On an interesting, but possibly relevant note:
I've noticed that the number of web spam attempts on my server has
dropped by 90% since Jan 2. I'm not sure if this is relevant or not.
Just thought I would share.
Jason
dubai wrote:
>For your information, see:
>https://events.ccc.de/congress/2005/wiki/Gulliddos
>----------
>Hi there,
>
>We now get Step2 of the ddos! We get udp-floods to
>port 80. We have currently no own router in front of,
>so we can't block the requests. Services on all
>websites (antispam, computerbetrug and antispam) down
>for 1-2 hours. Update: Our ISP is blocking the
>udp-flood for us.
>
>[1] is the biggest German "underground portal". We and
>3 other German customer protection websites
>(dialerschutz.de, antispam.de and computerbetrug.de)
>get currently a big ddos by an unknown attacker. We
>have collected a lot of information, and want to make
>them public here.
>
>It seems that the attacker built a botnet with about
>5.000 zombies. We found a way to identify most of the
>affected hosts. Now we blacklist all those hosts by
>hi-pac (an iptables-replacement), so the site is still
>up.
>
>Here is a list with all clients we currently block:
>https://events.ccc.de/congress/2005/mediawiki/images/a/a1/Ipliste.txt
>
>(anyone knows how to upload some stuff with no
>"/images" in the url? :) )
>
>Our current setup includes the following:
>
>mod_security is activated in apache. Then we do the
>following match:
>
>SecFilterEngine On
>SecFilterSelective "FOOBAR" "uninteresting" "log,status:500,exec:/usr/local/bin/mod_security/wrapper"
>
>/usr/local/bin/mod_security/wrapper is a modified
>wrapper, which gets the IP of the attacker as an
>argument. Those IPs are added to our blacklist with
>iptables.
>
>
>Most of those hosts should be owned by some
>rootkit or trojan horse. So feel free to investigate.
>Maybe something interesting is there ;-)
>
>
>If you have some questions or information: contact
>deg...@ja... or icq 169800965 or mail:
>cd...@wa...
>
>
>Our new wrapper is available at
>http://download.wavecon.de - it's GPL, so use it! :)
>
>_______________________________________________
>mod-security-users mailing list
>mod...@li...
>https://lists.sourceforge.net/lists/listinfo/mod-security-users
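Added example (not part of the original messages and not the wavecon.de wrapper): a minimal blocking wrapper of the kind the quoted post describes, which strictly validates the address it is handed before building an iptables rule, since such a script runs with firewall privileges. The chain name MODSEC_BLOCK, the allowlist entries and the DRY_RUN switch are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not the wavecon.de wrapper. Takes the client IP as $1.
ALLOWLIST="127.0.0.1 192.0.2.10"  # constructed: addresses never to block
CHAIN="MODSEC_BLOCK"              # hypothetical chain, must be jumped to from INPUT

# Succeed only for a strict dotted-quad IPv4 address (octets 0-255, no leading zeros).
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, non-digit, or empty octet
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                  # split on dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*) return 1 ;; esac # "010" could be read as octal
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

is_allowlisted() {
    for entry in $ALLOWLIST; do
        [ "$entry" = "$1" ] && return 0
    done
    return 1
}

# Print the firewall command for $1; return 2 for bad input, 3 if allowlisted.
block_command() {
    valid_ipv4 "$1" || { echo "rejected: not an IPv4 address" >&2; return 2; }
    if is_allowlisted "$1"; then echo "skipped: allowlisted" >&2; return 3; fi
    echo "iptables -A $CHAIN -s $1 -j DROP"
}

# Dry run unless DRY_RUN=0, in which case the command is executed (needs root).
apply_block() {
    cmd=$(block_command "$1") || return $?
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$cmd"; else $cmd; fi
}

if [ "$#" -gt 0 ]; then apply_block "$1"; fi
```

The allowlist keeps the automatic blocking from ever cutting off the administrators' own addresses.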