From: Michael S. <mschmidt@Fh-Koblenz.de> - 2002-11-27 10:53:45
On Wed, Nov 27, 2002 at 09:24:20AM +0000, Mark Lowes wrote:
> On Tue, 2002-11-26 at 17:15, Jeff Grossman wrote:
> > Okay, so I do have ProFTPD configured correctly? And, it appears that the
> > clients are doing something malicious to try and attack my server?
>
> You're not the only one getting hit.

That's MORE THAN true...

> I've been seeing lots of bounce
> traffic against one particular vhost on our setup to the point that the
> hammering effect caused by the bounces affects the performance of the
> box. We're working round this by monitoring the logs and traffic and
> filtering out hosts which we deem are abusing the service (particularly
> those gits who try and open 20 data connections at once and don't take
> the hint about the MaxClientsPerHost limit and keep retrying.

There are some ways for dealing around this, some I don't want to talk
publicly about, except the following which are:

Set the directive TimeoutNoTransfer down to a very low value:
* This kicks off those disturbing ones after exceeding TimeoutNoTransfer.
* People looking at the ftp site by command line ftp (some may use it)
  are unfortunately kicked off too, but those are rare.
* People looking at the ftp site with browsers aren't affected much as
  their browsers reconnect silently/smoothly.

Set the directive MaxLoginAttempts to a value of 1:
* This disturbs the disturbing ones themselves by disconnecting them,
  at least things become more uncomfortable for them.

Set the directive MaxClientsPerHost to a low value:
* I don't see a serious reason to allow values higher than one-digit
  numbers.

> Manners and thinking of other netusers other than yourself appear to be
> a thing of the past :/

Hey, you aren't so old ;-) that you may speak about the past of the
internet, are you? :-)

Have a nice day
Michael

--
Michael Schmidt                 msc...@fh...
MIRROR OF: Ghostscript, DJGPP ...and more
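The log monitoring mentioned in the quoted text (finding hosts that keep retrying after hitting MaxClientsPerHost) could be done as in this added example, which is not part of the original thread. The syslog line shape, the `flag_retry_hosts` helper, and the threshold and window values are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed syslog-style line shape; adjust the regex to your own log format.
REFUSED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ proftpd\[\d+\]: \S+ "
    r"\((?P<host>[^\[\]]+)\[(?P<ip>[^\]]+)\]\).*"
    r"Connection refused \(MaxClientsPerHost \d+\)"
)

# Constructed sample log (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
Nov 27 09:00:01 ftp proftpd[2101]: ftp.example.org (192.0.2.10[192.0.2.10]) - Connection refused (MaxClientsPerHost 2)
Nov 27 09:00:02 ftp proftpd[2102]: ftp.example.org (192.0.2.10[192.0.2.10]) - Connection refused (MaxClientsPerHost 2)
Nov 27 09:00:02 ftp proftpd[2103]: ftp.example.org (198.51.100.7[198.51.100.7]) - Connection refused (MaxClientsPerHost 2)
Nov 27 09:00:03 ftp proftpd[2104]: ftp.example.org (192.0.2.10[192.0.2.10]) - Connection refused (MaxClientsPerHost 2)
Nov 27 09:00:04 ftp proftpd[2105]: ftp.example.org (192.0.2.10[192.0.2.10]) - Connection refused (MaxClientsPerHost 2)
Nov 27 09:00:05 ftp proftpd[2106]: ftp.example.org (203.0.113.9[203.0.113.9]) - FTP session opened.
Nov 27 09:00:06 ftp proftpd[2107]: ftp.example.org (192.0.2.10[192.0.2.10]) - Connection refused (MaxClientsPerHost 2)
Nov 27 09:10:30 ftp proftpd[2108]: ftp.example.org (198.51.100.7[198.51.100.7]) - Connection refused (MaxClientsPerHost 2)
Nov 27 09:10:31 ftp proftpd[2109]: ftp.example.org (192.0.2.10[192.0.2.10]) - Connection refused (MaxClientsPerHost 2)
"""


def flag_retry_hosts(lines, threshold=5, window=timedelta(seconds=60), year=2002):
    """Return {ip: peak refusals seen inside any `window`} for IPs at or over threshold."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the sliding window
    peak = defaultdict(int)       # per-IP highest count observed in one window
    for line in lines:
        m = REFUSED.match(line)
        if not m:
            continue              # ordinary sessions and other messages are ignored
        # Syslog timestamps carry no year, so one is supplied by the caller.
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(when)
        while when - q[0] > window:
            q.popleft()           # drop refusals that fell out of the window
        peak[m["ip"]] = max(peak[m["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in flag_retry_hosts(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} MaxClientsPerHost refusals within 60s")
```

A single refusal is normal for a client that opens one connection too many, so only the rate inside the window separates a persistent retrier from an ordinary user.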