On Sat, 6 Nov 2004, Mickey Everts wrote:
> Today I had an incident at work where an attacker used a PHP exploit to grab
> the following script and run it from one of our "real servers" (running as
> apache's permissions):
> http://www.packetstormsecurity.org/DoS/udp.pl
Ouch. Common, sadly, but ouch.
> This rather short script brought our LVS box, a 3 GHz Pentium 3 system with
> dual gigabit interfaces, to its knees. Note that it's actually connected to
> a 100 megabit interface. Obviously we want to secure our real servers, but
> is there any way to stop this kind of thing from killing our LVS server so
> easily?
You could not only "harden" your systems, but also consider using the iptables
'limit' module and/or Linux QoS tools to limit arbitrary outbound traffic. If
you know that your webserver isn't going to initiate outbound connections, for
example, you can create policies to squash packet and bit rates from arbitrary
ports without breaking Apache's return traffic.
I've seen gigabit-connected servers (and 100 meg, too) bring entire Cisco-based
networks to their knees in a matter of seconds simply by creating floods
of tens (or hundreds) of thousands of packets per second. Everything has a
limit as to how many packets it can shovel, and if you hit that limit then
things start to break.
In a nutshell, the short answer is no!
Graeme
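One way to put the iptables 'limit' policy from the reply into practice, as an added example that is not part of the thread or of the LVS project: Apache's reply traffic is accepted first, and everything else the real server originates is passed through a token-bucket limiter. The interface name, the served ports and the 100 packets/s rate are assumptions; the ruleset is emitted in iptables-restore format so it can be reviewed before loading.

```shell
#!/bin/sh
# Added example: police traffic a web server itself originates without
# touching Apache's replies, using the iptables 'limit' match.
# Assumptions: Linux real server with iptables and conntrack; the outside
# interface and the TCP ports Apache serves are passed as arguments.

emit() { printf '%s\n' "$1"; }

# Print an iptables-restore ruleset for the filter table's OUTPUT chain.
# $1 = outside interface (default eth0), $2 = served TCP ports (default "80 443")
gen_outbound_rules() {
    iface=${1:-eth0}
    served=${2:-"80 443"}
    emit '*filter'
    emit ':OUTPUT ACCEPT [0:0]'
    emit ':OUTLIMIT - [0:0]'
    emit '-A OUTPUT -o lo -j ACCEPT'
    # Replies from Apache's listening ports belong to flows a client opened:
    # accept them before the limiter so legitimate traffic is never throttled.
    for p in $served; do
        emit "-A OUTPUT -o $iface -p tcp --sport $p -m state --state ESTABLISHED -j ACCEPT"
    done
    # Everything else this host sends (UDP floods from a script running as
    # apache, SYN floods, ICMP) goes through the limiter chain.
    emit "-A OUTPUT -o $iface -j OUTLIMIT"
    # Token bucket: steady 100 packets/s, bursts of up to 200, then drop.
    emit '-A OUTLIMIT -m limit --limit 100/second --limit-burst 200 -j ACCEPT'
    # Log the overflow, itself rate-limited so the log cannot be flooded.
    emit '-A OUTLIMIT -m limit --limit 5/minute -j LOG --log-prefix "outbound-flood: "'
    emit '-A OUTLIMIT -j DROP'
    emit 'COMMIT'
}

# Load the ruleset atomically (needs root).
apply_outbound_rules() {
    gen_outbound_rules "$@" | iptables-restore
}

if [ "${1:-}" = "apply" ]; then
    apply_outbound_rules "${2:-eth0}" "${3:-80 443}"
else
    gen_outbound_rules "${1:-eth0}" "${2:-80 443}"
fi
```

The limit match counts packets, not bytes, so a byte-rate cap on the same traffic is a job for tc (HTB), the QoS route the reply also mentions.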