Have you installed software such as fail2ban, which will block the IP
address after n number of failed SSH logins for n number of seconds?
Depending on the purpose of the server it may block internet access for
the client, but I wouldn't worry about that for my network.
I have it installed on all my Linux boxes and it blocks the routine SSH
attacks that are all too common these days.


Tom DeReggi wrote:
> We recently had a really nasty DoS attack that took down a large part
> of our network across several cell sites, from the infected client all
> the way to the Internet transit.
> Take note that we identified the problem quickly and cured it quickly.
> But.... This is the first time that this has occurred in 5 years, as we
> have a good number of smart design characteristics that have limited
> the effects of most viruses on our network. We stopped the attack by
> blocking SSH to the infected sub. The average amount of traffic
> crossing the entire network path from the client to the Internet was
> about 500 kbps on average. (This was a 20 Mbps wireless link, and a
> 100 Mbps fiber transport link to the transit.) The two routers were a
> P4 2 GHz, and a dual Xeon 2.2 GHz w/ 10,000 rpm SCSI3. The damage was
> that the CPU was nailed on both routers to about 99.9%, using "top" to
> monitor stats. We verified that successful SSH sessions were not made
> directly to the protected routers themselves. Take note that the
> wireless links were barely affected; it was the router 2 hops away
> (dual Xeon) that got overloaded the most. Our routers have been
> tested to pass over 2 Gbps of throughput easily, and have been load
> tested to survive very small packets and high PPS adequately. The
> infected sub was bandwidth managed with HTB to 256k CIR, 1 Mbps MIR,
> but not anything for PPS. So I'm looking for reasons that the CPU got
> overloaded. My theory is that the DoS attack resulted in a large
> number of disk writes (maybe logging?) causing the CPU saturation.
> I've had a hard time locating the cause, and have not discovered which
> virus yet, although I should have more info soon from my clients.
> So my question....
> What needs to be done on a Linux machine to harden it, to protect
> against CPU oversaturation during DoS attacks?
> What should and shouldn't be logged? Connection tracking? Firewall
> logging? Traffic stats?
> Tom DeReggi
> RapidDSL & Wireless, Inc
> IntAirNet- Fixed Wireless Broadband
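The blocking logic the reply describes (n failed SSH logins inside a time window ban the source IP for a set period), as an added example that is not fail2ban's code and not from either poster; it only needs the sshd auth log, which is the one log the question above would still want kept. The parameter names follow fail2ban's maxretry/findtime/bantime, while the tracker class, the `replay` helper, the plain-seconds timestamps and the auth-log lines are constructed for the demo.

```python
import re
from collections import defaultdict, deque

# OpenSSH "Failed password" auth-log line; the sample lines and the plain-seconds timestamps used below are constructed.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\d+(?:\.\d+){3}) port \d+")

class SshFailureTracker:
    """Ban an IP after maxretry failures within findtime s, for bantime s (fail2ban's names; hypothetical logic)."""

    def __init__(self, maxretry=5, findtime=600, bantime=3600):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.bans = {}                      # ip -> time the ban expires

    def is_banned(self, ip, now):
        until = self.bans.get(ip)
        if until is not None and now < until:
            return True
        self.bans.pop(ip, None)             # absent or expired: forget it
        return False

    def observe(self, now, line):
        """Feed one (timestamp, line); return the IP if this line just got it banned."""
        m = FAILED_RE.search(line)
        if not m:                           # accepted logins etc. are ignored
            return None
        ip = m.group(1)
        if self.is_banned(ip, now):
            return None                     # already blocked
        window = self.failures[ip]
        window.append(now)
        while now - window[0] > self.findtime:
            window.popleft()                # drop failures older than findtime
        if len(window) >= self.maxretry:
            self.bans[ip] = now + self.bantime
            window.clear()
            return ip
        return None

def replay(log, tracker):
    """Run the tracker over (timestamp, line) pairs; return [(time, banned_ip)]."""
    return [(ts, ip) for ts, line in log if (ip := tracker.observe(ts, line))]

# Constructed sample: a brute-force run from 203.0.113.7, one accepted login, two isolated failures from 198.51.100.9 more than findtime apart.
FAIL = "sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 4021 ssh2"
SAMPLE_LOG = [(t, FAIL) for t in (0, 2, 4, 6, 8)] + [
    (9, "sshd[1240]: Accepted publickey for ops from 198.51.100.5 port 5000 ssh2"),
    (10, "sshd[1241]: Failed password for root from 198.51.100.9 port 5100 ssh2"),
    (700, "sshd[1250]: Failed password for root from 198.51.100.9 port 5200 ssh2"),
]
```

Running `replay(SAMPLE_LOG, SshFailureTracker())` bans only 203.0.113.7 at the fifth failure; the two root failures are too far apart to count together.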

WISPA Wireless List: wireless@wispa.org


Archives: http://lists.wispa.org/pipermail/wireless/
