Defending against a real DDoS attack: notes from the field

Source: Internet
Author: User

First round of attack:

Time: around 15:30

The company's web server suddenly became inaccessible. Attempts to telnet to it could not connect, so the IDC was asked to reboot the server. Logging in immediately after startup showed that the attack was continuing: all 230 Apache processes were busy. Because the server is old, with only 512 MB of memory, the system had started swapping and had ground to a halt. All httpd processes were killed, after which the server returned to normal and the load dropped from 140 back to its usual level.

Packet capture was started, but the traffic was very small; the attack seemed to have stopped, so httpd was started again and the system was normal. The httpd log showed attempts from scattered IPs to access login.php, a wrong URL: there is no login.php on this server. The other logs were basically normal, apart from `limit RST ...` and similar messages, which are expected given the very large number of connections during the attack.

After watching for 10 minutes, the attack stopped.

Second round of attack:

Time: 17:50

With the experience of the earlier attack, I kept watching the state of the web server. At exactly 17:50 the machine load rose sharply, so it was basically certain that another round of the attack had begun.

First I stopped httpd, since the machine had become unresponsive. Then I captured packets with `tcpdump -c 10000 -i em0 -n dst port 80 > /root/pkts` and found a large number of datagrams flooding in. Extracting the source IPs showed no highly concentrated addresses, so a DDoS was suspected. Next, the suspicious addresses filtered from the previous log were compared with the results of this capture, and many duplicate records were found.

Analysis:

This is not a simple DDoS: all the httpd processes had been started and had left log entries, and according to the capture record each address completed a full three-way handshake. So it was determined that all the attack sources were real, not spoofed IPs.

There were 265 such suspicious IPs, mostly foreign, mostly European, and especially Spanish. The company has very few customers in Europe, only Shing.

Measures taken:

All 265 IPs were added to the firewall and filtered, one rule per address, in the form `ipfw add deny tcp from % to me 80` (with `%` standing for each address); then httpd was restarted.
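To make the analysis and the mitigation concrete, the following is an added example written for this page, not the original author's commands. It replays the steps described above on constructed sample data: count client SYNs per source in `tcpdump -n` output, pull the addresses that probed the non-existent login.php out of the Apache access log, intersect the two lists, and emit the corresponding `ipfw add deny` rules. The tcpdump text layout, the Apache combined-log format, the documentation-range addresses and the SYN threshold are assumptions; the rules are printed for review rather than executed.

```shell
#!/bin/sh
# Added example, not the original author's commands. It replays the analysis in the
# post on constructed sample data: count SYNs per source in `tcpdump -n` output,
# extract the sources that probed the non-existent login.php from the Apache log,
# intersect the two lists, and print (not execute) the matching ipfw deny rules.
# Assumptions: modern tcpdump text format, Apache combined-log layout, addresses
# from the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24).

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# Constructed capture: 203.0.113.10 opens three connections, 198.51.100.7 two,
# 203.0.113.200 one. SYN-ACK and ACK lines are present and must be ignored.
cat > "$TMP/pkts" <<'EOF'
16:50:01.000001 IP 203.0.113.10.40001 > 192.0.2.1.80: Flags [S], seq 1, win 65535, length 0
16:50:01.000002 IP 192.0.2.1.80 > 203.0.113.10.40001: Flags [S.], seq 2, ack 2, win 65535, length 0
16:50:01.000003 IP 203.0.113.10.40001 > 192.0.2.1.80: Flags [.], ack 3, win 65535, length 0
16:50:01.000004 IP 203.0.113.10.40002 > 192.0.2.1.80: Flags [S], seq 1, win 65535, length 0
16:50:01.000005 IP 203.0.113.10.40003 > 192.0.2.1.80: Flags [S], seq 1, win 65535, length 0
16:50:01.000006 IP 198.51.100.7.51000 > 192.0.2.1.80: Flags [S], seq 1, win 65535, length 0
16:50:01.000007 IP 198.51.100.7.51001 > 192.0.2.1.80: Flags [S], seq 1, win 65535, length 0
16:50:01.000008 IP 203.0.113.200.3000 > 192.0.2.1.80: Flags [S], seq 1, win 65535, length 0
EOF

# Constructed Apache access log: the two noisy sources probe /login.php (404),
# the quiet one fetches a real page. A line here proves the handshake completed.
cat > "$TMP/access" <<'EOF'
203.0.113.10 - - [01/Jan/2010:16:50:01 +0800] "GET /login.php HTTP/1.1" 404 209
198.51.100.7 - - [01/Jan/2010:16:50:01 +0800] "GET /login.php HTTP/1.1" 404 209
203.0.113.200 - - [01/Jan/2010:16:50:02 +0800] "GET /index.html HTTP/1.1" 200 1024
EOF

# Print "count ip" for client SYNs (Flags [S] only), busiest source first.
# $1 = capture file in tcpdump -n text form.
syn_sources_from_pkts() {
    awk '$7 == "[S]," { sub(/\.[0-9]+$/, "", $3); print $3 }' "$1" \
        | LC_ALL=C sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Print the unique client addresses that requested /login.php.
# $1 = Apache access log in combined-log format.
probe_sources_from_log() {
    awk '$7 == "/login.php" { print $1 }' "$1" | LC_ALL=C sort -u
}

# Sources with at least $3 SYNs in the capture that also probed login.php.
# $1 = capture file, $2 = access log, $3 = SYN threshold.
confirmed_attackers() {
    syn_sources_from_pkts "$1" | awk -v min="$3" '$1 >= min { print $2 }' \
        | LC_ALL=C sort -u > "$TMP/syn.lst"
    probe_sources_from_log "$2" > "$TMP/probe.lst"
    comm -12 "$TMP/syn.lst" "$TMP/probe.lst"
}

# Turn a list of addresses (stdin) into the rule form used in the post; the
# rules are printed for review rather than run, so this needs no privileges.
generate_ipfw_rules() {
    while IFS= read -r ip; do
        printf 'ipfw add deny tcp from %s to me 80\n' "$ip"
    done
}

echo "SYNs per source:"
syn_sources_from_pkts "$TMP/pkts"
echo "Rules to apply:"
confirmed_attackers "$TMP/pkts" "$TMP/access" 2 | generate_ipfw_rules
```

The intersection with the access log is what carries the author's argument that the sources are real: Apache only writes a log line after a request arrives, which requires a completed three-way handshake, so a spoofed source can never appear there. The SYN threshold is a tuning knob; with a single-SYN threshold the legitimate client that fetched index.html would still be excluded, because it never probed login.php.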

After 3 hours of observation, the packet counters for all the ACLs in the ipfw list kept growing, but the company's web server was working properly.

At this point the attack is over for the time being; a later attack is not ruled out, but because the attacker is using real compromised hosts (zombies), and more than 300 zombies are rare, he will basically not be able to relaunch the attack in the short term.
