From: Volker Tanger (vtlists@wyae.de)
Date: Sat Jan 21 2006 - 15:18:57 EST
Greetings!
On Fri, 20 Jan 2006 16:01:30 -0200
Jorge Alfredo Garcia <frederix@gmail.com> wrote:
> I have two dedicated servers, both hosted by the same provider and
> both on the same segmnet.
> I am under a denial of services attack but idont know exactaly how to
> stop it. Here is a piece of my netstat output:
>
> tcp 0 1 XX.XX.XX.AA:47561 XX.XX.XX.BB:80
> SYN_SENT
>
> Ok, XX.XX.XX.AA is the server i am in now.
> XX.XX.XX.BB is mine two and here are the connections:
>
> tcp 0 0 XX.XX.XX.BB:80 XX.XX.XX.AA:50749
> SYN_RECV
So you are seeing thousands of HTTP requests going from server AA to BB.
If you are not seeing any SynAc or data traffic, your server AA has an
open/listening socket, but does not answer, thus BB is re-trying hard.
Some protocols (e.g. XML-RPC) are using http-like connections (via
tcp/80), so you might see your very own back-office application running
wild, trying to connect to an HTTP-based application on AA.
So maybe you might want to stop server BB and then look into re-starting
AA to give AA a change for clean startup before putting a load onto it.
Bye
Volker
-- Volker Tanger http://www.wyae.de/volker.tanger/ -------------------------------------------------- vtlists@wyae.de PGP Fingerprint 378A 7DA7 4F20 C2F3 5BCC 8340 7424 6122 BB83 B8CB ------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:23 EDT