Locating and Stopping DoS attacks

jmstacey (Verified User, joined Feb 12, 2004, Colorado)
For the past few weeks my server has been DoS attacked. Not enough to bring the entire server down but enough to disable mail and other less important things in the process list throughout the duration.

I am running FreeBSD 4.9 and installed/configured ipfw with a simple setup. It has helped a little by bringing down the effectiveness of the attacks by about 40%, at which point the server is able to handle them without any loss of services...

I've attached the simple firewall setup that is in use and would like recommendations on finding and blocking the attacker and all future attacks of this nature.

I have gone through the logs but there is no pattern that I can tell, except that it appears that my server is initiating the transfers to various IPs on odd ports at approx. 6 hour intervals in 1-2 hour sessions (no cron jobs or anything on the domain that it originates from, just a normal website).

I also added these lines at the very start of the script at one time to see if it was spoofing, but nothing turned up there.
add deny log all from 65.254.44.171: (subnet) to any in via fxp0
add deny log all from 65.254.44.171 to any in via fxp0

Thanks for the recommendations.
Attachments: ipfw.txt (924 bytes)