
Date:  Fri, 15 Jun 2007 20:42:33 +0300
From:  Arthur Sherman <arturs (at mark) netvision.net.il>
Subject:  [coba-e:10138] FYI: BQ brought down by DDoS attack
To:  coba-e (at mark) bluequartz.org
Message-Id:  <000401c7af74$8e3d07e0$3701a8c0@user33b5201c50>
X-Mail-Count: 10138

Howdy,

Yesterday, I watched my server being brought down by a quite light DDoS
attack.

The attack went on several channels:
1) Most of the attack concentrated on port 80; I had mono and munin installed, and
it made a big difference. Cumulative http/mono/munin load sometimes
reached 8.5. I had to uninstall both mono and munin (fortunately, I could
afford to do this), and the load dropped to 4-7;
2) Mail: SYN attack on TCP/110 - this had overloaded MailScanner;
3) Most disturbing: I saw fcheck working hard. If I get this right, this
means that some heavy file writing went on. I'm still investigating this.

The attack went from 2-3 IPs simultaneously.
The server: TYAN Transport GT20 w/ 3GB RAM, very lightly loaded, load
average is 0.09
Michael's Security Package installed (this actually helped a bit. After
blacklisting the offending IP, the load dropped to 3-4 - thanks, Michael!)


Best,

Arthur