Security Incidents mailing list archives

Re: DOS ATTACK


From: Blake Girardot <girardot () mac com>
Date: Mon, 28 Oct 2002 23:09:59 -0500

Well for the folks that say block the IP address, I don't think that will
work.

If I understand the problem, a popular webserver (attacker) has placed links
to pages in hidden iframes on the DOS target (target) machine.

So when I hit the attacker machine, his web page just makes my browser get
files off the target machine, and hence the DOS, so the IP address the
request comes from will be that of the CLIENT, not the server that is
technically the attacking machine.

They are using their own visitors to DOS the target machine from a variety
of IP addresses as a result.

Most things you can do to combat it would probably still take the hit to the
server, which I guess is your problem. Suggestions depend on what the actual
DOS problem is: connections to the webserver? bandwidth overuse? something
else, database hits on your server?

Maybe you could:

0. CALL THE GUY'S ISP, notify them at abuse@, admin@, security@, postmaster@
or any other public mail address they show. It has to be against their terms
of use. Do this no matter what, consider calling the police or FBI, DOS
attacks are illegal. And tell this guy you are going to do that as well.

1. Put a redirect to a huge file on his server in place of the file he is
linking to so he would reattack himself in place of the file he is linking
to if possible. It would also make his site seem slow to the client.

2. Make a text file instead that explains why the website they are on is
being such a weasel or some other negative thing and hope someone views
source. Put dirty words in it so maybe content filtering proxies screw him
up.

3. Block traffic based on referrer. But like I said that will still take a
hit on your webserver since you can't know who referred till the packet is
decoded and using the iframes trick might screw up the referrer, but it is
worth a look.
http://www.cpan.org/modules/by-module/Apache/Apache-RefererBlock-0.03.readme
says it will do it, but again, depending on what resource of yours he is
using up, it might not help.

4. Get a stateful firewall that can look inside the TCP/IP packets and grep
for his IP address since it will be in the packet payload someplace.

5. Make a JavaScript page that pops up a window and says bad things about
this whole situation.

6. Require some pages to have certain referrers. If it is inside pages you
can check the referrer and maybe make sure it came from another page on your
website.
http://www.leekillough.com/robots.html might help you there.

After a re-read, some of the above don't make sense since he might be
pulling in the actual pages of target website so you can't just replace them
I guess. Hope for the referrer thing.


----- Original Message -----
From: "Hunt, Jim" <Jim.Hunt () nwsc k12 in us>
To: <Incidents () securityfocus com>
Sent: Sunday, October 27, 2002 11:59 PM
Subject: DOS ATTACK


I have a friend that has a DOS Attack going on against their website.  It
is being done by someone with a very popular website trying to squash a
little guy.  He is doing it by placing 1 pixel by 1 pixel inline frames in
his webpages and having them load my friend's webpage.  It is killing his
server and bandwidth.

What can we do to block?  The Server is W2K with IIS.

Thanks!
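
An added example, not part of either message above: the reply's point that the requests come from many client IPs but share one embedding site can be checked in the server's own logs by grouping on Referer instead of client IP. It assumes IIS W3C extended logging with the cs(Referer) field enabled; the hosts, IPs and log lines are constructed placeholders, and `referer_profile` and `should_reject` are hypothetical helper names.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in IIS W3C extended log format; hosts and IPs are
# documentation placeholders, not values from the thread.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(Referer)
2002-10-27 23:01:02 192.0.2.10 GET /index.htm 200 http://popular.example/news.htm
2002-10-27 23:01:02 192.0.2.77 GET /index.htm 200 http://popular.example/
2002-10-27 23:01:03 198.51.100.4 GET /index.htm 200 http://popular.example/forum.htm
2002-10-27 23:01:03 203.0.113.9 GET /index.htm 200 -
2002-10-27 23:01:04 198.51.100.23 GET /about.htm 200 http://www.target.example/index.htm
2002-10-27 23:01:05 203.0.113.50 GET /index.htm 200 http://popular.example/news.htm
"""

def referer_profile(log_text, own_hosts):
    """Map each external Referer host to (request count, distinct client IPs)."""
    fields, hits, clients = [], defaultdict(int), defaultdict(set)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        ref = row.get("cs(Referer)", "-")      # "-" means the field was empty
        host = (urlsplit(ref).hostname or "") if ref != "-" else ""
        if host and host not in own_hosts:     # skip empty and same-site referers
            hits[host] += 1
            clients[host].add(row.get("c-ip"))
    return {h: (hits[h], len(clients[h])) for h in hits}

def should_reject(referer, blocked_hosts):
    """Referer check in the spirit of suggestion 3: reject a known embedding site.

    A missing Referer is allowed, since direct visits and some proxies send none."""
    host = urlsplit(referer or "").hostname or ""
    return host in blocked_hosts

if __name__ == "__main__":
    profile = referer_profile(SAMPLE_LOG, {"www.target.example"})
    for host, (count, ips) in profile.items():
        print(f"{host}: {count} requests from {ips} distinct client IPs")
```

A single external Referer host spread across many distinct client IPs is the pattern the reply describes, and it is why a per-IP block does not help here.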


