DoS attack?

Hi,

I found there are 500 processes on my server when I run top.
Normally, it's only 200+... I suspect someone is attacking me.


The IP is from a proxy server, and it's attacking my ads system...

help me out

Thanx
bsh
bsherAsked:
jlevieCommented:
It might or might not be a DOS attack.

If the excess processes are repeated instances of some service that your system provides that accepts network connections, then it's possibly a DOS attack. Of course it could also be some malfunctioning system or (in this case) proxy server. If the excess processes aren't network apps, then it's more likely that you've got some local problem.

If you have evidence that it's a DOS attack (intentional or otherwise), the only solution is to block the source IP(s) from connecting to your server or services. How you accomplish this depends on whether there's a router or firewall (that you control & can configure) between you and the source, or whether the IP restrictions can be imposed on the application (either via a conf file or tcpwrappers).

BTW, I haven't a clue as to what an "ads server" is.
0
 
bsherAuthor Commented:
ads server = advertising system...

how can i trace the real 'guy' behind the proxy
0
 
jlevieCommented:
Without direct access to the proxy server, or cooperation from whoever is responsible for it, there's not any way to tell who is actually originating the traffic. At the TCP/IP level all of the data will point back to the proxy server and no further. You have to examine the logs of the proxy to find out what "inside" address caused the traffic.

At this point, if it were me, I'd institute an IP block to reject all traffic from the proxy server just to protect my system. That's easy for me to say, since I always have something with filtering/firewall capabilities between systems I manage/use (even my home machines) and the Internet. Depending on how you are set up it might not be as easy. Then I'd find out who is the Administrative Contact (via whois) for the domain the proxy server is in, contact them and have them do something about it.
0
 
jonkeCommented:
If you know the IP address the attack is coming from and you wish to deny service but without a firewall, on a Solaris system you can set up basic tcp wrappers. I don't know if this would work for any other flavour of unix. Create a file called /etc/hosts.deny and put the following line in it:

ALL:100.100.100.100

Where the IP address 100.100.100.100 is replaced with the IP address of the proxy server. This will deny all attempted connections from this address.

0
 
jlevieCommented:
He might be able to use tcp wrappers, if his application is suitable for use with same. Whether they will work in this case depends on the app and the nature of the attack. It might be that a more general solution is needed, like ipfilter (cheops.anu.edu.au/~avalon/ip-filter.html).
0
 
jonkeCommented:
/etc/hosts.deny should have no effect on any applications running on the machine though. It will just deny service to one particular IP address.
0
 
jlevieCommented:
Nope, in the case of tcp wrappers ALL just means every service that's been "wrapped", i.e., those services listed in inetd.conf that look like:
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a

The operative part is that the daemon inetd summons on a connect to that service is /usr/sbin/tcpd. It in turn checks hosts.deny, and if it's okay passes the connection to the actual daemon (in.ftpd in this case).
0
 
jonkeCommented:
How does that contradict what I said?
0
 
jlevieCommented:
Because it doesn't "deny all attempted connections from this address". It only denies access from that machine to "wrapped" services. His "ads" service may well be a custom app listening on some UDP port for all we know (not under control of inetd and quite possibly not "wrappable").
0
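The hosts.deny recipe above and jlevie's caveat about which services it actually covers can be checked mechanically. The following is an added example, not code from the thread: it takes an inetd.conf (a constructed sample, Solaris-style layout) and a hosts.deny line, lists which daemons are launched through tcpd and which are not, and reports whether a block of a given client really reaches a given daemon. Only the simple "ALL"/exact-daemon and exact-IP forms of hosts_access(5) are handled.

```shell
#!/bin/sh
# Constructed sample inetd.conf: two tcpd-wrapped services, one started
# directly, and a hypothetical UDP "ads" daemon that inetd starts itself.
SAMPLE_INETD_CONF='ftp     stream  tcp     nowait  root    /usr/sbin/tcpd         in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd         in.telnetd
finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd   in.fingerd
ads     dgram   udp     wait    root    /usr/local/bin/adsd    adsd'

# Daemon names (field 7) whose server program (field 6) is tcpd: these are the
# only ones an /etc/hosts.deny entry can refuse.
wrapped_services() {
    printf '%s\n' "$1" | awk '$1 !~ /^#/ && NF >= 7 && $6 ~ /\/tcpd$/ { print $7 }'
}

# Daemons inetd execs directly; hosts.deny has no effect on them.
unwrapped_services() {
    printf '%s\n' "$1" | awk '$1 !~ /^#/ && NF >= 7 && $6 !~ /\/tcpd$/ { print $7 }'
}

# deny_matches LINE DAEMON CLIENT: status 0 if a hosts.deny line of the form
# "daemons : clients" (e.g. "ALL: 100.100.100.100") refuses CLIENT to DAEMON.
deny_matches() {
    daemons=${1%%:*}; clients=${1#*:}; daemon=$2; client=$3
    for d in $(printf '%s' "$daemons" | tr ',' ' '); do
        if [ "$d" = ALL ] || [ "$d" = "$daemon" ]; then
            for c in $(printf '%s' "$clients" | tr ',' ' '); do
                if [ "$c" = ALL ] || [ "$c" = "$client" ]; then return 0; fi
            done
        fi
    done
    return 1
}

# block_effective CONF LINE CLIENT DAEMON: status 0 only if DAEMON is wrapped
# AND the deny line matches; otherwise the "block" is not protecting DAEMON.
block_effective() {
    wrapped_services "$1" | grep -qx "$4" || return 1
    deny_matches "$2" "$4" "$3"
}
```

Run block_effective against every daemon in your own inetd.conf (and remember that anything not started by inetd at all never appears there) to see what a hosts.deny entry will and will not stop.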
 
jonkeCommented:
Good point
0
 
bsherAuthor Commented:
I have blocked all the requests from that proxy IP,

and now my server load is quite okay....

Thanx guys
0