Subject: Re: Distributed denial of service attacks.
To: Stephen M Jones <smj@cirr.com>
From: Chris Jones <chris@cjones.org>
List: tech-security
Date: 09/07/2001 16:11:35

On Fri, Sep 07, 2001 at 05:04:51PM -0500, Stephen M Jones wrote:

> I've been running tcpdump without any webserver running just listening
> to connections.  I admit, it is difficult with a popular site to see what
> are legit and what aren't but while running apache there are no logs showing
> what files are being accessed (the only logged connections seem to be
> legitimate ones).  The IP addresses I've logged (currently 1,293 unique IPs)
> do not show up in the apache log files..

If your apache was compiled with -g, you could also use netstat to
find a connection with a big send-Q, then fstat to find the PID of the
corresponding apache process, then gdb to attach to that PID.  Once
you're there, you should be able to find out what URL was requested,
or what apache's state is.  It'd involve digging into apache source at
least a little bit, though...

> From the tcpdump which ran about 45 minutes, I was able to determine "top"
> requests sources:

Be careful about assuming these are "bad guys."  Many large ISPs have
web proxies, and this may be what you're seeing here.  Use ipw to see
who owns the busy IPs.

Chris

-- 
---------------------------------------------------- chris@cjones.org
Chris Jones                                          Mad scientist at large
  www.netbsd.org www.postgresql.org www.schemers.org www.python.org
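The netstat step Chris describes, as an added example that is not part of the original thread: pick out TCP sockets whose Send-Q is above a threshold and count them per remote host, which is the list you would then feed to fstat (for the PID) and to a whois lookup (to see whether a busy address is an ISP proxy). The `host.port` address format of NetBSD's `netstat -an` is assumed; the sample output is constructed.

```shell
# Constructed sample of `netstat -an` output (NetBSD style: address.port);
# not captured from the machine discussed in the thread.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0  45216  10.0.0.5.80            192.0.2.7.3456         ESTABLISHED
tcp        0      0  10.0.0.5.80            198.51.100.4.51002     ESTABLISHED
tcp        0  38120  10.0.0.5.80            192.0.2.7.3457         ESTABLISHED
tcp        0  16384  10.0.0.5.80            203.0.113.9.40001      FIN_WAIT_1
tcp        0      0  *.22                   *.*                    LISTEN'

# stalled_senders BYTES  (reads netstat -an output on stdin)
# Prints "remote_host count" for every remote host that owns at least one
# TCP socket with Send-Q larger than BYTES, busiest host first.
stalled_senders() {
    awk -v t="$1" '
        $1 == "tcp" && $3 > t {
            host = $5
            sub(/\.[0-9]+$/, "", host)   # drop the trailing .port
            n[host]++
        }
        END { for (h in n) print h, n[h] }' |
    sort -k2,2nr -k1,1
}

# Run the filter over the constructed sample with an 8 KiB threshold.
demo() {
    printf '%s\n' "$SAMPLE_NETSTAT" | stalled_senders 8192
}

demo
```

On a live system replace `demo` with `netstat -an | stalled_senders 8192`; a host that shows up repeatedly may still be a legitimate proxy, so check ownership before treating it as hostile.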
