Well, for the folks that say block the IP address, I don't think that will work. If I understand the problem, a popular webserver (attacker) has placed links to pages in hidden iframes on the DOS target (target) machine. So when I hit the attacker machine, his web page just makes my browser get files off the target machine, and hence the DOS, so the IP address the request comes from will be that of the CLIENT, not the server that is technically the attacking machine. They are using their own visitors to DOS the target machine from a variety of IP addresses as a result.

Most things you can do to combat it would probably still take the hit to the server, which I guess is your problem. Suggestions depend on what the actual DOS problem is: connections to the webserver? Bandwidth overuse? Something else, database hits on your server?

Maybe you could:

0. CALL THE GUY'S ISP, notify them at abuse@, admin@, security@, postmaster@ or any other public mail address they show. It has to be against their terms of use. Do this no matter what. Consider calling the police or FBI; DOS attacks are illegal. And tell this guy you are going to do that as well.

1. Put a redirect to a huge file on his server in place of the file he is linking to, so he would reattack himself in place of the file he is linking to, if possible. It would also make his site seem slow to the client.

2. Make a text file instead that explains why the website they are on is being such a weasel or some other negative thing, and hope someone views source. Put dirty words in it so maybe content filtering proxies screw him up.

3. Block traffic based on referrer. But like I said, that will still take a hit on your webserver, since you can't know who referred till the packet is decoded, and using the iframes trick might screw up the referrer, but it is worth a look. http://www.cpan.org/modules/by-module/Apache/Apache-RefererBlock-0.03.readme says it will do it, but again, depending on what resource of yours he is using up, it might not help.

4. Get a stateful firewall that can look inside the TCP/IP packets and grep for his IP address, since it will be in the packet payload someplace.

5. Make a JavaScript page that pops up a window and says bad things about this whole situation.

6. Require some pages to have certain referrers. If it is inside pages, you can check the referrer and maybe make sure it came from another page on your website. http://www.leekillough.com/robots.html might help you there.

After a re-read, some of the above don't make sense, since he might be pulling in the actual pages of the target website, so you can't just replace them, I guess. Hope for the referrer thing.

----- Original Message -----
From: "Hunt, Jim" <Jim.Huntat_private>
To: <Incidentsat_private>
Sent: Sunday, October 27, 2002 11:59 PM
Subject: DOS ATTACK

> I have a friend that has a DOS Attack going on against their website. It is being done by someone with a very popular website trying to squash a little guy. He is doing it by placing 1 pixel by 1 pixel inline frames in his webpages and having them load my friend's webpage. It is killing his server and bandwidth.
>
> What can we do to block? The Server is W2K with IIS.
>
> Thanks!
>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
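An added example, not part of the original message or of any tool it links to: a Python sketch that tallies an IIS W3C extended log by Referer host, showing the hits arriving from many client IPs but one referring site, and a matching block decision for item 3. The host names, IP addresses and log lines are constructed, and it assumes the `cs(Referer)` field is enabled in the site's logging properties.

```python
from collections import defaultdict
from urllib.parse import urlsplit

OWN_HOST = "www.target.example"  # assumption: the site being protected

# Constructed sample log (not real traffic). IIS writes '-' for an empty field.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(Referer)
2002-10-27 23:10:01 192.0.2.10 GET /index.htm 200 http://popular.example/home.htm
2002-10-27 23:10:01 198.51.100.7 GET /index.htm 200 http://popular.example/news.htm
2002-10-27 23:10:02 203.0.113.45 GET /index.htm 200 http://popular.example/home.htm
2002-10-27 23:10:02 192.0.2.77 GET /about.htm 200 http://www.target.example/index.htm
2002-10-27 23:10:03 198.51.100.23 GET /index.htm 200 -
2002-10-27 23:10:04 203.0.113.9 GET /index.htm 200 http://popular.example/forum.htm
"""


def referer_summary(log_text, own_host=OWN_HOST):
    """Return {referer_host: (hits, distinct_client_ips)} for external referers."""
    fields, hits, clients = [], defaultdict(int), defaultdict(set)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        ref = row.get("cs(Referer)", "-")
        # A missing Referer gets its own bucket; it is never counted as internal.
        host = "(none)" if ref == "-" else (urlsplit(ref).hostname or "(unparsable)")
        if host == own_host:
            continue
        hits[host] += 1
        clients[host].add(row.get("c-ip"))
    return {h: (hits[h], len(clients[h])) for h in hits}


def should_block(referer, blocked_hosts):
    """Item 3's rule: refuse only requests whose Referer host is blocklisted."""
    if not referer or referer == "-":
        return False  # no Referer sent: this rule cannot decide either way
    return (urlsplit(referer).hostname or "") in blocked_hosts


if __name__ == "__main__":
    for host, (n, ips) in sorted(referer_summary(SAMPLE_LOG).items(), key=lambda kv: -kv[1][0]):
        print(f"{host:20} hits={n} distinct_ips={ips}")
```

Requests that arrive without a Referer fall through `should_block`, which is the gap the message anticipates when it says the iframes trick might affect the referrer.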
This archive was generated by hypermail 2b30 : Mon Oct 28 2002 - 21:44:28 PST