Educause Security Discussion mailing list archives

Re: diagnosing possible DOS

From: Alexander Kurt Keller <alkeller () SFSU EDU>
Date: Sat, 7 Jan 2012 02:18:29 +0000
Thank you Steven, Randall, Kevin, and Kay for your thoughtful responses to my query about our DOS condition. We are 
continuing to experiment but have started to bring the situation under control by clearing the errant content, using 
mod_security to restrict aggressive hosts, and implementing a PHP timeout on stalled requests. The Google webmaster 
tools proved useful for understanding what content was being searched for by visitors directed to our site as a result 
of the SEO tomfoolery. 

I'll post back to the list as merited, but wanted to say thank you for the assistance!

Best,
alex

Alex Keller
Systems Administrator
Academic Technology, San Francisco State University
☛Burk Hall 155 ☎ (415)338-6117 ✉alkeller () sfsu edu


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Steven 
Alexander
Sent: Thursday, January 05, 2012 5:44 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] diagnosing possible DOS

Wireshark and other sniffers are useful if you want to take a look at some individual connections to see what is 
happening, but not for detecting DoS or other malicious activity in the first place.  Your better bet would be to 
record session data using Argus or Cisco  Netflows.  You can also deploy an IDS, but I'd focus on getting session data 
first. The session data will give you a short record of every session with a timestamp, source/destination IP, 
source/destination port, in/out packet count and/or in/out bytes transferred.  If you identify a potential issue from 
session logs or web server logs (based on timing, volume, etc), you can grab a full packet sniff with 
Wireshark/tcpdump/tethereal to tell you exactly what is happening.

If you can log full content all the time, that will be very helpful in following up on any suspicious activity but 
you'll never want to use it as your first source of information.

You may also want to develop some scripts for scanning your web server logs.  If you develop scripts to extract all 
entries corresponding to a specific IP, error code, or time frame it will make it much easier to review logs in future 
investigations.

My $.02,

Steven

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Alexander Kurt 
Keller [alkeller () SFSU EDU]
Sent: Thursday, January 05, 2012 11:56 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] diagnosing possible DOS

Hello Folks,

Requesting suggestions to diagnose an Apache issue (Ubuntu server 8.04 LTS with Apache 2.2.8 serving custom PHP 
application with MySQL backend).  Server runs normally for a few hours and then Apache locks up, logs entries simply 
halt. Strace on the Apache processes all look like this:

Process 31281 attached - interrupt to quit
     0.000000 restart_syscall(<... resuming interrupted call ...>) = 0
     0.538531 poll([{fd=15, events=POLLIN|POLLPRI}], 1, 0) = 0
     0.000100 gettimeofday({1324400675, 745453}, NULL) = 0
     0.000046 gettimeofday({1324400675, 745492}, NULL) = 0
     0.000032 gettimeofday({1324400675, 745524}, NULL) = 0

We identified that a website blog function had allowed for significant commercial blog spam to be posted on the site 
(nonsensical text with lots of links to commercial sites: “Ugg boots clearance”, “Denim jackets cheap”, etc.), those 
posts have been deleted and the blog mechanism has been secured. Reviewing the Apache logs and Wireshark captures, we 
see that we have a LOT of traffic trying to get to those unauthorized (and now unresolvable) blog entries. Many of the 
requesting IPs are reverse proxies and search engine bots who seem to be crawling those spam URLs very aggressively.

We have concluded that our site was leveraged for a search engine “optimization” campaign, but now it appears we are 
suffering from a denial of service condition that may not have been intentional (If we were selling Ugg boots, we would 
be rich by now). We have some leads on mitigation: blocking aggressive hosts, mod_security, etc., but on a more 
fundamental level we are hoping to use this opportunity to educate ourselves on what to look for (and how to look for 
it) when experiencing these sort of events.

Any hints on Wireshark log parsing options for diagnosing DOS? Any thoughts on this behavior and the underpinnings of 
unscrupulous SEO campaigns?

I’ll take this opportunity to thank everyone for their contributions to the list in 2011 and offer a toast to an 
equally productive 2012!

Cheers,
alex


Alex Keller
Systems Administrator
Academic Technology, San Francisco State University ☛Burk Hall 155 ☎ (415)338-6117 ✉alkeller () sfsu 
edu<mailto:alkeller () sfsu edu>


This email has been scanned by a Spam/Virus Firewall. If your email has been classified as Spam please contact the 
HelpDesk at (209) 384-6180.
Current thread:

diagnosing possible DOS Alexander Kurt Keller (Jan 05)
- Re: diagnosing possible DOS Randall C Grimshaw (Jan 05)
- Re: diagnosing possible DOS Steven Alexander (Jan 05)
  - Re: diagnosing possible DOS Alexander Kurt Keller (Jan 06)
- Re: diagnosing possible DOS Kevin Wilcox (Jan 06)