains to block the IP address, because of several factors:
1) If I remember correctly, sendmail doesn't use tcpwrappers, so adding to /etc/hosts.deny won't actually block the attempts, though it will stop them for ftp/pop3/imap or other services which are using tcpwrappers
2) Also the RaQ is still having to process part of the incoming connection to actually block it, so still capable of slowing the server down. This is true for the route and hosts.deny methods.
To install ipchains, it's a case of doing:
rpm -Uvh ftp://ftp.rpmfind.net/linux/redhat/6.2/en/os/i386/RedHat/RPMS/ipchains-1.3.9-5.i386.rpm
(As root via SSH that is)
Then to block an IP using ipchains:
/sbin/ipchains -I input -s 111.111.111.111 -j DENY
changing 111. etc to the source of the attacker (62.194.130.53 in this case)
This won't log the dropped packets, because that will generate a lot of unwanted logging, but if you wanted it enabled add a -l on the end of the /sbin/ipchains command.
Regards,
Andy
andy@xxxxxxxxxx
http://www.raqpak.com <-- Unofficial FAQs and PKGs