Edit httpd.conf and change the port it listens on, or add firewall
rule to block inbound port 80. check http log to id attacking ip's,
look for recurring cycle in ip address and add firewall rule to
block. Be sure your http logs are configured to rotate and not fill
all disk space then just ride it out.

If you use dynamic ip address, turn off you cable or dsl modem for 3
min and when you power back up hopefully you will be issued an new
ip address. This will stop attach if attack is targeted directly at
you ip address and not using dsn to find you.

I use zoneedit to redirect my domain name to different port than 80
and that stopped all http dos attacked based on directly targeted ip
address. In most cases the attacker has port scanned all ip address
in some large range looking for port 80 and when found he records ip
address to launch spoofed sending ip address attack directly at your
ip address. Zoneedit.com is free for up to 5 domain names.



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of meimi
Sent: Wednesday, April 21, 2004 8:22 PM
To: Tuc
Cc: [EMAIL PROTECTED]
Subject: Re: being DOSed

I have found some IPs are opening 10 HTTP connection. Their IPs are
changing
and all IPs are from different ISP network.
What should I do next?
Thanks
Meimi


----- Original Message -----
From: "Tuc" <[EMAIL PROTECTED]>
To: "meimi" <[EMAIL PROTECTED]>
Sent: Thursday, April 22, 2004 7:29 AM
Subject: Re: being DOSed


> >
> > Hello,
> >   The bandwidth usage for my server is tripled for 3 hours. When
I run
> > "top", I find many httpd process in sbwait status. So, I think
someone
is
> > DOSing my server.
> >   How can I check who is DOSing me? and how can I solve it?
> > Thanks
> > Meimi
>
> Quickly :
>
> netstat -an | sort | grep tcp4|more
>
> Look for an IP with alot of connections. (We have a script that
> actually will count this for us, but its not just for FreeBSD so
its
> long)
>
> Tuc/TTSG Internet Services, Inc.
>
_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
"[EMAIL PROTECTED]"

_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to