[Owasp-cincinnati] Attack Recovery

Terry Miesse tmiesse at cinci.rr.com
Wed Jun 24 22:54:14 EDT 2009


Ed,
Longtime lurker, first-time poster.  Howdy.
:
1) IMO, No.  The source IPs could be spoofed (depending on the nature 
of the actual attack) and you'd find yourself blocking IPs who may be 
legitimate customers... when you eventually have customers, anyways.  
Blocking IPs is a very coarse and unreliable defense.

2) Silly question, but... Is it causing a DoS condition for you, or just 
an annoyance?  You didn't really say anything about what sort of 
capacity they have.  3M hits per day on my little P3 web server would be 
an issue.  3M hits/day on a 4-way Opteron fed by a pair of DS3s... 
feh...  Still, 3M hits is a lot - you've ended up on somebody's target 
list for some reason.  You may want to ask your hosting provider if 
they're getting similar reports from other customers (you may have an IP 
address near a machine that was compromised, so they're looking for 
machines "nearby" to also target).  You may also want to make sure that 
none of those attacks have succeeded in finding any holes.  If they 
don't have customers yet, hopefully they do have a real app up and not 
just a "You've installed Apache" page.  Lots of questions, but it would 
be good to better understand the problem before delving into solutions.

3) Of course.  Unfortunately I don't know anybody locally that 
specializes in such matters - hopefully somebody on the list does.  If 
you'd settle for somebody with a day job to bat ideas around with... 
well, here's my email address. :-)

Also, to Marco's suggestions... Are you seeing attacks at the network 
layer as well?  How much control do you have over the infrastructure - 
is this a virtual server at a hosting provider somewhere, or do you 
control everything from the ISP connection back?  More control gives you 
more options.

Terry

Marco M. Morana wrote:
> Ed
>  
> can you explain better what you mean by:  "they are all attacks usual 
> smattering of language and framework probe urls" ..
>  
> is this a bandwidth attack like iFrame DDoS? I would think IP 
> filtering of that amount of IPs is possible but is not the only 
> defense of DDoS (*), you need to apply defense in depth at both 
> network and application layer. At the network layer you can route 
> traffic to other servers, use DPI/packet dropping, set router 
> defenses like Cisco IOS, set Intrusion Prevention Systems defenses 
> etc.  On the application it depends on what you can do with the web 
> pages on the site, can you overload the web server with multiple 
> requests to visit web pages, do these have large images etc...
>  
> Hope you have some DDoS security expert reply to this post, I am not, 
> sorry...hope this is useful
>  
> Regards
>  
> Marco
>  
> (*)
> http://en.wikipedia.org/wiki/Denial-of-service_attack
>
>  
>
>     ----- Original Message -----
>     *From:* Edward Sumerfield <mailto:esumerfd at bitbashers.org>
>     *To:* OWASP Cincinnati <mailto:owasp-cincinnati at lists.owasp.org>
>     *Sent:* Wednesday, June 24, 2009 8:49 AM
>     *Subject:* [Owasp-cincinnati] Attack Recovery
>
>     I have a customer that is being hit with over 3 million requests
>     a day and they have no customers yet :-) They are all attacks with
>     the usual smattering of language and framework probe urls.
>
>     My initial response was to try to firewall block the requesting
>     IPs but there are 21,000 unique source IPs driving the attack.
>
>     So,
>
>     1) Is it reasonable to block 21K IPs?
>
>     2) Is there another solution that I should be looking for?
>
>     3) Is there a security consultant that we could hire to address
>     this issue?
>
>     Ed Sumerfield
>     Ed Sumerfield Consulting, LLC
>     http://www.edsumerfieldconsulting.com
>     513-295-7016
>
>
>
>     ------------------------------------------------------------------------
>     _______________________________________________
>     Owasp-cincinnati mailing list
>     Owasp-cincinnati at lists.owasp.org
>     https://lists.owasp.org/mailman/listinfo/owasp-cincinnati
>
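Added example, not part of the thread above: a small log-triage script that does the two things the replies ask for before anyone decides on blocking. It counts unique source IPs and requests per source (3M/day spread over 21K sources is only about 143 requests per IP per day, which is why a per-IP block or rate limit is such a coarse tool), and it lists every "language and framework probe" URL the server answered with something other than an error, which is Terry's "make sure none of those attacks have succeeded" check. The log lines, the probe-path patterns, and the function names are all constructed for this example; the patterns are a typical scanner list, not anything the thread reports.

```python
"""Triage a combined-format (Apache/nginx) access log during a probe flood."""
import re
from collections import Counter

# Combined Log Format; the request line is split into method, path and protocol.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed assumption: paths mass scanners request to fingerprint
# languages and frameworks. Extend to match what your own logs show.
PROBE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r'^/phpmyadmin', r'^/pma/', r'^/wp-login\.php', r'^/wp-admin', r'^/xmlrpc\.php',
    r'^/manager/html', r'^/cgi-bin/', r'/\.env$', r'\.php$', r'\.asp$', r'\.jsp$',
)]

# Constructed sample log: three sources, one non-log line, one probe that
# got a 200 (the kind of hit that needs a human to look at it).
SAMPLE_LOG = """\
203.0.113.10 - - [24/Jun/2009:08:49:01 -0400] "GET /phpmyadmin/ HTTP/1.1" 404 209
203.0.113.10 - - [24/Jun/2009:08:49:01 -0400] "GET /pma/index.php HTTP/1.1" 404 209
203.0.113.10 - - [24/Jun/2009:08:49:02 -0400] "GET /cgi-bin/php HTTP/1.1" 404 209
198.51.100.7 - - [24/Jun/2009:08:50:10 -0400] "GET /wp-login.php HTTP/1.1" 404 209
198.51.100.7 - - [24/Jun/2009:08:50:11 -0400] "GET /xmlrpc.php HTTP/1.1" 404 209
192.0.2.44 - - [24/Jun/2009:08:51:00 -0400] "GET / HTTP/1.1" 200 1532
192.0.2.44 - - [24/Jun/2009:08:51:02 -0400] "GET /about.html HTTP/1.1" 200 2048
192.0.2.44 - - [24/Jun/2009:08:51:03 -0400] "GET /manager/html HTTP/1.1" 200 4097
198.51.100.7 - - [24/Jun/2009:08:52:00 -0400] "POST /wp-login.php HTTP/1.0" 404 -
this line is not a log entry
"""


def parse_line(line):
    """Return a dict for one log line, or None if it is not a well-formed entry."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_probe(path):
    """True if the request path matches one of the scanner fingerprint patterns."""
    return any(p.search(path) for p in PROBE_PATTERNS)


def triage(log_text):
    """Aggregate a log: volume per source, probe volume, and probes the app answered."""
    total = unparsed = 0
    per_ip = Counter()        # requests per source IP
    probe_ips = Counter()     # probe requests per source IP
    answered_probes = []      # probe paths that got 2xx/3xx: the path really exists
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        total += 1
        per_ip[rec["ip"]] += 1
        if is_probe(rec["path"]):
            probe_ips[rec["ip"]] += 1
            if rec["status"] < 400:
                answered_probes.append(
                    (rec["ip"], rec["method"], rec["path"], rec["status"]))
    return {
        "total": total,
        "unparsed": unparsed,
        "unique_ips": len(per_ip),
        "probe_requests": sum(probe_ips.values()),
        "probe_ips": len(probe_ips),
        "per_ip": per_ip,
        "answered_probes": answered_probes,
    }


def requests_per_source(total_requests, unique_ips):
    """Average requests per source IP over the period covered by the counts.
    3,000,000 requests over 21,000 sources is about 143 per IP per day,
    which is why per-IP blocking or rate limiting is a coarse lever here."""
    return total_requests / unique_ips if unique_ips else 0.0


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print(f"{r['total']} requests from {r['unique_ips']} IPs, "
          f"{r['probe_requests']} probes from {r['probe_ips']} IPs, "
          f"{r['unparsed']} unparsed lines")
    print("top sources:", r["per_ip"].most_common(5))
    print("probes the app answered (check these by hand):", r["answered_probes"])
    print("avg requests per source in the thread's numbers:",
          round(requests_per_source(3_000_000, 21_000)))
```

Run it against a real log with `triage(open(path).read())`; the `answered_probes` list is the part to read first, because a 200 on a scanner path means the path is actually served, whether by your application or by something left installed on the box.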