  1. #1

    New type of DOS?

    One of my servers receives a barrage of attacks from a single IP about once per day. (See excerpt from logs below). It seems that they are using http to hit the server and the server sends a "408" error code.


    vi /usr/local/apache/logs/access_log
    -----------------
    61.129.81.37 - - [24/Oct/2002:16:58:29 -0400] "-" 408 -
    61.129.81.37 - - [24/Oct/2002:16:58:29 -0400] "-" 408 -
    61.129.81.37 - - [24/Oct/2002:16:58:29 -0400] "-" 408 -
    61.129.81.37 - - [24/Oct/2002:16:58:30 -0400] "-" 408 -
    61.129.81.37 - - [24/Oct/2002:16:58:30 -0400] "-" 408 -
    61.129.81.37 - - [24/Oct/2002:16:58:30 -0400] "-" 408 -
    61.129.81.37 - - [24/Oct/2002:16:58:30 -0400] "-" 408 -
    61.129.81.37 - - [24/Oct/2002:16:58:30 -0400] "-" 408 -
    61.129.81.37 - - [24/Oct/2002:16:58:31 -0400] "-" 408 -
    61.129.81.37 - - [24/Oct/2002:16:58:31 -0400] "-" 408 -
    61.129.81.37 - - [24/Oct/2002:16:58:31 -0400] "-" 408 -
    61.129.81.37 - - [24/Oct/2002:16:58:31 -0400] "-" 408 -
    61.129.81.37 - - [24/Oct/2002:16:58:31 -0400] "-" 408 -
    61.129.81.37 - - [24/Oct/2002:16:58:31 -0400] "-" 408 -
    61.129.81.37 - - [24/Oct/2002:16:58:32 -0400] "-" 408 -
    -----------------

    This causes hundreds of HTTP processes to be spawned and the server bogs down and the load average goes up.

    I know how to block this once I find it by doing a "null route". However, I don't even know what the hell this is. How is this ******* causing a "408" error? What is a 408 error?

    I've noticed a steady increase in this type of attack. If anyone has any info, please let me know. If I have more info, maybe I can defeat this loser.
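    A small detector for the pattern in the log excerpt above, added here as an example and not part of the original post. It assumes Apache's common log format (host, ident, authuser, [date], "request", status, bytes). The lines from 61.129.81.37 are the ones quoted above; the 10.x lines are constructed for contrast: one host producing a stray 408 every few seconds, which should not be flagged, and one ordinary 200 request. The threshold of more than four empty-request 408s within any one-second window is an assumption chosen to separate the burst shown above from occasional timeouts.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache common log format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)$'
)

# The 61.129.81.37 lines are the ones quoted in the post. The 10.x lines are
# constructed for this example and are not from the original access_log.
SAMPLE_LOG = [
    '61.129.81.37 - - [24/Oct/2002:16:58:29 -0400] "-" 408 -',
    '61.129.81.37 - - [24/Oct/2002:16:58:29 -0400] "-" 408 -',
    '61.129.81.37 - - [24/Oct/2002:16:58:29 -0400] "-" 408 -',
    '61.129.81.37 - - [24/Oct/2002:16:58:30 -0400] "-" 408 -',
    '61.129.81.37 - - [24/Oct/2002:16:58:30 -0400] "-" 408 -',
    '61.129.81.37 - - [24/Oct/2002:16:58:30 -0400] "-" 408 -',
    '61.129.81.37 - - [24/Oct/2002:16:58:30 -0400] "-" 408 -',
    '61.129.81.37 - - [24/Oct/2002:16:58:30 -0400] "-" 408 -',
    '61.129.81.37 - - [24/Oct/2002:16:58:31 -0400] "-" 408 -',
    '61.129.81.37 - - [24/Oct/2002:16:58:31 -0400] "-" 408 -',
    '61.129.81.37 - - [24/Oct/2002:16:58:31 -0400] "-" 408 -',
    '61.129.81.37 - - [24/Oct/2002:16:58:31 -0400] "-" 408 -',
    '61.129.81.37 - - [24/Oct/2002:16:58:31 -0400] "-" 408 -',
    '61.129.81.37 - - [24/Oct/2002:16:58:31 -0400] "-" 408 -',
    '61.129.81.37 - - [24/Oct/2002:16:58:32 -0400] "-" 408 -',
    # constructed: a host that times out once every few seconds (not a burst)
    '10.0.0.5 - - [24/Oct/2002:16:58:20 -0400] "-" 408 -',
    '10.0.0.5 - - [24/Oct/2002:16:58:25 -0400] "-" 408 -',
    '10.0.0.5 - - [24/Oct/2002:16:58:31 -0400] "-" 408 -',
    # constructed: an ordinary successful request
    '10.0.0.9 - - [24/Oct/2002:16:58:30 -0400] "GET /index.html HTTP/1.0" 200 1234',
]


def parse_line(line):
    """Parse one common-log-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Apache writes the timestamp as 24/Oct/2002:16:58:29 -0400
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_408_bursts(lines, window_seconds=1, threshold=4):
    """Return {ip: peak} for IPs whose count of 408-with-empty-request lines
    inside any window_seconds window exceeds threshold."""
    times = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # A 408 with request "-" means the TCP connection opened but no HTTP
        # request line arrived before Apache's Timeout expired.
        if rec["status"] == 408 and rec["request"] == "-":
            times[rec["host"]].append(rec["time"])

    result = {}
    for ip, ts in times.items():
        ts.sort()
        peak = 0
        start = 0
        for end in range(len(ts)):
            # shrink the window from the left until it spans < window_seconds
            while (ts[end] - ts[start]).total_seconds() >= window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            result[ip] = peak
    return result


if __name__ == "__main__":
    for ip, peak in find_408_bursts(SAMPLE_LOG).items():
        print(f"{ip}: up to {peak} empty-request 408s within one second")
```

    Run against a real access_log with `find_408_bursts(open(path))`; the flagged IPs are candidates for the null route mentioned above, while hosts that only time out every few seconds are left alone.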

  2. #2
    Join Date
    Dec 2000
    Location
    Leesburg, VA
    Posts
    3,205
    The 408 Error code is a "Request Time Out". Generally, it occurs when too much time has passed since the initial TCP connection was formed.

    This is often associated with poorly written Health-check type bots. I have not heard of any DOS that use the 408 error specifically, but it could be.

  3. #3
    Join Date
    Dec 2000
    Location
    Leesburg, VA
    Posts
    3,205
    I did some more searching, and this thread on insecure might be helpful to you:

    http://lists.insecure.org/incidents/2002/Feb/0006.html

  4. #4
    Thank you. The thread you provided "http://lists.insecure.org/incidents/2002/Feb/0006.html" was helpful. It seems a lot of us have identified this problem, yet can't figure out exactly what it is or how to defend against it.

    My box is a Linux box. The thread above hypothesises that the attack has something to do with the Code Red virus. I thought Code Red was Windows specific.

    If anyone finds any further info about this 408 type attack, please let me know.

  5. #5
    Join Date
    Oct 2002
    Posts
    122
    Code Red is Windows specific (IIS specific actually). What they're talking about is when a machine that is infected with Code Red or Nimda attempts to connect to your machine and there is a firewall that is blocking the packets with the Code Red/Nimda payload, but the TCP connection has already been formed to your machine and therefore just sits around waiting. Find out if there is a firewall somewhere, and if you don't have control of it, maybe you can request that instead of just dropping Code Red/Nimda packets, that the firewall also do a bit more in sending resets to your web server at least, so it will drop the TCP connection, and the firewall could also at least temporarily drop all packets from the offending IP, so that repeated attempts don't start new TCP connections to your machine.

  6. #6
    Join Date
    Nov 2001
    Location
    Ann Arbor, MI
    Posts
    2,978
    The 408 error just means that a TCP connection was established with the apache server, but no request followed before the connection timed out.

    A usual SYN flood type DOS will not result in a TCP connection, because the client never ACKs the ACK that it gets back.

    That does look like a DOS, but I'm not sure what tool they would be using that just opens a whole bunch of TCP connections.

    I have been seeing similar results in log files, and have attributed it to codered/nimda. However, the results usually show the client hitting the web server at the most once every few seconds, not 5-6 times a second.
    -Mark Adams
    www.bitserve.com - Secure Michigan web hosting for your business.
    Only host still offering a full money back uptime guarantee and prorated refunds.
    Offering advanced server management and security incident response!

  7. #7
    Join Date
    Dec 2001
    Location
    Miami, FL
    Posts
    15
    Hi,

    Try this instead if you have Apache.

    Here is the link
    http://www.networkdweebs.com/stuff/security.html

    Details:

    WHAT IS MOD_DOSEVASIVE ?

    mod_dosevasive is an evasive maneuvers module for Apache to provide evasive
    action in the event of an HTTP DoS attack. It is also designed to be a
    detection tool, and can be easily modified to talk to ipchains, firewalls,
    routers, and etcetera.

    Detection is performed by creating an internal dynamic hash table of IP
    Addresses and URIs, and denying any single IP address from any of the following:

    - Requesting a single page more than a few times per second
    - Making more than 50 concurrent requests on the same child per second
    - Making any requests while temporarily blacklisted (on a blocking list)

    This method has worked well in both single-server script attacks as well
    as distributed attacks, but just like other evasive tools, is only as
    useful to the point of bandwidth and processor consumption (e.g. the
    amount of bandwidth and processor required to receive/process/respond
    to invalid requests), which is why it's a good idea to integrate this
    with your firewalls and routers.

    This module instantiates for each listener individually, and therefore has
    a built-in cleanup mechanism and scaling capabilities. Because of this,
    legitimate requests are never compromised but only scripted attacks. Even
    a user repeatedly clicking on 'reload' should not be affected unless they do
    it maliciously.

    HOW IT WORKS

    A web hit request comes in. The following steps take place:

    - The IP address of the requestor is looked up on the temporary blacklist
    - The IP address of the requestor and the URI are both hashed into a "key".
    A lookup is performed in the listener's internal hash table to determine
    if the same host has requested this page more than once within the past
    1 second.
    - The IP address of the requestor is hashed into a "key".
    A lookup is performed in the listener's internal hash table to determine
    if the same host has requested more than 50 objects within the past
    second (from the same child).

    If any of the above are true, a 403 response is sent. This conserves
    bandwidth and system resources in the event of a DoS attack.

    Once a single 403 incident occurs, mod_dosevasive now blocks the entire IP
    address for a period of 10 seconds (configurable). If the host requests a
    page within this period, it is forced to wait even longer. Since this is
    triggered from requesting the same URL multiple times per second, this
    again does not affect legitimate users.

    The blacklist can/should be expanded to talk to your network's firewalls and/or
    routers to push the attack out to the front lines, but this is not required.

    WHAT IS THIS TOOL USEFUL FOR?

    This tool is *excellent* at fending off small to medium-sized request-based
    DoS attacks or script attacks. Its features will prevent you from wasting
    bandwidth or having a few thousand CGI scripts running as a result of an attack.

    This tool is also excellent at detecting a web-based DoS attack, and can
    be modified to talk to your infrastructure.

    If you do not have an infrastructure capable of fending off any other types
    of DoS attacks, chances are this tool will only help you to the point of
    your total bandwidth or server capacity for sending 403's. Without a solid
    infrastructure and DoS evasion plan in place, a heavy distributed DoS will most
    likely still take you offline.


    -Frank
    Innovativecreations.com
    Unix based hosting.
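    The decision logic described in the mod_dosevasive text above, written out as an added Python example; it is not the module's own C source. The thresholds are assumptions read from the description: the same IP requesting the same URI more than twice within one second, more than 50 objects within one second, or any request while on the temporary blacklist gets a 403, and a request made during the 10-second block extends the block. The clock is injectable so the scenarios in `simulate()` (a scripted same-page burst, a 51-object flood, and a human reloading every two seconds) run deterministically; the IP addresses and URIs in it are constructed.

```python
import time


class DosEvasive:
    """Per-listener rate limiter modelled on the mod_dosevasive description.
    Thresholds are assumptions taken from that text, not the module's defaults."""

    PAGE_COUNT = 2        # same IP + same URI: more than this per INTERVAL -> 403
    SITE_COUNT = 50       # same IP, any URI: more than this per INTERVAL -> 403
    INTERVAL = 1.0        # seconds
    BLOCK_SECONDS = 10.0  # blacklist duration ("configurable" in the module)

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.page_hits = {}       # (ip, uri) -> [window_start, count]
        self.site_hits = {}       # ip -> [window_start, count]
        self.blocked_until = {}   # ip -> time at which the block expires

    def _bump(self, table, key, now):
        """Count a hit for key in a fixed one-second window; return the new count."""
        entry = table.get(key)
        if entry is None or now - entry[0] >= self.INTERVAL:
            table[key] = [now, 1]
            return 1
        entry[1] += 1
        return entry[1]

    def _block(self, ip, now):
        self.blocked_until[ip] = now + self.BLOCK_SECONDS
        return 403

    def check(self, ip, uri):
        """Return 403 if the request should be refused, otherwise 200."""
        now = self.clock()
        # 1. Temporary blacklist lookup. A request during the block extends it,
        #    so a host that keeps hammering "is forced to wait even longer".
        expiry = self.blocked_until.get(ip)
        if expiry is not None:
            if now < expiry:
                return self._block(ip, now)
            del self.blocked_until[ip]
        # 2. (ip, uri) key: same page requested too often within the interval.
        if self._bump(self.page_hits, (ip, uri), now) > self.PAGE_COUNT:
            return self._block(ip, now)
        # 3. ip key: too many objects of any kind within the interval.
        if self._bump(self.site_hits, ip, now) > self.SITE_COUNT:
            return self._block(ip, now)
        return 200


class FakeClock:
    """Controllable clock so the scenarios below are deterministic."""

    def __init__(self, t):
        self.t = t

    def __call__(self):
        return self.t


def simulate():
    """Drive the limiter through three constructed scenarios; return codes seen."""
    clk = FakeClock(1000.0)
    lim = DosEvasive(clock=clk)
    seen = {}

    # (a) Scripted client: same URL three times in 200 ms, then keeps trying
    #     at 0.7 s, 10.5 s (still blocked, block was extended) and 21 s (clear).
    burst = []
    for dt in (0.0, 0.1, 0.2, 0.7, 10.5, 21.0):
        clk.t = 1000.0 + dt
        burst.append(lim.check("203.0.113.7", "/index.html"))
    seen["same_page_burst"] = burst

    # (b) One IP fetching 51 different objects inside one second.
    codes = []
    for i in range(51):
        clk.t = 2000.0 + i * 0.01
        codes.append(lim.check("203.0.113.8", f"/img/{i}.gif"))
    seen["site_flood"] = (codes.count(200), codes.count(403))

    # (c) A person reloading one page every two seconds is never throttled.
    patient = []
    for i in range(5):
        clk.t = 3000.0 + i * 2.0
        patient.append(lim.check("198.51.100.4", "/index.html"))
    seen["patient_reload"] = patient
    return seen


if __name__ == "__main__":
    for name, result in simulate().items():
        print(f"{name}: {result}")
```

    Note what this does and does not cover: it refuses requests that arrive, which is the module's point about conserving bandwidth and CPU, but a 408 as in the first post never carries a URI, so the connection has already consumed a child before this logic runs. That is why the text recommends pushing the blacklist out to firewalls and routers.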

  8. #8
    Join Date
    Dec 2000
    Location
    Leesburg, VA
    Posts
    3,205
    Originally posted by fmadison
    Hi,

    Try this instead if you have Apache.

    While this may be a useful tool, there really is no reason to cut and paste the same information into multiple threads.

  9. #9
    Join Date
    Nov 2001
    Location
    Ann Arbor, MI
    Posts
    2,978
    Especially since it's not relevant.
    -Mark Adams
    www.bitserve.com - Secure Michigan web hosting for your business.
    Only host still offering a full money back uptime guarantee and prorated refunds.
    Offering advanced server management and security incident response!
