Eskimo North


Services Outage

     Various servers were down this morning as the result of denial of service
attacks.  I'm not quite sure what these people are doing but it seems to
involve UDP packets as only the servers that have UDP traffic allowed seem to
be vulnerable.

     These attacks started back when we upgraded the BBS to newer software that
prevented spammers from trashing the BBS; and it seems that every time we put
some new mechanism in place to reduce spam, we get another round.

     Recently, we've been hit usually 4am-5am in the morning from servers in
China.  I've been trying to catch one of these attacks live so I can log the
data and see exactly what they're doing.  This morning I stayed up and worked
on things until just before 6am and then went to bed, about an hour later the
DoS attacks started and succeeded in bringing down the web server, shell
server, and wedging a couple of mail servers.  The shell server rebooted and
recovered on its own.

     I had turned the bell on the phone up before I went to bed so I thought I
would hear if someone called, but the battery that keeps its settings
exhausted during the last power outage so it is not saving its settings and I
didn't hear calls.

     Thanks to Joe Spitz for letting me know something was amiss.

     I am working on some things to resolve this; I have discovered there is a
vulnerability in the Linux kernel version we are using to a certain type of UDP
exploit; there was a patch but when I applied it, it broke other things.  It is
theoretically fixed in a newer version but that requires a complete re-install
because of library compatibility issues.  I am exploring some other Linux
releases, particularly Aurora, so that we can get on to a modern kernel.

     Other than that, I'm trying to log this data to find out exactly what
they're sending and if it's something we can block but I haven't been able to
catch an attack live and can't just leave logging on because the volume is such
that it generates hundreds of megabytes a minute and it's very CPU intensive on
the router making the router itself vulnerable to attack when detailed logging
is on.

 Eskimo North Linux Friendly Internet Access, Shell Accounts, and Hosting.
   Knowledgeable human assistance, not telephone trees or script readers.
 See our web site: (206) 812-0051 or (800) 246-6874.
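The logging problem the post describes (detailed logging is too heavy to leave on, yet the attack has to be caught live) can be handled with a threshold-triggered, size-bounded capture that only starts when the UDP packet rate jumps. This is an added example, not code from the original post or from Eskimo North; it assumes a Linux host with /proc/net/snmp counters and tcpdump installed, and the interface name, threshold and packet cap are placeholders to tune to the site's normal load.

```shell
#!/bin/sh
# Added example (not from the original post). Watches the kernel's UDP
# InDatagrams counter and, only when the rate exceeds a threshold, runs a
# tcpdump bounded by packet count and snaplen, so the capture cannot grow
# into hundreds of megabytes or pin the CPU the way continuous logging does.

# Extract the UDP InDatagrams counter from a /proc/net/snmp snapshot ($1).
# The first "Udp:" line is the header, the second carries the values.
udp_in_datagrams() {
    printf '%s\n' "$1" | awk '
        $1 == "Udp:" && col == 0 { for (i = 2; i <= NF; i++) if ($i == "InDatagrams") col = i; next }
        $1 == "Udp:" && col > 0  { print $col; exit }'
}

# Packets per second between two readings ($1 old, $2 new) taken $3 seconds apart.
udp_rate() {
    echo $(( ($2 - $1) / $3 ))
}

# True (exit 0) when the observed rate ($1) exceeds the trigger threshold ($2).
over_threshold() {
    [ "$1" -gt "$2" ]
}

# Placeholder settings: tune to the servers' normal UDP load.
THRESHOLD_PPS=${THRESHOLD_PPS:-5000}
INTERVAL=${INTERVAL:-5}
MAX_PACKETS=${MAX_PACKETS:-20000}   # hard cap on captured packets per burst
IFACE=${IFACE:-eth0}

# The monitor loop only runs when RUN_MONITOR=1 (e.g. RUN_MONITOR=1 sh udpwatch.sh).
if [ "${RUN_MONITOR:-0}" = "1" ]; then
    prev=$(udp_in_datagrams "$(cat /proc/net/snmp)")
    while :; do
        sleep "$INTERVAL"
        cur=$(udp_in_datagrams "$(cat /proc/net/snmp)")
        rate=$(udp_rate "$prev" "$cur" "$INTERVAL")
        if over_threshold "$rate" "$THRESHOLD_PPS"; then
            out="/var/tmp/udp-burst-$(date +%Y%m%d-%H%M%S).pcap"
            echo "$(date) UDP ${rate} pps > ${THRESHOLD_PPS} pps, capturing to $out"
            # -s 128 keeps headers only (enough to see ports and sizes); -c bounds the run.
            tcpdump -i "$IFACE" -nn -s 128 -c "$MAX_PACKETS" -w "$out" udp
        fi
        prev=$cur
    done
fi
```

The resulting pcap shows the source addresses, destination ports and packet sizes of the burst, which is what is needed to decide on a router filter without keeping full logging on.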