----- Original Message -----
From: Tom DeReggi
To: WISPA General List
Sent: Sat, 06 Jan 2007 17:26:39 -0900
Subject: [WISPA] SSH DOS Killing Linux

> We recently had a really nasty DOS attack that took down a large part of our
> network across several cell sites, from the infected client all the way to
> the Internet transit.
> Take note that we identified the problem quickly and cured it quickly.
> But.... This is the first time that this has occurred in 5 years, as we have
> a good number of smart design characteristics that have limited the effects
> of most viruses on our network.  We stopped the attack by blocking SSH to
> the infected sub.  The average amount of traffic crossing the entire network
> path from the client to the Internet was about 500 kbps on average.  (This
> was a 20 mbps wireless link, and a 100mbps fiber transport link to the
> transit.)  The two routers were a P4 2Ghz, and a Dual XEON 2.2Ghz w/
> 10,000rpm SCSI3.  The damage was that the CPU was nailed on both routers to
> about 99.9% using "TOP" to monitor stats.  We verified that successful SSH
> sessions were not made directly to the protected routers themselves.  Take
> note that the wireless links were barely affected; it was the router 2 hops
> away (Dual XEON) that got overloaded the most.  Our routers have been
> tested to pass over 2 gbps of throughput easily, and have been load tested
> to survive very small packets and high PPS adequately.  The infected sub was
> bandwidth managed with HTB to 256k cir, 1 mbps mir, but not anything for
> PPS.  So I'm looking for reasons that the CPU got overloaded.  My theory is
> that the DOS attack resulted in a large number of disk writes (maybe
> logging?) causing the CPU saturation.  I've had a hard time locating the
> cause, and have not discovered which virus yet, although I should have more
> info soon from my clients.
> So my question....
> What needs to be done on a Linux machine to harden it, to protect against
> CPU oversaturation during DOS attacks?
> What should and shouldn't be logged? Connection Tracking? Firewall logging?
> Traffic stats?
> Tom DeReggi
> RapidDSL & Wireless, Inc
> IntAirNet- Fixed Wireless Broadband

Hi Tom,

What OS/application was running on these boxes? 


Alaska Wireless Systems
1(907)240-2183 Cell
1(907)349-2226 Fax
1(907)349-4308 Office

WISPA Wireless List: wireless@wispa.org


Archives: http://lists.wispa.org/pipermail/wireless/
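Added example, not from either poster: the kind of iptables and sysctl hardening a Linux router forwarding subscriber traffic would get in response to the two questions in the quoted post (cap new SSH connections per subscriber address, and make sure logging itself cannot saturate the CPU or disk). The subscriber range, the per-source budget, the log cap and the conntrack sizes are assumptions; adjust them to the network. DRY_RUN=1 (the default) prints the commands instead of executing them, so the rule set can be reviewed before it is applied as root.

```shell
#!/bin/sh
# Added example (not from the thread): iptables and sysctl hardening for a
# Linux router that forwards subscriber traffic. Caps the rate of NEW SSH
# connections per subscriber source address and bounds how much the router
# logs while doing so. Subscriber range and thresholds are assumptions.
# DRY_RUN=1 (the default) prints the commands instead of executing them.

DRY_RUN="${DRY_RUN:-1}"
SUB_NET="${SUB_NET:-10.20.0.0/16}"        # assumed subscriber address range
SSH_NEW_PER_MIN="${SSH_NEW_PER_MIN:-30}"  # assumed per-source budget of new SSH sessions
LOG_PER_MIN="${LOG_PER_MIN:-5}"           # cap on log lines written per minute

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# A dedicated chain for offenders: log at a bounded rate, then drop.
# Every LOG rule carries -m limit, so a flood produces at most LOG_PER_MIN
# syslog lines per minute instead of one line (and one disk write) per packet.
ssh_flood_chain() {
    run iptables -N SSH_FLOOD
    run iptables -A SSH_FLOOD -m limit --limit "${LOG_PER_MIN}/min" --limit-burst 5 \
        -j LOG --log-prefix "ssh-flood: " --log-level 4
    run iptables -A SSH_FLOOD -j DROP
}

# Only NEW connections (SYNs) are counted, per source address; established
# SSH sessions are never touched. Sources above the budget go to SSH_FLOOD.
ssh_ratelimit_rule() {
    run iptables -A FORWARD -s "$SUB_NET" -p tcp --dport 22 \
        -m conntrack --ctstate NEW \
        -m hashlimit --hashlimit-name ssh_out --hashlimit-mode srcip \
        --hashlimit-above "${SSH_NEW_PER_MIN}/min" --hashlimit-burst 10 \
        -j SSH_FLOOD
}

# Connection tracking: size the table for the subscriber count and shorten
# the half-open timeouts so a SYN flood cannot fill it (values are assumptions).
conntrack_sysctls() {
    run sysctl -w net.netfilter.nf_conntrack_max=262144
    run sysctl -w net.netfilter.nf_conntrack_tcp_timeout_syn_sent=30
    run sysctl -w net.netfilter.nf_conntrack_tcp_timeout_syn_recv=30
    run sysctl -w net.ipv4.tcp_syncookies=1   # protects the router's own sshd
}

# What not to do: a LOG rule without -m limit writes one line per packet.
# With sysklogd, also prefix the file in syslog.conf with '-' so the daemon
# does not fsync after every line:   kern.*   -/var/log/kern.log
apply_all() {
    ssh_flood_chain
    ssh_ratelimit_rule
    conntrack_sysctls
}

apply_all
```

Run it once with DRY_RUN=1 to read the generated rules, then with DRY_RUN=0 as root to apply them. The design choice is that the hashlimit match decides who is flooding, while the separate SSH_FLOOD chain decides how loudly the router says so; the two are tuned independently, and the -m limit on the LOG rule is what keeps a flood from turning into the disk-write storm the post suspects.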
