----- Original Message -----
From: Tom DeReggi [mailto:[EMAIL PROTECTED]
To: WISPA General List [mailto:[EMAIL PROTECTED]
Sent: Sat, 06 Jan 2007 17:26:39 -0900
Subject: [WISPA] SSH DOS Killing Linux
> We recently had a really nasty DOS attack that took down a large part of our
> network across several cell sites, from the infected client all the way to
> the Internet transit.
>
> Take note that we identified the problem quickly and cured it quickly.
> But.... This is the first time that this has occurred in 5 years, as we have
> a good number of smart design characteristics that have limited the effects
> of most viruses on our network. We stopped the attack by blocking SSH to
> the infected sub. The average amount of traffic crossing the entire network
> path from the client to the Internet was about 500 kbps on average. (This
> was a 20 mbps wireless link, and a 100mbps fiber transport link to the
> transit.) The two routers were a P4 2Ghz, and a Dual XEON 2.2Ghz w/
> 10,000rpm SCSI3. The damage was that the CPU was nailed on both routers to
> about 99.9% using "TOP" to monitor stats. We verified that successful SSH
> sessions were not made directly to the protected routers themselves. Take
> note that the wireless links were barely affected; it was the router 2 hops
> away (Dual XEON) that got overloaded the most. Our routers have been
> tested to pass over 2 gbps of throughput easily, and have been load tested
> to survive very small packets and high PPS adequately. The infected sub was
> bandwidth managed with HTB to 256k cir, 1 mbps mir, but not anything for
> PPS. So I'm looking for reasons that the CPU got overloaded. My theory is
> that the DOS attack resulted in a large number of disk writes (maybe
> logging?) causing the CPU saturation. I've had a hard time locating the
> cause, and have not discovered which virus yet, although I should have more
> info soon from my clients.
>
> So my question....
>
> What needs to be done on a Linux machine to harden it, to protect against
> CPU oversaturation during DOS attacks?
>
> What should and shouldn't be logged? Connection Tracking? Firewall logging?
> Traffic stats?
>
> Tom DeReggi
> RapidDSL & Wireless, Inc
> IntAirNet- Fixed Wireless Broadband

Hi Tom,

What OS/application was running on these boxes?

-Dee
Alaska Wireless Systems
1(907)240-2183 Cell
1(907)349-2226 Fax
1(907)349-4308 Office
www.akwireless.net

--
WISPA Wireless List: wireless@wispa.org
Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless
Archives: http://lists.wispa.org/pipermail/wireless/
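Tom's post raises two points a router operator would want to check: a flood that is small in kbps can still be high in packets per second when the packets are tiny (HTB limits bytes, not PPS), and the firewall log is where an SSH SYN flood from one subscriber first shows up. The following is an added example, not code from anyone on this list: it reads netfilter LOG lines in the kernel's usual "SRC=... DPT=... SYN" layout (the "SSH-IN:" prefix and every address are constructed here), flags sources that exceed a sliding-window SYN count, and converts a bit rate plus frame size into PPS.

```python
import re
from collections import defaultdict

# Constructed log lines in the netfilter LOG layout; the "SSH-IN:" prefix
# and all addresses are invented for this example.
LINE = ("Jan  6 {ts} gw kernel: SSH-IN: IN=eth1 OUT=eth0 SRC={src} "
        "DST=203.0.113.9 LEN=60 PROTO=TCP SPT={spt} DPT={dpt} SYN")

def make_sample_log():
    """30 SSH SYNs from one subscriber in 6 s, two from a benign host, and
    one web SYN that must be ignored. Seconds advance one per five packets."""
    lines = [LINE.format(ts=f"17:20:{i // 5:02d}", src="10.20.30.40",
                         spt=40000 + i, dpt=22) for i in range(30)]
    lines += [LINE.format(ts="17:20:01", src="10.20.30.41", spt=5001, dpt=22),
              LINE.format(ts="17:20:40", src="10.20.30.41", spt=5002, dpt=22),
              LINE.format(ts="17:20:02", src="10.20.30.42", spt=5003, dpt=80)]
    return "\n".join(lines)

# Syslog timestamp, then the SRC, DPT and SYN fields of a netfilter LOG line.
PAT = re.compile(r"^\w{3}\s+\d+ (\d\d):(\d\d):(\d\d) .*?SRC=(\S+) .*?DPT=(\d+) .*?\bSYN\b")

def ssh_syn_flooders(log_text, window_s=10, threshold=20):
    """Return {src: peak count} for sources whose SSH SYNs inside any
    sliding window of window_s seconds reach threshold."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        m = PAT.match(line)
        if not m or m.group(5) != "22":      # only SYNs aimed at SSH
            continue
        h, mi, s = (int(x) for x in m.group(1, 2, 3))
        times[m.group(4)].append(h * 3600 + mi * 60 + s)
    flooders = {}
    for src, ts in times.items():
        ts.sort()
        peak, lo = 0, 0
        for hi, t in enumerate(ts):
            while t - ts[lo] > window_s:     # slide the window's left edge
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            flooders[src] = peak
    return flooders

def packets_per_second(kbps, frame_bytes):
    """PPS carried by a given bit rate when every frame is frame_bytes long;
    shows why a 500 kbps flood of minimum-size packets is a PPS problem."""
    return kbps * 1000 / (frame_bytes * 8)

if __name__ == "__main__":
    print(ssh_syn_flooders(make_sample_log()))
    print(round(packets_per_second(500, 64)), "pps at 500 kbps of 64-byte frames")
```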