[cod] Query limiting...
Marco Padovan
evcz at evcz.tk
Sun Oct 23 12:32:36 EDT 2011
For a few days I've been seeing a new kind of reflection attack using cod4
servers:
specific servers are being flooded with SYN (?) packets:
18:08:01.202618 IP (tos 0x0, ttl 250, id 17704, offset 0, flags [none],
proto: TCP (6), length: 40) 212.1.15.12.5816 > x.x.x.x.PORT: S, cksum
0x36ab (correct), 0:0(0) win 65535
tcpdump -nn tcp and 'tcp[tcpflags] & tcp-syn == tcp-syn'
18:10:59.416029 IP 173.244.200.117.3306 > X.X.X.X.PORT: S 0:0(0) win 65535
It looks really similar to what was described here:
http://understandingcomputers.ca/articles/grc/drdos_copy.html
Being just SYN packets, the rate is very high (200+ pps).
Is it possible to avoid reflecting this kind of attack at the application
level too (by rate limiting), or can this be done only at the
firewall/networking level?
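As an added illustration (not part of the original post), a small detector that reads tcpdump lines in the two shapes quoted above, counts SYNs per source per second and reports sources whose peak rate exceeds a threshold. The sample capture, the 10.0.0.5 target, the 28960 port and the RFC 5737 source addresses are all constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Recognises the two tcpdump SYN record shapes quoted in the post, each on one
# line: the verbose "IP (tos ..., ttl ...) src.port > dst.port: S, cksum ..."
# form and the terse "IP src.port > dst.port: S 0:0(0) win 65535" form.
SYN_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.\d+ IP .*?"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>[\w.]+)\.(?P<dport>\w+): S[, ].*?win (?P<win>\d+)"
)


def parse_syn(line):
    """Return the fields of a SYN record as a dict, or None for any other line."""
    m = SYN_LINE.match(line)
    return m.groupdict() if m else None


def syn_rate_by_source(lines):
    """Count SYNs per (source IP, one-second bucket) and return each source's peak pps."""
    per_second = Counter()
    for line in lines:
        rec = parse_syn(line)
        if rec:
            per_second[(rec["src"], rec["ts"])] += 1
    peak = defaultdict(int)
    for (src, _ts), n in per_second.items():
        peak[src] = max(peak[src], n)
    return dict(peak)


def flood_sources(lines, threshold_pps=20):
    """Sources whose per-second SYN count exceeds threshold_pps, with their peak rate."""
    return {s: r for s, r in syn_rate_by_source(lines).items() if r > threshold_pps}


# Constructed sample capture (RFC 5737 documentation addresses, not real hosts):
# 30 SYNs within one second from one source, 2 from another, plus one ACK line.
SAMPLE = (
    [f"18:08:01.{i:06d} IP 192.0.2.10.{5800 + i} > 10.0.0.5.28960: S 0:0(0) win 65535"
     for i in range(30)]
    + ["18:08:01.900000 IP (tos 0x0, ttl 250, id 17704, offset 0, flags [none], "
       "proto: TCP (6), length: 40) 198.51.100.7.5816 > 10.0.0.5.28960: S, cksum "
       "0x36ab (correct), 0:0(0) win 65535",
       "18:08:02.100000 IP 198.51.100.7.5817 > 10.0.0.5.28960: S 0:0(0) win 65535",
       "18:08:02.200000 IP 192.0.2.10.5831 > 10.0.0.5.28960: . ack 1 win 65535"]
)

if __name__ == "__main__":
    for src, pps in flood_sources(SAMPLE).items():
        print(f"{src}: peak {pps} SYN/s")
```

Feed it `tcpdump -nn -l tcp and 'tcp[tcpflags] & tcp-syn == tcp-syn'` output line by line to get the same per-source peak rates on a live capture.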