If you see a lot of ? marks in there, chances are the server is being DoSed.
Use the command: netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk1
This will tell you how many httpd connections there are to the server, grouped by remote IP address.
This command may also be useful: lsof -i :80
2 - Block any IPs that have 20 or more connections using:
route add -host <IP> reject
AND
apf -d <IP>
(replace <IP> with the offending address from the count above)
3 - Then:
edit /usr/local/apache/conf/httpd.conf
and change:
KeepAlive On TO KeepAlive Off
then:
/scripts/restartsrv httpd
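The following is an added example, not part of the original post: it does the per-IP counting of step 1 and the threshold of step 2 in one shell function, and prints the block commands for an operator to review instead of running them. It differs from the one-liner above in one respect: it strips the port after the last colon, so IPv4-mapped IPv6 peers (::ffff:a.b.c.d:port, which cut -d: -f1 would collapse to an empty field) are counted under their IPv4 address. The netstat sample is constructed from documentation addresses; the default threshold of 20 comes from step 2.

```shell
#!/bin/sh
# Added example, not part of the original post: count connections to port 80 per
# remote address from "netstat -plan" output and list the addresses at or above a
# threshold, then print (not run) the block commands from step 2 for review.
# Unlike "cut -d: -f1", the port is stripped after the LAST colon, so
# IPv4-mapped IPv6 peers (::ffff:a.b.c.d:port) are counted under a.b.c.d.

# busy_ips THRESHOLD  < netstat-output   ->  lines of "count ip", busiest first
busy_ips() {
    awk -v t="${1:-20}" '
        # only tcp/tcp6 rows; $4 = Local Address, $5 = Foreign Address, $6 = State
        ($1 == "tcp" || $1 == "tcp6") && $6 != "LISTEN" {
            if ($4 !~ /:80$/) next            # only connections to our web port
            peer = $5
            sub(/:[0-9*]+$/, "", peer)        # drop the port after the last colon
            sub(/^::ffff:/, "", peer)         # unmap IPv4-mapped IPv6 addresses
            count[peer]++
        }
        END { for (ip in count) if (count[ip] >= t) print count[ip], ip }
    ' | sort -rn
}

# suggest_blocks THRESHOLD < netstat-output -> the step-2 commands, one pair per
# IP, printed for an operator to review rather than executed.
suggest_blocks() {
    busy_ips "$1" | while read -r n ip; do
        printf 'route add -host %s reject\napf -d %s\n' "$ip" "$ip"
    done
}

# Constructed sample of "netstat -plan" output (documentation addresses only).
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/httpd
tcp        0      0 192.0.2.10:80           203.0.113.5:51000       ESTABLISHED 1234/httpd
tcp        0      0 192.0.2.10:80           203.0.113.5:51001       SYN_RECV    -
tcp        0      0 192.0.2.10:80           203.0.113.5:51002       ESTABLISHED 1234/httpd
tcp        0      0 192.0.2.10:80           198.51.100.7:40000      ESTABLISHED 1234/httpd
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.5:51003 ESTABLISHED 1234/httpd
tcp        0      0 192.0.2.10:22           198.51.100.7:40001      ESTABLISHED 999/sshd'

# Stand-alone demo with a low threshold so the small sample trips it:
printf '%s\n' "$SAMPLE" | busy_ips 3
printf '%s\n' "$SAMPLE" | suggest_blocks 3
```

On a live host, feed it real output: netstat -plan | busy_ips 20, and only after reading the list run the printed commands; a single NAT gateway or a monitoring probe can legitimately hold many connections, so the count is a lead, not a verdict.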
===========================================
Another thing to try:
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
Put the following in /etc/sysctl.conf
# Enable TCP SYN cookie protection
net.ipv4.tcp_syncookies = 1
# Lower the default tcp_fin_timeout value
net.ipv4.tcp_fin_timeout = 30
# Turn off TCP window scaling
net.ipv4.tcp_window_scaling = 0
# Turn off TCP selective acknowledgements (SACK)
net.ipv4.tcp_sack = 0
Then execute the command:
# /sbin/sysctl -p
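An added example, not part of the original post, for the step after sysctl -p: the kernel silently ignores keys it does not know, and a typo in the file leaves the old value in place, so it is worth reading each value back from /proc/sys and comparing it with what the file asks for. The function below parses a sysctl.conf-style file, prints one DRIFT or MISSING line per problem and returns non-zero if anything is off. The second argument (an alternative /proc/sys root) exists only so the check can be run against a test tree; leave it out on a real host.

```shell
#!/bin/sh
# Added example, not part of the original post: after "sysctl -p", confirm that
# every key in a sysctl.conf-style file actually holds the value the file asks
# for, by reading the live value back from /proc/sys. Prints one DRIFT or
# MISSING line per problem and returns 1 if anything is off, 0 if all match.

# sysctl_drift CONF [PROCROOT]
sysctl_drift() {
    conf="$1"
    root="${2:-/proc/sys}"
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                                 # drop comments
        case "$line" in *=*) ;; *) continue ;; esac        # skip blank / non-assignment lines
        key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
        want=$(printf '%s' "${line#*=}" | tr -s '[:space:]' ' ')
        want="${want# }"; want="${want% }"                 # trim around the value
        path="$root/$(printf '%s' "$key" | tr . /)"        # net.ipv4.x -> net/ipv4/x
        if [ ! -r "$path" ]; then
            printf 'MISSING %s\n' "$key"                   # key unknown to this kernel
            rc=1
            continue
        fi
        have=$(tr -s '[:space:]' ' ' < "$path")            # multi-value keys use tabs
        have="${have% }"
        if [ "$have" != "$want" ]; then
            printf 'DRIFT %s want=%s have=%s\n' "$key" "$want" "$have"
            rc=1
        fi
    done < "$conf"
    return "$rc"
}

# Stand-alone use on a real host (needs read access to /proc/sys):
#   sysctl_drift /etc/sysctl.conf && echo "all sysctl values applied"
```

A MISSING line on a real host usually means the key name is misspelled or the kernel was built without that feature; a DRIFT line right after sysctl -p means something else (a later file under /etc/sysctl.d, or a tool such as a firewall script) is resetting the value.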
You can also execute the following commands to reduce exposure to SYN attacks in the future (each rule drops packets carrying a TCP flag combination that no legitimate connection uses):
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP