Subject: Distributed denial of service attacks.
To: None <tech-security@netbsd.org>
From: Stephen M Jones <smj@cirr.com>
List: tech-security
Date: 09/07/2001 11:27:39
Over the past week I've noticed a couple of hosts with 15000-17000
bytes waiting in the Send-Q .. they were all attached to port 80, but
for the most part weren't showing up in my apache logs and weren't really
causing too much of a lag.  I wrote an ipf rule for them and the lag went
away.  This morning I found 300+ similar listings all attached to port
80 so I made a list and shut down apache.  So, currently it's for sure we're
under an attack.  Bringing down apache definitely stops the flooding.  I've
been in situations like this before, but not under NetBSD.  Assuming that
most of these are spoofed IPs, writing firewall rules isn't going to
help .. or is it?  Does anyone have any thoughts on how to combat 
DoS/DDoS attacks or even tracing these with NetBSD?  I did try writing
firewall rules for the IPs that I did get hoping that a few of them might
be actual sources .. no luck there.  

smj
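The triage described in the message above (netstat showing connections to port 80 with large Send-Q values, then ipf rules written against the offending addresses), as an added example that is not part of the original post and is not NetBSD's own tooling: a POSIX sh script that reads "netstat -an" output on stdin, picks out the peers holding at least THRESHOLD bytes in Send-Q against local port 80, aggregates them per remote address, and prints one ipf block rule per peer. The interface name ex0, the 12000-byte threshold and the embedded netstat lines are all constructed for the example, not taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post): find the remote hosts holding
# large TCP Send-Q backlogs against local port 80 in NetBSD-style
# "netstat -an" output and emit one ipf block rule per host.
# ex0 and the 12000-byte threshold are assumptions made for this example.

THRESHOLD=12000
IFACE=ex0

# Constructed sample of "netstat -an" output in NetBSD's a.b.c.d.port layout
# (not a real capture).  The port-22 line with a big Send-Q must NOT be
# picked up: only local port 80 is of interest here.
SAMPLE='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0  16384  192.0.2.10.80          198.51.100.7.34567     ESTABLISHED
tcp        0  15800  192.0.2.10.80          198.51.100.7.34568     ESTABLISHED
tcp        0      0  192.0.2.10.80          198.51.100.9.40000     ESTABLISHED
tcp        0  17000  192.0.2.10.80          203.0.113.4.1025       ESTABLISHED
tcp        0  16000  192.0.2.10.22          203.0.113.5.2222       ESTABLISHED
tcp        0      0  *.80                   *.*                    LISTEN'

# Read netstat -an output on stdin.  For every TCP connection whose local
# address ends in ".80" and whose Send-Q is at or above THRESHOLD, strip the
# ".port" suffix from the foreign address and aggregate per remote IP.
# Output: "remote_ip connection_count total_sendq_bytes", largest backlog first.
flooding_peers() {
    awk -v thr="$THRESHOLD" '
        $1 == "tcp" && $4 ~ /\.80$/ && ($3 + 0) >= thr {
            ip = $5
            sub(/\.[^.]*$/, "", ip)   # drop the trailing ".port" (IPv4 only)
            conns[ip]++
            bytes[ip] += $3
        }
        END {
            for (ip in conns) print ip, conns[ip], bytes[ip]
        }' | sort -k3,3nr
}

# Turn the peer list into ipf.conf lines: a comment recording what was seen,
# then a quick block rule for that single host toward local port 80.
ipf_rules() {
    flooding_peers | awk -v ifc="$IFACE" '
        {
            printf "# %s: %d connection(s), %d bytes queued in Send-Q\n", $1, $2, $3
            printf "block in quick on %s proto tcp from %s/32 to any port = 80\n", ifc, $1
        }'
}

# Stand-alone run: in real use replace the sample with "netstat -an | ipf_rules".
printf '%s\n' "$SAMPLE" | ipf_rules
```

A caveat that matters for the spoofing question raised in the post: Send-Q only accumulates on a connection that has reached ESTABLISHED, and that state requires the peer to have completed the three-way handshake, i.e. to have received the SYN-ACK sent to the address shown. Addresses harvested this way are therefore reachable hosts (or hosts reached through a cooperating path), not blindly forged sources; a SYN flood from forged addresses looks different in netstat (entries stuck in SYN_RECEIVED with empty queues). The script assumes IPv4 addresses in NetBSD's dotted a.b.c.d.port form; IPv6 entries and other netstat layouts need a different address split.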