Defense against spoofing
Defense against DOS attack
hamids54




msg:4157344
 3:56 am on Jun 23, 2010 (gmt 0)

My server had been DOS attacked. I reported some of the suspected IPs to their datacenters.
They say the attackers may be using IP address spoofing. My question is what I must do to prevent IP address spoofing. The server manager says he has installed a firewall; is it enough, or
does it need any other actions?

 

lammert




msg:4157348
 4:12 am on Jun 23, 2010 (gmt 0)

Some types of attacks can be done with spoofed addresses, but others can't. In general, every type of DOS attack which needs communication back from the attacked server to the attacker to succeed cannot be spoofed.

If you are on Linux, and have enough knowledge of system administration, you could activate the built-in iptables firewall and block those IP addresses yourself. If the IP addresses change often this may not be a good approach because you continuously have to add new addresses to the lists.

In that case you need a more intelligent solution, either in an external firewall, in the internal server firewall or with scripts which read log files for suspicious activity and block IPs dynamically. For that solution to succeed you need to know the type of attack vector used in the attack (SYN flood, large Ping packets, continuous request of one HTTP page etc) and tune the firewall or scripts for that specific attack type.
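The "scripts which read log files ... and block IPs dynamically" idea from the reply above, sketched for the "continuous request of one HTTP page" case; this is an added example, not part of the original post. The log lines are constructed, the combined log format, the thresholds and the function names are assumptions, and the script only prints iptables commands instead of running them.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in Apache/nginx "combined" format (not real traffic):
# one client hammering a single page, one normal visitor, one malformed line.
SAMPLE_LOG = [
    f'198.51.100.7 - - [23/Jun/2010:03:50:{s:02d} +0000] "GET /index.php HTTP/1.1" 200 512'
    for s in range(8)
] + [
    '203.0.113.20 - - [23/Jun/2010:03:50:02 +0000] "GET / HTTP/1.1" 200 1024',
    '203.0.113.20 - - [23/Jun/2010:03:50:40 +0000] "GET /about.html HTTP/1.1" 200 2048',
    'not-an-ip - - [garbage] "GET / HTTP/1.1" 200 0',
]

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')

def find_flooders(lines, max_hits=5, window=timedelta(seconds=10)):
    """Return {ip: path} for clients that requested one path more than
    max_hits times inside a sliding window (lines must be time-ordered)."""
    recent = defaultdict(deque)   # (ip, path) -> timestamps still in the window
    offenders = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, stamp, _method, path = m.groups()
        try:
            ipaddress.ip_address(ip)   # never pass unvalidated text to a firewall rule
            when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue                   # skip malformed lines instead of crashing
        hits = recent[(ip, path)]
        hits.append(when)
        while when - hits[0] > window:  # drop hits that fell out of the window
            hits.popleft()
        if len(hits) > max_hits:
            offenders.setdefault(ip, path)
    return offenders

def iptables_rules(offenders):
    """Build one DROP rule per offending address, for review before applying."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(offenders)]

if __name__ == "__main__":
    for rule in iptables_rules(find_flooders(SAMPLE_LOG)):
        print(rule)
```

Addresses that show up in an HTTP access log completed a TCP handshake, so they are real endpoints and not spoofed sources; a SYN flood never reaches this log and needs a different detector.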

hamids54




msg:4157357
 4:39 am on Jun 23, 2010 (gmt 0)

Yes, it is Linux. I don't know anything about managing it. I am a webmaster.

At present there is no attack on my server. Fortunately the server manager defended against them and installed a firewall and 3 other pieces of software to prevent future attacks. I created this topic to get more information about defending against IP address spoofing. 14 IPs from 13 datacenters are suspected of taking part in the attack... does that show that the IPs have been changed and
blocking is not useful?

lammert




msg:4157368
 5:20 am on Jun 23, 2010 (gmt 0)

If the server manager already installed a firewall and some other defense software, there is not much else you can do other than wait and see if these are enough to protect you against new attacks.

Normally attacks with IP spoofing use random IP addresses. Most of the active IP addresses are used by surfers not by data centers. With all IPs resolving to data centers, it seems unlikely to me that they were randomly assigned spoofed IPs. I would rather suspect that these are hacked servers, or maybe these servers are anonymous proxy servers.

In both cases (hacked servers or anonymous proxies) I would block these IPs if they were attacking my server. No need to grant them access to your server, and the chances that they are used by legitimate visitors of your site are not so large.
