
Just got DoSed

Mucman

Diamond Member
We have a /20 and had someone phone us threatening to DoS us because of some sort of conflict this person had with one of our websites. Not sure if it was a coincidence, but the next day (last night) we got DoSed big time.

It turned out it was a SYN attack going to port 80 on all of our webservers. The source IPs appeared to be forged, because our first action was to block the IP address. After about 20 minutes another attack would happen from another IP.

Unfortunately this was one of those things that was preventable. Hopefully someone will learn from my mistakes here and follow the advice here.

This DoS does not create a lot of bandwidth. Webserver requests will show 500 errors, and the server itself will not look like it is busy. Nothing will go in the Event Log, but a netstat will show all the hung TCP connections.
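Added example (not code from the original post): a small parser for Windows `netstat -an` output that counts half-open (SYN_RECEIVED) connections on port 80, total and per source address, over a constructed sample. It shows why blocking individual IPs did not help: with forged sources, no single address stands out, so the signal is the aggregate count of half-open connections. Thresholds are deliberately tiny to fit the sample and are assumptions.

```python
import re
from collections import Counter

# Constructed sample of `netstat -an` on a Windows web server during the event
# described above: many half-open connections to port 80 from forged, mostly
# distinct source addresses, plus a little normal traffic. Not real captures.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    203.0.113.10:80        198.51.100.7:40211     ESTABLISHED
  TCP    203.0.113.10:80        198.51.100.23:1025     SYN_RECEIVED
  TCP    203.0.113.10:80        198.51.100.24:1025     SYN_RECEIVED
  TCP    203.0.113.10:80        198.51.100.25:1025     SYN_RECEIVED
  TCP    203.0.113.10:80        198.51.100.26:1025     SYN_RECEIVED
  TCP    203.0.113.10:80        198.51.100.23:1026     SYN_RECEIVED
  TCP    203.0.113.10:443       192.0.2.44:51000       ESTABLISHED
  TCP    203.0.113.10:80        192.0.2.9:33001        TIME_WAIT
  UDP    0.0.0.0:161            *:*
"""

# One TCP row: proto, local ip:port, foreign ip:port, state.
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")

def parse_netstat(text):
    """Yield (local_ip, local_port, remote_ip, remote_port, state) for TCP rows."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            lip, lport, rip, rport, state = m.groups()
            yield lip, int(lport), rip, int(rport), state

def half_open_summary(text, port=80):
    """Return (total half-open connections on `port`, Counter per source IP)."""
    per_source = Counter()
    for _, lport, rip, _, state in parse_netstat(text):
        if lport == port and state == "SYN_RECEIVED":
            per_source[rip] += 1
    return sum(per_source.values()), per_source

def looks_like_syn_flood(text, port=80, total_threshold=4, per_source_threshold=3):
    """Flag the forged-source pattern: half-open connections pile up on the port
    while no single source reaches the per-IP threshold. Thresholds here are
    assumed values sized for the sample; on a real server use far larger ones."""
    total, per_source = half_open_summary(text, port)
    busiest = max(per_source.values(), default=0)
    return total >= total_threshold and busiest < per_source_threshold
```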
 

Don't screw around. Grab your logs and head over to the FBI. The internet wouldn't exist without hackers, but hackers like that are BS. Don't give him time to do it again. Even if they don't prosecute him they'll take his computer while they look it over.
 
spidey07 - Yup.

smilin - No FBI in Canada 🙂. We're going to try and discuss this with our upstream providers to see if the traffic is traceable. When I ran a packet sniffer all I could see were thousands of packets with no data destined to our webserver from some IP that is located in Germany. I emailed the abuse address listed in the 'whois' but have not received a response yet.

This addresses the half-open sockets:

According to the RFC, TCP must wait 4 minutes before reusing a connection; this ties up resources. Microsoft recommends a web server under load set this value to 1 minute. This can be done via the registry.

There was also an ICMP attack going on as well, but our access-lists blocked that one.
 
Mucman, a stateful firewall can rather easily defeat a SYNflood DoS simply by limiting the number of inbound SYN packets per minute from a given IP. It also would ease administration (it's one less thing you have to do any time you reload/bring up a system). If you have a firewall, it should be pretty easy to configure.
 
Originally posted by: chsh1ca
Mucman, a stateful firewall can rather easily defeat a SYNflood DoS simply by limiting the number of inbound SYN packets per minute from a given IP. It also would ease administration (it's one less thing you have to do any time you reload/bring up a system). If you have a firewall, it should be pretty easy to configure.

Yes, a stateful firewall would be the perfect solution, but not something we can implement easily. Our network looks like the following:

OC-3 -> Cisco 7200 VXR -> Cisco 2948G -> webservers

We have a Cisco 3600 with the Cisco firewall IOS doing NAT for the office computers and the internal network; the 7200 has a massive access-list which blocks almost all ports coming into our public network.


 
Originally posted by: Mucman
Originally posted by: chsh1ca
Mucman, a stateful firewall can rather easily defeat a SYNflood DoS simply by limiting the number of inbound SYN packets per minute from a given IP. It also would ease administration (it's one less thing you have to do any time you reload/bring up a system). If you have a firewall, it should be pretty easy to configure.

Yes, a stateful firewall would be the perfect solution, but not something we can implement easily. Our network looks like the following:

OC-3 -> Cisco 7200 VXR -> Cisco 2948G -> webservers

We have a Cisco 3600 with the Cisco firewall IOS doing NAT for the office computers and the internal network; the 7200 has a massive access-list which blocks almost all ports coming into our public network.

Actually, putting in a stateful firewall would be pretty simple. Connect it between your 7200 and the 2948 and you're good to go. Only one catch - you're looking at pretty big bucks. You need something like a PIX 525 with GigE ports. Not cheap!

Edit: While you're on the subject of security, go out and pick up a cheap PC to run Snort on. Even if you can't afford a full-on firewall, a good IDS will be of some assistance to you, and a good thing to have, in any case.

- G
 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

So no firewall? Time to get moving. You could slap one in during a maintenance window.

but then again according to chsh1ca's previous comments one doesn't need a firewall and should depend on good systems administration. 🙂

Garion - the 525s are very cheap, even in a failover scenario.
 
Garion, it would not be that simple. We provide Internet access to ~20 companies in our building. We cannot firewall them or else they will freak! One company already threatened to sue us because we blocked 1434 temporarily during the Slammer worm... The kicker is that when we turned off that restriction their stuff was still broken, because the ISP of the SQL Server they were trying to connect to was doing the same thing (it's actually a funny, and long, story though 🙂). I proposed running Snort a long time ago to my boss but he didn't buy into it. Sadly we are understaffed and don't have a real sysadmin. Technically that is my role, but try being a sysadmin when you have a 3 month programming project to do!!! Ugh...

spidey07, you've already given me flack regarding the firewall (recall a post going way back when we were hit by NIMDA). We deny all packets going below port 1024 except for those that are required (21, 80, 443, 25). It's not like our servers are wide open. Our access-list is hundreds of lines though. We are getting to the point where we will be implicitly denying any packets that don't get matched with an allow rule. You have to admit that's 10x better than no firewall. Again, I must point out that we are understaffed, and the admin (me) is stuck programming all day.

Blah... I should try not thinking about work when I am at home. I promised myself that I wouldn't worry about it when I should be enjoying some time off 😀.

Thanks for the tips though... I really do appreciate it 😀
 
Originally posted by: spidey07
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

So no firewall? Time to get moving. You could slap one in during a maintenance window.

but then again according to chsh1ca's previous comments one doesn't need a firewall and should depend on good systems administration. 🙂

Garion - the 525s are very cheap, even in a failover scenario.

Oh, yes - the 525 is an excellent box, and a great value. We've got literally hundreds of them at my company, and I've been involved in designing a lot of the networks that use them. Cisco did us a good thing with their low-cost failover box option. After all, a PIX is just a standard PC in a cool case with a few extra hardware mods. Very cheap to manufacture. Software is their "secret sauce".

Price is, however, always relative. What's small change for you and me (figure about $25-30K for a pair of loaded 525s) will be a very different story for a small ISP or colo.

- G
 
Originally posted by: Mucman
One company already threatened to sue us because we blocked 1434 temporarily during the Slammer worm...

Shouldn't that kind of stuff be running over a VPN anyway?
 
Originally posted by: ziplux
Originally posted by: Mucman
One company already threatened to sue us because we blocked 1434 temporarily during the Slammer worm...

Shouldn't that kind of stuff be running over a VPN anyway?

No, because we don't firewall our customers. The attacks had nothing to do with our own SQL Servers because ours are not connected to a public network... our customers have their own block of IP addresses. We do not configure their networks... they could have set up a VPN if they so desired.

 
Originally posted by: spidey07

but then again according to chsh1ca's previous comments one doesn't need a firewall and should depend on good systems administration. 🙂

Ahh, the clever misquote I see.

Well, on that note, according to you then, systems administration is useless. 🙂

 
Well, on that note, according to you then, systems administration is useless.
😉

I was wondering when you'd catch that comment. 🙂

I've actually DoS'd a few internal servers accidentally. Mistype an access control list to block outbound traffic of a server while inbound is fine... clients continually open sockets until the server is full.

DOH!
 
Just so long as we're clear on where we stand on things. 😀

Gotta love typos. A couple weeks back, I natted some internal traffic to a printer instead of the server (printer's IP was .17, server's was .7).

 