DoS attacks by Japanese! banzai help!
Posted by: jobrien2001 (---.230.251.206.speedy.net.pe)
Date: April 13, 2008 05:39AM

My Windows Server 2003 WAMP server has been getting DoS attacks.

I see multiple connections from several different IPs from Japan using netstat in cmd. As soon as I restart the Apache service the connections resume, until the Apache service doesn't respond anymore.

How can I stop these samurais?

Here is part of the result:

TCP servidor:http 84.206.145.122.ap.yournet.ne.jp:2780 ESTABLISHED
TCP servidor:http 205.206.145.122.ap.yournet.ne.jp:1880 ESTABLISHED
TCP servidor:http 205.206.145.122.ap.yournet.ne.jp:3809 ESTABLISHED
TCP servidor:http 245.207.145.122.ap.yournet.ne.jp:1124 ESTABLISHED
TCP servidor:http 245.207.145.122.ap.yournet.ne.jp:1258 ESTABLISHED
TCP servidor:http 245.207.145.122.ap.yournet.ne.jp:3049 ESTABLISHED
TCP servidor:http 230.212.145.122.ap.yournet.ne.jp:1279 ESTABLISHED
TCP servidor:http 230.212.145.122.ap.yournet.ne.jp:1656 ESTABLISHED
TCP servidor:http 230.212.145.122.ap.yournet.ne.jp:1790 ESTABLISHED
TCP servidor:http 230.212.145.122.ap.yournet.ne.jp:1811 ESTABLISHED
TCP servidor:http 230.212.145.122.ap.yournet.ne.jp:2164 ESTABLISHED
TCP servidor:http 230.212.145.122.ap.yournet.ne.jp:2184 ESTABLISHED
TCP servidor:http 230.212.145.122.ap.yournet.ne.jp:2513 ESTABLISHED
TCP servidor:http 230.212.145.122.ap.yournet.ne.jp:2832 ESTABLISHED
TCP servidor:http 230.212.145.122.ap.yournet.ne.jp:2840 ESTABLISHED
TCP servidor:http 230.212.145.122.ap.yournet.ne.jp:3040 ESTABLISHED
TCP servidor:http 230.212.145.122.ap.yournet.ne.jp:3109 ESTABLISHED
TCP servidor:http 230.212.145.122.ap.yournet.ne.jp:3479 ESTABLISHED
TCP servidor:http 230.212.145.122.ap.yournet.ne.jp:3701 ESTABLISHED
TCP servidor:http 230.212.145.122.ap.yournet.ne.jp:3776 ESTABLISHED
TCP servidor:http 230.212.145.122.ap.yournet.ne.jp:3835 ESTABLISHED
TCP servidor:http 230.212.145.122.ap.yournet.ne.jp:4871 ESTABLISHED
TCP servidor:http 230.212.145.122.ap.yournet.ne.jp:4882 ESTABLISHED
TCP servidor:http 230.212.145.122.ap.yournet.ne.jp:4887 ESTABLISHED
TCP servidor:http 125.213.145.122.ap.yournet.ne.jp:1266 ESTABLISHED
TCP servidor:http 125.213.145.122.ap.yournet.ne.jp:1765 ESTABLISHED
TCP servidor:http 125.213.145.122.ap.yournet.ne.jp:2462 ESTABLISHED
TCP servidor:http 125.213.145.122.ap.yournet.ne.jp:3782 ESTABLISHED
TCP servidor:http 210.213.145.122.ap.yournet.ne.jp:1370 ESTABLISHED
TCP servidor:http 210.213.145.122.ap.yournet.ne.jp:3350 ESTABLISHED
TCP servidor:http 210.213.145.122.ap.yournet.ne.jp:4741 ESTABLISHED
TCP servidor:http 210.213.145.122.ap.yournet.ne.jp:4842 SYN_RECEIVED

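To turn a netstat listing like the one above into something actionable, here is an added Python example (not from the thread, and not part of Apache, mod_evasive or mod_security). It parses the listing, counts connections per remote source and per TCP state for the web port only, and reports sources and /24 ranges above a threshold. Two things are assumptions: the sample lines are constructed to mirror the poster's output, and a hostname that begins with four octets is read as the IP address written backwards, which the octet pattern in the post (leading octets 84, 205, 245, 230, 125 and 210 in front of a constant 145.122) suggests but which nothing in the thread confirms.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of the poster's output: `netstat` with
# reverse-DNS names, the local side shown as "servidor:http". Not captured data.
SAMPLE_NETSTAT = """\
TCP servidor:http 84.206.145.122.ap.yournet.ne.jp:2780 ESTABLISHED
TCP servidor:http 205.206.145.122.ap.yournet.ne.jp:1880 ESTABLISHED
TCP servidor:http 230.212.145.122.ap.yournet.ne.jp:1279 ESTABLISHED
TCP servidor:http 230.212.145.122.ap.yournet.ne.jp:1656 ESTABLISHED
TCP servidor:http 230.212.145.122.ap.yournet.ne.jp:1790 ESTABLISHED
TCP servidor:http 210.213.145.122.ap.yournet.ne.jp:4842 SYN_RECEIVED
TCP servidor:http 10.0.0.5:51234 ESTABLISHED
TCP servidor:3389 10.0.0.7:50001 ESTABLISHED
"""

# TCP <local>:<port> <remote>:<port> <state>
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\S+)\s+(\S+):(\d+)\s+(\S+)\s*$")
# Hostname that starts with four dotted octets followed by a provider suffix.
REV_OCTET_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.\S+$")


def is_ipv4(text):
    parts = text.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


def source_ip(host):
    """Best-guess IPv4 address for a remote endpoint as netstat printed it.

    Dotted quads pass through unchanged. A hostname that begins with four
    octets is ASSUMED (heuristic, not a documented naming rule) to carry the
    address in reverse order, so 230.212.145.122.ap... becomes 122.145.212.230.
    Anything else is returned as-is so it still shows up in the counts.
    """
    if is_ipv4(host):
        return host
    m = REV_OCTET_RE.match(host)
    if m:
        return ".".join(reversed(m.groups()))
    return host


def summarize(netstat_text, local_port="http"):
    """Map each remote source to a Counter of TCP states, for one local port only."""
    per_source = defaultdict(Counter)
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # headers, UDP rows, blank lines
        _lhost, lport, rhost, _rport, state = m.groups()
        if lport != local_port:
            continue                       # ignore RDP, SMB and the like
        per_source[source_ip(rhost)][state] += 1
    return per_source


def offenders(per_source, threshold):
    """Sources at or above `threshold` connections, plus a /24 roll-up.

    Returns (hosts, nets), each sorted by descending count. The /24 view is
    there because a flood from a dynamic range tends to reappear on a
    neighbouring address after the first one is blocked.
    """
    totals = {src: sum(states.values()) for src, states in per_source.items()}
    hosts = sorted((s for s, n in totals.items() if n >= threshold),
                   key=lambda s: -totals[s])
    by_net = Counter()
    for src, n in totals.items():
        if is_ipv4(src):
            by_net[src.rsplit(".", 1)[0] + ".0/24"] += n
    nets = sorted((net for net, n in by_net.items() if n >= threshold),
                  key=lambda net: -by_net[net])
    return hosts, nets


if __name__ == "__main__":
    per_source = summarize(SAMPLE_NETSTAT)
    for src, states in sorted(per_source.items()):
        print(f"{src:18} {dict(states)}")
    hosts, nets = offenders(per_source, threshold=3)
    print("hosts over threshold:", hosts)
    print("/24s over threshold :", nets)
```

On the server itself, feed it the output of `netstat -an` (numeric, so no reverse lookups are performed and the octet heuristic never fires); the two lists are what goes into whatever blocking mechanism is available, whether a router filter rule or an IPsec blocking policy on the Windows host. Counting SYN_RECEIVED separately from ESTABLISHED matters because a backlog of half-open connections points at a SYN flood, which source blocking will not fix if the addresses are spoofed.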
Re: DoS attacks by Japanese! banzai help!
Posted by: toivo (---.nsw.bigpond.net.au)
Date: April 13, 2008 10:23AM

Hi,

Depending on the capabilities of your router-firewall, you may be able to do ingress filtering, meaning that the firewall will check if the packets are coming from the network they claim they originate from, in other words that the origin address in the packets is not spoofed. The document RFC 2667 Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing, issued in 1998 and available from [www.faqs.org], recommends that ISPs should be doing ingress filtering.

If the attacker is controlling an army of bots or zombies, the attacks could be coming from anywhere and blocking a subnet in .htaccess would not be very effective.

If the IP addresses in your sample are the actual addresses, the source of the DOS packets may not actually be Japan. For example 210.213.145.151 according to a 'whois' query on a Linux box is in the Philippines. Regarding 230.212.145.122, 'whois' says "This block is reserved for special purposes. Comment: Please see RFC 3171 for additional information." That address may actually be used for some sort of network control purposes.

The spoofed IP address could be the address of the actual targeted company or institution where the response packets are directed to go.

There is a module for Apache, mod_evasive, designed to protect Apache from DOS attacks. More information at [www.zdziarski.com] but I could not see a Windows version of it.

It looks as if your firewall would benefit from a good Intrusion Detection component.

Regards,

toivo
Sydney, Australia

Re: DoS attacks by Japanese! banzai help!
Posted by: jobrien2001 (---.230.85.150.speedy.net.pe)
Date: April 14, 2008 02:12AM

Thanks for the suggestions. I couldn't find mod_evasive for Windows, but I did find mod_security2, which is basically the same thing; some argue it's better.

The problem is that connections are still flooding my server. Now they are coming from different IPs. I am not sure how to set up a filter on my router that would check for a source/destination match.

Here is the menu; perhaps someone can give me a hand with it...

Menu 21.11.1 - TCP/IP Filter Rule

Filter #: 11,1
Filter Type= TCP/IP Filter Rule
Active= No
IP Protocol= 0 IP Source Route= No
Destination: IP Addr=
IP Mask=
Port #=
Port # Comp= None
Source: IP Addr=
IP Mask=
Port #=
Port # Comp= None
TCP Estab= N/A
More= No Log= None
Action Matched= Check Next Rule
Action Not Matched= Check Next Rule

Press ENTER to Confirm or ESC to Cancel:
Press Space Bar to Toggle.

If it's not possible to filter attacks via my router, could it be done by Windows Server 2003?



Edited 1 time(s). Last edit at 04/14/2008 03:17AM by jobrien2001.

Re: DoS attacks by Japanese! banzai help!
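For illustration, here is the same menu filled in to drop TCP traffic to port 80 from one /24 of the suspected source range, while everything else is passed on to the next rule. This is an added example, not a rule from the thread or from the router vendor's documentation. The address 122.145.212.0/24 is an assumption: it reads the four leading octets of the reverse-DNS names in the first post as the address written backwards, since a 230.x.x.x unicast source cannot exist. The option values (6 for TCP, Equal, Drop, Match) are the ones this style of menu usually offers and should be checked against the router's own toggles.

```text
Menu 21.11.1 - TCP/IP Filter Rule

Filter #: 11,1
Filter Type= TCP/IP Filter Rule
Active= Yes
IP Protocol= 6 IP Source Route= No
Destination: IP Addr= 0.0.0.0
IP Mask= 0.0.0.0
Port #= 80
Port # Comp= Equal
Source: IP Addr= 122.145.212.0
IP Mask= 255.255.255.0
Port #= 0
Port # Comp= None
TCP Estab= No
More= No Log= Match
Action Matched= Drop
Action Not Matched= Check Next Rule
```

A destination of 0.0.0.0 with mask 0.0.0.0 means any destination address; "TCP Estab= No" makes the rule apply to the initial SYN as well as to established connections, which is what a block needs. The filter set only takes effect once it is applied as an input filter on the WAN interface. A rule keyed to one range stops working as soon as the sources move, as the post above reports, so it buys time rather than solving the problem; the rate-based protection of mod_evasive or mod_security, or the intrusion detection toivo mentions, is the more general answer.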
Posted by: toivo (203.19.130.---)
Date: April 14, 2008 07:35AM

Hi,

Now we are getting into router support, in which you may be better off by getting a local networking and firewall specialist involved. Just a suggestion.

Regards,

toivo
Sydney, Australia
