  1. #1
    Join Date
    Jan 2005
    Posts
    2,175

    * Urgent HELP: possible attack??

    I've noticed that a certain IP opened over 100 constant HTTP connections to the server. It seems that he/she is crawling every page of the forum; it's been going on for almost half an hour.

    I tried banning that IP through APF but the connections from the same IP keep coming in. Why is that?

    I typed:

    apf -d ipaddress
    apf -r
    apf -f

    I even restarted Iptables but to no avail.

  2. #2
    Join Date
    May 2002
    Location
    Moscow
    Posts
    1,490
    Check netstat -na | grep :80 | grep SYN
    If you see many SYN connections, try these scripts: http://www.lemuria.org/Software/iptables.html

    Don't forget to disable APF (the above scripts set simple but effective firewall rules for blocking SYN flood attacks).
    Last edited by rustelekom; 07-31-2005 at 11:24 PM.
    Rustelekom LLC Dedicated server since 2002, RIPE NCC member, LIR, AS51168

  3. #3
    Join Date
    Jan 2005
    Posts
    2,175
    It doesn't appear to be a SYN attack. I noticed many URLs of forum pages in "Apache Status"; it's trying to open many connections to crawl my forums on the server. I already have iptables installed.

    But why isn't that IP being blocked? It's so odd.

  4. #4
    Join Date
    May 2002
    Location
    Moscow
    Posts
    1,490
    Try blocking not 12.12.12.12 (this address is shown as an example only), but 12.12.0.0/16 (block by class B network address). Sometimes this may help.
    Rustelekom LLC Dedicated server since 2002, RIPE NCC member, LIR, AS51168
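
The netstat check from reply #2, extended to count port-80 connections per remote IP and TCP state, so that many SYN_RECV entries (a SYN flood) can be told apart from many ESTABLISHED connections from one address (the crawling described in #3). This is an added example, not part of the original thread; the function names and sample addresses are constructed, and the Linux netstat -na column layout is assumed.

```shell
#!/bin/sh
# Added example: summarise port-80 connections per remote IP and TCP state.
# Assumes Linux `netstat -na` columns:
#   proto recv-q send-q local-address foreign-address state

summarize_http_conns() {
    # Reads netstat output on stdin, prints "count ip state", busiest first.
    awk '
        $1 ~ /^tcp/ && $4 ~ /:80$/ && $6 != "LISTEN" {
            ip = $5
            sub(/:[0-9]+$/, "", ip)      # drop the remote port
            count[ip " " $6]++
        }
        END {
            for (k in count) print count[k], k
        }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample using documentation address ranges, not real capture data.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address       Foreign Address      State
tcp        0      0 0.0.0.0:80          0.0.0.0:*            LISTEN
tcp        0      0 192.0.2.10:80       203.0.113.5:40001    ESTABLISHED
tcp        0      0 192.0.2.10:80       203.0.113.5:40002    ESTABLISHED
tcp        0      0 192.0.2.10:80       203.0.113.5:40003    ESTABLISHED
tcp        0      0 192.0.2.10:80       203.0.113.5:40004    ESTABLISHED
tcp        0      0 192.0.2.10:80       203.0.113.5:40005    TIME_WAIT
tcp        0      0 192.0.2.10:80       198.51.100.7:51000   SYN_RECV
tcp        0      0 192.0.2.10:80       198.51.100.7:51001   SYN_RECV
tcp        0      0 192.0.2.10:80       198.51.100.9:33000   ESTABLISHED
tcp        0      0 192.0.2.10:22       198.51.100.9:33100   ESTABLISHED
tcp        0      0 192.0.2.10:8080     198.51.100.9:33200   ESTABLISHED
EOF
}

# Demo on the constructed sample; on a live host use:
#   netstat -na | summarize_http_conns | head
sample_netstat | summarize_http_conns
```

A high ESTABLISHED count for one address points to a client holding real HTTP sessions, while a high SYN_RECV count points to half-open connections.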
