Full Version: find out where fake ip addresses are actually from
The Planet Forums > System Administration > General Support Questions
leegary888
I am currently under HTTP attack from a guy. This guy sent HTTP requests from hundreds of fake IP addresses. I created a script file that automatically blocked those fake IP addresses using iptables. Now my question is how to use iptables, or whatever the software is, to find out where those fake IP addresses are actually from.

thanks in advance
DanDanFireMan
Well, that is where things really get sticky. The problem is that if they are really spoofed, the only real way is to get a lot of ISPs involved. The reason is that a data packet at the IP layer will look like:

[Header] [Destination IP] [Source IP] [Options] [Data]

If the sender spoofs the source IP, there is nothing else in the packet that will lead back to the requester. With that said, there is a clarification necessary. One of two things is occurring.

1. The sender is spoofing the source address, which means this is really a SYN flood. These are really difficult to track because the data never makes it back to the sender. These are easier to block, however, with some firewall implementations.

2. The sender is proxying the requests through a bunch of proxy servers. In this case, to the web server this appears like a WHOLE BUNCH of clients all asking for the same thing. These are a bit harder to block, but because they are "full" connections, you know what proxies they are really passing through. The only work left in tracking them down is to contact the proxies and find out what IP is really making the requests.

I hope this is somewhat helpful to you. Hopefully someone else will have more input that might make this sound a little more promising.
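The point about the source field is easy to see in code. The following is an added example (not part of the original thread): it builds the IPv4 and TCP headers of a SYN packet with whatever source address the caller supplies, computes the real IPv4 header checksum, and parses the result back the way a receiver or firewall would. The addresses, ports and helper names are made up for illustration and nothing is sent on the wire. Note that in a real IPv4 header the source address comes before the destination address, which is the order used here.

```python
"""Build and parse a minimal IPv4/TCP SYN packet with a forged source address.

Added example, not code from the original thread. Addresses, ports and the
helper names are made up for illustration; nothing is transmitted.
"""
import socket
import struct


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement checksum over the IPv4 header (RFC 791).

    Run over a header whose checksum field is already filled in, it
    returns 0 when the header is intact.
    """
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_syn(src_ip: str, dst_ip: str, src_port: int, dst_port: int) -> bytes:
    """Return a 20-byte IPv4 header plus a 20-byte TCP header with only SYN set.

    The caller chooses src_ip freely. Nothing in the packet ties that field
    to the host that actually built it, which is why a spoofed SYN flood
    cannot be traced from the packets alone.
    """
    tcp = struct.pack(
        "!HHIIBBHHH",
        src_port, dst_port,
        0,          # sequence number (arbitrary)
        0,          # acknowledgement number
        5 << 4,     # data offset: 5 words, no options
        0x02,       # flags: SYN
        65535,      # window
        0,          # TCP checksum left zero: this packet is never sent
        0,          # urgent pointer
    )
    ip_fields = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                # version 4, IHL 5
        0,                   # DSCP/ECN
        20 + len(tcp),       # total length
        0x1234,              # identification
        0x4000,              # flags: DF, fragment offset 0
        64,                  # TTL
        6,                   # protocol: TCP
        0,                   # header checksum placeholder
        socket.inet_aton(src_ip),
        socket.inet_aton(dst_ip),
    )
    csum = ipv4_checksum(ip_fields)
    ip_header = ip_fields[:10] + struct.pack("!H", csum) + ip_fields[12:]
    return ip_header + tcp


def parse_packet(pkt: bytes) -> dict:
    """Decode the fields a receiver (or iptables) actually gets to see."""
    ver_ihl, _, _, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, _, _, _, flags = struct.unpack("!HHIIBB", pkt[ihl:ihl + 14])
    return {
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "ttl": ttl,
        "proto": proto,
        "sport": sport,
        "dport": dport,
        "syn": bool(flags & 0x02),
        "checksum_ok": ipv4_checksum(pkt[:ihl]) == 0,
    }


if __name__ == "__main__":
    # Victim 192.0.2.10, forged source 198.51.100.7 (RFC 5737 documentation ranges).
    print(parse_packet(build_syn("198.51.100.7", "192.0.2.10", 40000, 80)))
```

The checksum validates no matter which source address was written in, so a firewall that keys on the source field of a SYN is keying on attacker-controlled data. That is the difference from case 2 above: a completed TCP handshake proves the peer can receive traffic at that address, a lone SYN proves nothing.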
jd_waverly
The previous poster pretty much said it all...

BUT... I'd be very wary about using a script to automatically add the IP addresses of SPOOFED packets to ANY iptables firewall.
Tools like nmap can generate thousands of spoofed connection requests per second.

In this case you could end up in some bad situations:

Your own IP gets spoofed and blocked, and you can't access your own server anymore.

You block thousands of innocent ISP clients from accessing your system making the solution worse than the problem.

You add so many entries to iptables that your server slows to a crawl and iptables eats up so much memory your clients can't use your server (DoSing yourself!!).

If it is a SYN flood OCCURRING FROM SPOOFED IPs, simply turning on SYN cookies is the safest defense. To do that:

Put the following in /etc/sysctl.conf;
this will enable it automatically on boot:

#enable TCP SYN cookie protection
net.ipv4.tcp_syncookies=1

If the IPs ARE NOT SPOOFED, then the firewall option is a reasonable solution.

Also see this thread:

http://forum.ev1servers.net/showthread.php...&threadid=17363
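The three failure modes listed above (locking yourself out, banning whole ISPs, and bloating the rule set) can all be guarded against in the blocking script itself. The following is an added example, not code from the thread or from the original poster's script: it checks whether the kernel already has SYN cookies on, returns the commands that would turn them on, and wraps the auto-block step so that protected networks are never blocked and the number of rules is capped. The sysctl path, the protected networks and the helper names are assumptions; the commands are only returned as strings, nothing is applied to the running system.

```python
"""Safer SYN-flood handling for an auto-blocking script.

Added example, not from the original thread. Paths, networks and helper
names are assumptions for illustration; generated commands are returned
as strings and never executed here.
"""
import ipaddress
from typing import Iterable, List, Tuple

SYSCTL_PATH = "/proc/sys/net/ipv4/tcp_syncookies"   # where Linux exposes the setting


def syncookies_enabled(path: str = SYSCTL_PATH) -> bool:
    """True when the kernel reports SYN cookies on (1 = when needed, 2 = always)."""
    try:
        with open(path) as fh:
            return fh.read().strip() in ("1", "2")
    except OSError:
        return False   # not Linux, or /proc unavailable: treat as off


def syncookies_remediation() -> List[str]:
    """Commands (run as root) to enable SYN cookies now and across reboots."""
    return [
        "sysctl -w net.ipv4.tcp_syncookies=1",
        "echo 'net.ipv4.tcp_syncookies=1' >> /etc/sysctl.conf",
    ]


def safe_block_rules(candidates: Iterable[str], protected: Iterable[str],
                     max_rules: int = 500) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Turn offending IPs into iptables DROP commands with two guards.

    - Anything inside a protected network (your own admin address, your
      monitoring hosts, your upstream's NAT range) is skipped, so a spoofed
      packet carrying your address cannot lock you out.
    - At most max_rules commands are produced, so a flood of thousands of
      forged sources cannot turn the firewall itself into the DoS.

    Returns (commands, skipped), where skipped pairs each dropped candidate
    with the reason, so the operator can review what was not blocked.
    """
    protected_nets = [ipaddress.ip_network(p, strict=False) for p in protected]
    commands: List[str] = []
    skipped: List[Tuple[str, str]] = []
    seen = set()
    for raw in candidates:
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            skipped.append((raw, "not an IP address"))
            continue
        if ip in seen:           # a flood repeats sources; one rule each
            continue
        seen.add(ip)
        if any(ip in net for net in protected_nets):
            skipped.append((raw, "protected"))
            continue
        if len(commands) >= max_rules:
            skipped.append((raw, "rule cap reached"))
            continue
        commands.append("iptables -I INPUT -s %s -j DROP" % ip)
    return commands, skipped


if __name__ == "__main__":
    if not syncookies_enabled():
        print("\n".join(syncookies_remediation()))
    # Constructed candidate list: 192.0.2.0/24 stands in for the admin network.
    cmds, dropped = safe_block_rules(
        ["203.0.113.5", "203.0.113.5", "198.51.100.20", "192.0.2.7", "garbage"],
        protected=["192.0.2.0/24"], max_rules=100)
    print("\n".join(cmds))
    print(dropped)
```

If the rule cap is reached in practice that is itself a signal that the sources are probably spoofed and per-address blocking is the wrong tool; SYN cookies handle that case without any per-source state.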
leegary888
QUOTE
Originally posted by DanDanFireMan
(quote of DanDanFireMan's post above snipped)

Thanks for your very helpful information, I still got one more question:

If I get the following log lines 100 times/second from hundreds of different IP addresses in my log:

61.144.83.138 - - [04/Feb/2004:06:21:17 -0600] "GET /index.htm HTTP/1.1" 200 89 "-" "Microsoft URL Control - 6.00.8169"
211.21.116.130 - - [04/Feb/2004:06:21:21 -0600] "GET /big5/ HTTP/1.0" 200 94 "-" "Microsoft URL Control - 6.00.8169"

Can I conclude that those IP addresses are either real or from some proxy servers? Or is it possible that those IP addresses are spoofed IP addresses?

Thanks in advance
Eric
If you get anything in your Apache logs it's definitely not a spoofed IP.
It's a DDoS attack.

I suggest you ban where the user agent is "Microsoft URL Control".

MS URL Control is a programming interface for Visual Basic; there's no legitimate reason this needs to be allowed.

211.21.116.130 is a proxy.
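Banning by user agent is a matter of parsing the access log. The following is an added example, not code from the thread or from anyone in it: it parses Apache combined-format lines like the ones the original poster showed, counts requests per client, collects the clients whose agent matches "Microsoft URL Control", and returns the iptables commands for them plus an Apache-side alternative. The log lines are constructed with documentation addresses (RFC 5737), and the pattern, threshold and helper names are assumptions. The Apache snippet uses the 2.2-era Order/Allow/Deny directives; on Apache 2.4 the same thing is written with Require.

```python
"""Find and block HTTP flood clients by User-Agent from an Apache access log.

Added example, not from the original thread. The log lines are constructed
(RFC 5737 addresses) in the combined format the original poster showed;
the pattern and helper names are assumptions.
"""
import re
from collections import Counter, defaultdict

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: three flood clients on the VB "URL Control" agent, one real browser,
# one unparseable line.
SAMPLE_LOG = """\
203.0.113.8 - - [04/Feb/2004:06:21:17 -0600] "GET /index.htm HTTP/1.1" 200 89 "-" "Microsoft URL Control - 6.00.8169"
198.51.100.23 - - [04/Feb/2004:06:21:17 -0600] "GET /big5/ HTTP/1.0" 200 94 "-" "Microsoft URL Control - 6.00.8169"
203.0.113.8 - - [04/Feb/2004:06:21:18 -0600] "GET /index.htm HTTP/1.1" 200 89 "-" "Microsoft URL Control - 6.00.8169"
192.0.2.55 - - [04/Feb/2004:06:21:18 -0600] "GET /index.htm HTTP/1.1" 200 89 "http://example.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.77 - - [04/Feb/2004:06:21:19 -0600] "GET /index.htm HTTP/1.1" 200 89 "-" "Microsoft URL Control - 6.00.8169"
this line is garbage and must be ignored
"""

BAD_UA = re.compile(r"microsoft url control", re.IGNORECASE)


def parse_line(line: str):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text: str, ua_pattern=BAD_UA) -> dict:
    """Count requests per client and collect clients using a blocked agent.

    These are completed HTTP requests, so the addresses are real endpoints
    (clients or proxies), not spoofed sources; blocking them is meaningful.
    """
    per_ip = Counter()
    agents = defaultdict(set)
    flagged = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        per_ip[rec["ip"]] += 1
        agents[rec["ip"]].add(rec["ua"])
        if ua_pattern.search(rec["ua"]):
            flagged.add(rec["ip"])
    return {"per_ip": per_ip, "agents": agents, "flagged": sorted(flagged)}


def iptables_rules(ips) -> list:
    """DROP rules for the flagged clients (run as root; review the list first)."""
    return ["iptables -I INPUT -s %s -p tcp --dport 80 -j DROP" % ip for ip in ips]


# Apache 2.2-style alternative: refuse the agent at the web server instead of
# the firewall, so offenders get a 403 and the access log keeps a record.
APACHE_DENY = """\
SetEnvIfNoCase User-Agent "Microsoft URL Control" bad_client
<Location />
    Order Allow,Deny
    Allow from all
    Deny from env=bad_client
</Location>
"""

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, n in result["per_ip"].most_common():
        print("%-16s %3d  %s" % (ip, n, ", ".join(sorted(result["agents"][ip]))))
    print("\n".join(iptables_rules(result["flagged"])))
    print(APACHE_DENY)
```

The per-IP agent sets are kept so you can see whether an address is a single bot or a shared proxy carrying both the flood and real browsers; the latter is the case where a firewall DROP also cuts off innocent users and the Apache-side deny is the better choice.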
leegary888
I have banned it already :D
leegary888
How did you find out that 211.21.116.130 is a proxy?

thanks
Eric
QUOTE
Originally posted by leegary888
How did you find out that 211.21.116.130 is a proxy?

thanks


Port scan.
Windows NT4 with a buggy version of a web server, probably a hacked machine.

The other IP is probably a proxy as well, just closed now.
leegary888
QUOTE
Originally posted by Eric
Port scan.
Windows NT4 with a buggy version of a web server, probably a hacked machine.

The other IP is probably a proxy as well, just closed now.


What software did you use for the port scan, and how did you use that software? Sorry for asking too many questions.

thank you very much
perldork
Don't know what Eric used, but nmap is a great scanning tool, available for both Windows and *nix. The latest version has a new version-scanning module added to it, so not only will it tell you what ports are open, it will do its best to figure out the exact service running on that port. Cool stuff.

http://www.insecure.org/nmap/

The site has lots of documentation on running and using nmap :)
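For the specific question in this thread (is a given source a proxy or a hacked web server?), the manual equivalent of nmap's version scan is a connect to the usual HTTP/proxy ports and a look at the banner. The following is an added example, not code from the thread or from nmap: it probes a list of ports, sends an HTTP HEAD, and extracts the Server header plus the Via/Proxy-Agent headers a proxy typically adds. The target, port list and helper names are placeholders and the sample response used for the offline check is constructed. Probe only hosts you are authorized to scan; many providers treat unsolicited scanning as abuse.

```python
"""Minimal port probe with HTTP banner grab (what nmap -sV automates).

Added example, not from the thread. Target, ports and helper names are
placeholders; the constructed response below lets parse_http_banner be
checked without any network access.
"""
import socket

HTTP_HEAD = b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n"
PROXY_HEADERS = ("via", "proxy-agent", "x-cache")   # headers proxies commonly add
DEFAULT_PORTS = (80, 8080, 3128, 8000)               # web plus common proxy ports

# Constructed response, not captured from any real host.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/4.0\r\n"
    b"Via: 1.1 cache01 (Squid/2.5.STABLE3)\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)


def parse_http_banner(raw: bytes) -> dict:
    """Extract the status line, Server header and any proxy indicators."""
    text = raw.decode("latin-1", "replace")
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    out = {"status": lines[0] if lines else "", "server": "", "proxy_hints": {}}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        key = name.strip().lower()
        if key == "server":
            out["server"] = value.strip()
        elif key in PROXY_HEADERS:
            out["proxy_hints"][key] = value.strip()
    out["looks_like_proxy"] = bool(out["proxy_hints"])
    return out


def grab(host: str, port: int, timeout: float = 3.0) -> dict:
    """Connect, send HEAD, read what comes back; None if the port is closed."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None
    data = b""
    try:
        sock.sendall(HTTP_HEAD % host.encode("ascii"))
        sock.settimeout(timeout)
        while len(data) < 4096:
            chunk = sock.recv(1024)
            if not chunk:
                break
            data += chunk
    except OSError:
        pass                       # keep whatever arrived before the error
    finally:
        sock.close()
    if data.startswith(b"HTTP/"):
        return parse_http_banner(data)
    return {"status": "open, non-HTTP reply", "server": "", "proxy_hints": {},
            "looks_like_proxy": False}


def probe(host: str, ports=DEFAULT_PORTS, timeout: float = 3.0) -> dict:
    """Banner for every port in the list; closed ports map to None."""
    return {port: grab(host, port, timeout) for port in ports}


if __name__ == "__main__":
    print(parse_http_banner(SAMPLE_RESPONSE))
    # Real use (placeholder address, RFC 5737): probe("203.0.113.5")
```

A Via header naming Squid, or a Proxy-Agent header, is the quickest confirmation that an address is an open or compromised proxy rather than the end client; an old Server banner on a box that is also relaying requests is the "hacked machine" pattern Eric described.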