Dear Security team, I'm Kamolpat Pornatiwiwat, Sys admin of DMaccess Co., Ltd. I'm got the problem, My FreeBSD 6.0 got Dos attacked. What should I do? At the present, I decide to stop apache and leave only mail feature on functioning. Any guide/recommend/solution will be appreciated. More detail about my server: =====================FreeBSD 6.0 apache-1.3.34_4 php5-5.1.2_1 MySQL 5.0.20 php.ini =====;;;;;;;;;;;;;;;;;;; ; Resource Limits ; ;;;;;;;;;;;;;;;;;;; max_execution_time = 30 ; Maximum execution time of each script, in seconds max_input_time = 60 ; Maximum amount of time each script may spend parsing r memory_limit = 32M (at the beginning it is 8M, I change to 32MB since the cause of httpd-error.log, however, it still the error as the following showed on httpd-error.log FILE:/var/log/httpd-error.log ====================Allowed memory size of 33554432 bytes exhausted .... happend like this all over the log Thanks in Advanced, Kamolpat Pornatiwiwat, Sys admin DMaccess Co., Ltd.
Hi, I assume the DoS is coming from multiple machines all hitting you on port 80? If it's from a specific address or range of addresses you should use ipfw or pf to block it at a firewall level before it hits your machine. Is the DoS hitting one specific page or a whole bunch of different ones? Sadly there is very little you may be able to do but if you provide more information people on this list may be able to help you mitigate the threat slightly. Most importantly, you should also consider contacting your upstream providers so that they can take action. Cheers, Marc On Thu, Mar 6, 2008 at 12:58 PM, kamolpat@dmaccess.net < kamolpat@dmaccess.net> wrote:> Dear Security team, > > I'm Kamolpat Pornatiwiwat, Sys admin of DMaccess Co., Ltd. I'm got the > problem, My FreeBSD 6.0 got Dos attacked. What should I do? At the > present, I decide to stop apache and leave only mail feature on > functioning. Any guide/recommend/solution will be appreciated. > > More detail about my server: > =====================> FreeBSD 6.0 > apache-1.3.34_4 > php5-5.1.2_1 > MySQL 5.0.20 > > > php.ini > =====> ;;;;;;;;;;;;;;;;;;; > ; Resource Limits ; > ;;;;;;;;;;;;;;;;;;; > > max_execution_time = 30 ; Maximum execution time of each script, in > seconds > max_input_time = 60 ; Maximum amount of time each script may spend > parsing r > memory_limit = 32M (at the beginning it is 8M, I change to 32MB since > the cause of httpd-error.log, however, it still the error as the following > showed on httpd-error.log > > > FILE:/var/log/httpd-error.log > ====================> Allowed memory size of 33554432 bytes exhausted .... happend like this > all over the log > > Thanks in Advanced, > Kamolpat Pornatiwiwat, > Sys admin > DMaccess Co., Ltd. > > > > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org > " >-- Light up the Darkness. - Bob Marley
On 03/06/08 11:58, kamolpat@dmaccess.net wrote:> Dear Security team, > > I'm Kamolpat Pornatiwiwat, Sys admin of DMaccess Co., Ltd. I'm got the > problem, My FreeBSD 6.0 got Dos attacked. What should I do? At the > present, I decide to stop apache and leave only mail feature on > functioning. Any guide/recommend/solution will be appreciated. > > More detail about my server: > =====================> FreeBSD 6.0 apache-1.3.34_4 php5-5.1.2_1 MySQL 5.0.20 > > > php.ini > =====> ;;;;;;;;;;;;;;;;;;; > ; Resource Limits ; > ;;;;;;;;;;;;;;;;;;; > > max_execution_time = 30 ; Maximum execution time of each script, in > seconds > max_input_time = 60 ; Maximum amount of time each script may spend > parsing r > memory_limit = 32M (at the beginning it is 8M, I change to 32MB since > the cause of httpd-error.log, however, it still the error as the > following showed on httpd-error.log > > > FILE:/var/log/httpd-error.log > ====================> Allowed memory size of 33554432 bytes exhausted .... happend like this > all over the log > > Thanks in Advanced, > Kamolpat Pornatiwiwat, Sys admin DMaccess Co., Ltd.Kamolpat, without being a member of the secteam, I like to jump in here. ${subject} contains "DDoS" but I don't see any signs of a DDoS from what you're describing. Sure it might be a DoS attack but that needs carefully inspection of your log file (look for specially crafted URLs being requested). To me, exhausted memory situations are more likely looking like application problems (read as: bad code). With just that exhausted memory message given, it's guesswork to tell more but you may want to check PHP's bug database. BTW (not related to your problem), you might also want to consider migrating to Apache 2.x as support for Apache 1.3x will end soon, IIRC. Also FreeBSD 6.0 will be EOL'd in less then 3 months. If you still think it's DoS attack you're seeing, you should query upstream (either PHP or Apache folks) for help on that. Regards, Volker