[Owasp-cincinnati] Attack Recovery

John Askew jaskew at sdgsecure.com
Wed Jun 24 23:48:36 EDT 2009

Hi Ed,

Terry and Marco already gave some good suggestions, so I'll just add a few things. I would agree that a flat IP blacklist is probably not the best option here, although the best solution will depend on the details of the situation, and will probably involve multiple layers. At the network level, a combination of traditional IPS blacklisting and reputation-based filtering might be able to filter out a significant bit of the noise, depending on the client's current network hardware and where the traffic is coming from. If these hits are adversely affecting an application's performance or availability, then you might consider a caching reverse proxy to offload some of the weight from the application server. If web application vulnerabilities are a concern, then a WAF like mod_security with a well-constructed whitelist (see mod_profiler) may be able to provide some assurance.

Also, if you are interested in assistance, feel free to contact me. I represent a local company that specializes in network and application security services for southern Ohio and KY.


John Askew
Senior Security Analyst
Systems Design Group, Inc.
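To make the thread's point concrete (a positive whitelist in the mod_security sense rejects every probe URL no matter which of the 21,000 sources sent it, while an IP blacklist only covers sources already seen), here is an added Python example that is not from this thread or any of its authors. It triages constructed Apache-style access-log lines against a hypothetical application's allowed method/path pairs and measures how much probe traffic a top-N IP blacklist would have stopped by comparison.

```python
import re
from collections import Counter

# Constructed Apache combined-format log lines for this example (not from the thread).
SAMPLE_LOG = """\
203.0.113.10 - - [24/Jun/2009:08:49:01 -0400] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [24/Jun/2009:08:49:02 -0400] "GET /catalog HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Jun/2009:08:50:11 -0400] "GET /admin/config.php HTTP/1.0" 404 210 "-" "-"
198.51.100.8 - - [24/Jun/2009:08:50:12 -0400] "GET /wp-login.php HTTP/1.0" 404 210 "-" "-"
198.51.100.9 - - [24/Jun/2009:08:50:13 -0400] "GET /struts2/index.action HTTP/1.0" 404 210 "-" "-"
198.51.100.9 - - [24/Jun/2009:08:50:14 -0400] "GET /cgi-bin/test.cgi HTTP/1.0" 404 210 "-" "-"
192.0.2.44 - - [24/Jun/2009:08:51:00 -0400] "POST /catalog/search HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Positive security model: the only method/path pairs the (hypothetical) application serves.
# Anything else is treated as a probe, regardless of which IP sent it.
ALLOWED = [
    ("GET", re.compile(r"^/$")),
    ("GET", re.compile(r"^/catalog(/\d+)?$")),
    ("POST", re.compile(r"^/catalog/search$")),
]

def is_allowed(method, path):
    path = path.split("?", 1)[0]  # a real WAF rule set would validate the query string too
    return any(method == m and rx.match(path) for m, rx in ALLOWED)

def triage(log_text):
    """Count whitelisted vs probe requests and tally probe requests per source IP."""
    probe_ips, allowed = Counter(), 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        if is_allowed(m["method"], m["path"]):
            allowed += 1
        else:
            probe_ips[m["ip"]] += 1
    return {"allowed": allowed, "probes": sum(probe_ips.values()),
            "unique_probe_ips": len(probe_ips), "per_ip": probe_ips}

def blacklist_coverage(log_text, n):
    """Fraction of probe requests stopped by blocking only the n busiest probe sources."""
    per_ip = triage(log_text)["per_ip"]
    total = sum(per_ip.values())
    blocked = sum(count for _, count in per_ip.most_common(n))
    return blocked / total if total else 0.0
```

On the sample, three of the four probe requests come from three different IPs, so blocking the single busiest source stops only half the probe traffic, while the whitelist rejects all four without any per-IP state.
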

From: owasp-cincinnati-bounces at lists.owasp.org [owasp-cincinnati-bounces at lists.owasp.org] On Behalf Of Terry Miesse [tmiesse at cinci.rr.com]
Sent: Wednesday, June 24, 2009 10:54 PM
To: Marco M. Morana
Cc: OWASP Cincinnati
Subject: Re: [Owasp-cincinnati] Attack Recovery

Longtime lurker, first-time poster.  Howdy.
1) IMO, No.  The source IPs could be spoofed (depending on the nature
of the actual attack) and you'd find yourself blocking IPs who may be
legitimate customers... when you eventually have customers, anyways.
Blocking IPs is a very coarse and unreliable defense.

2) Silly question, but... Is it causing a DoS condition for you, or just
an annoyance?  You didn't really say anything about what sort of
capacity they have.  3M hits per day on my little P3 web server would be
an issue.  3M hits/day on a 4-way Opteron fed by a pair of DS3's...
feh...  Still, 3M hits is a lot - you've ended up on somebody's target
list for some reason.  You may want to ask your hosting provider if
they're getting similar reports from other customers (you may have an IP
address near a machine that was compromised, so they're looking for
machines "nearby" to also target).  You may also want to make sure that
none of those attacks have succeeded in finding any holes.  If they
don't have customers yet, hopefully they do have a real app up and not
just a "You've installed Apache" page.  Lots of questions, but it would
be good to better understand the problem before delving into solutions.

3) Of course.  Unfortunately I don't know anybody locally that
specializes in such matters - hopefully somebody on the list does.  If
you'd settle for somebody with a day job to bat ideas around with...
well, here's my email address. :-)

Also, to Marco's suggestions... Are you seeing attacks at the network
layer as well?  How much control do you have over the infrastructure -
is this a virtual server at a hosting provider somewhere, or do you
control everything from the ISP connection back?  More control gives you
more options.


Marco M. Morana wrote:
> Ed
> can you explain better what you mean for:  "they are all attacks usual
> smattering of language and framework probe urls" ..
> is this a bandwidth attack like iFrame DDoS? I would think IP
> filtering of that amount of IPs is possible but is not the only
> defense of DDoS (*), you need to apply defense in depth at both
> network and application layer. At the network layer you can route
> traffic to other servers, use DPI/packet dropping, set router
> defenses like Cisco IOS, set Intrusion Prevention Systems defenses
> etc.  On the application it depends on what you can do with the web
> pages on the site, can you overload the web server with multiple
> requests to visit web pages, do these have large images etc...
> Hope you have some DDoS security expert reply to this post, I am not,
> sorry...hope this is useful
> Regards
> Marco
> (*)
> http://en.wikipedia.org/wiki/Denial-of-service_attack
>     ----- Original Message -----
>     *From:* Edward Sumerfield <mailto:esumerfd at bitbashers.org>
>     *To:* OWASP Cincinnati <mailto:owasp-cincinnati at lists.owasp.org>
>     *Sent:* Wednesday, June 24, 2009 8:49 AM
>     *Subject:* [Owasp-cincinnati] Attack Recovery
>     I have a customer that is being hit with over 3 million requests
>     a day and they have no customers yet :-) They are all attacks with
>     the usual smattering of language and framework probe URLs.
>     My initial response was to try to firewall block the requesting
>     IPs but there are 21,000 unique source IPs driving the attack.
>     So,
>     1) Is it reasonable to block 21K IPs?
>     2) is there another solution that I should be looking for?
>     3) Is there a security consultant that we could hire to address
>     this issue?
>     Ed Sumerfield
>     Ed Sumerfield Consulting, LLC
>     http://www.edsumerfieldconsulting.com
>     513-295-7016
>     _______________________________________________
>     Owasp-cincinnati mailing list
>     Owasp-cincinnati at lists.owasp.org
>     https://lists.owasp.org/mailman/listinfo/owasp-cincinnati


