Msg#: 4157342 posted 3:56 am on Jun 23, 2010 (gmt 0)
my server had been DOS attack.I reported some of suspected ip`s to their datacenters. they say maybe attackers use IP address spoofing.my question is what I must do to prevent ip address spoofing.server manager says he has installed firewall , is it enough or it needs any other actions?
Msg#: 4157342 posted 4:12 am on Jun 23, 2010 (gmt 0)
Some type of attacks can be done with spoofed addresses, but others can't. In general, every type of DOS attack which needs communication back from the attacked server to the attacker to succeed cannot be spoofed.
If you are on Linux, and have enough knowledge of system administration, you could activate the built-in iptables firewall and block those IP addresses yourself. If the IP addresses change often this may not be a good approach because you continuously have to add new addresses to the lists.
In that case you need a more intelligent solution, either in an external firewall, in the internal server firewall or with scripts which read log files for suspicious activity and block IPs dynamically. For that solution to succeed you need to know the type of attack vector used in the attack (SYN flood, large Ping packets, continuous request of one HTTP page etc) and tune the firewall or scripts for that specific attack type.
Msg#: 4157342 posted 4:39 am on Jun 23, 2010 (gmt 0)
yes it is linux.I don`t know anything about managing.I am webmaster.
at present there is no attack on my server.fortunately server manager defended them and installed firewall and 3 other softwares to prevent future attacks.I created this topic for getting more informations defending IP address spoofing. 14 ips from 13 datacenters suspicious to take part attack...does it shows that ip`s has been changed and blocking is not usefull?
Msg#: 4157342 posted 5:20 am on Jun 23, 2010 (gmt 0)
If the server manager already installed a firewall and some other defense software, there is not much else you can do than wait and see if these are enough to protect you against new attacks.
Normally attacks with IP spoofing use random IP addresses. Most of the active IP addresses are used by surfers not by data centers. With all IPs resolving to data centers, it seems unlikely to me that they were randomly assigned spoofed IPs. I would rather suspect that these are hacked servers, or maybe these servers are anonymous proxy servers.
In both cases (hacked servers or anonymous proxies) I would block these IPs if they were attacking my server. No need to grant them access to your server and the changes that they are used by legitimate visitors of your site is not so large.