On Tue, 16 Nov 2004, Arjen de Korte wrote:
To: suse-security@suse.com
From: Arjen de Korte
Subject: Re: [suse-security] Detection of DoS Attacks on Webserver

Just ignoring (firewalling) incoming traffic is not going to keep your webserver on the net, when bandwidth is depleted. A firewall rule on your side is not going to stop a DDoS attack if it is saturating your connection (a coordinated attack from a few hundred zombies probably will be sufficient). Now how is such an automated tool supposed to contact your uplink provider and filter out this traffic, before it can clog your connection?
Arjen
--snip--

I think there is a way to detect DDoS attacks as well. IIRC, a DDoS attack is done by many machines sending TCP connection requests to different http servers, with the source IP address being spoofed with the IP address of the http server to target in the attack. As the different servers receive the TCP connect requests, they respond by sending a SYN/ACK packet back to the spoofed address of the server under attack.

Why would an http server send out a SYN connection request to another http server? AFAIK it's only the browsers that normally send TCP connection request packets to http servers.

The way I see it is like this: if an http web server is receiving loads of SYN/ACK packets then this is NOT normal or expected behaviour, as it's the server's job to send out these packets to a client's browser, in response to the original SYN new connection request sent by that client.

I think it may be possible to set up some sort of firewall packet level monitoring, that would be implemented in the main routers on the internet. This packet monitoring would then look for packets with the following characteristics:

1> the destination IP address is the same (it has to be the same, otherwise the DDoS attack would not work!)

2> the packet is a SYN/ACK packet (which should not really, under normal circumstances, be sent to an http server - not too sure about proxies or http forwarding requests though)

These suspect SYN/ACK response packets are all targeting the same IP destination address. This is definitely NOT normal behaviour. (A client will send out a few SYN new connection request packets to a web server, then wait for the SYN/ACK response from that server, returning to the client.) Under a heavy DDoS attack, there will be a great amount of the above type of packets, all sent to the same IP address. This is usually enough to block all access to the server, by virtue of the sheer number of packets being sent.

The main internet routers should then be able to build the appropriate dynamic firewall rules to block all these suspect packets. This would stop the DDoS attack from even reaching its intended target. The web server should then be able to function as normal, without even being aware that it is under a DDoS attack!

--snip--

Kind Regards - Keith Roberts
http://www.karsites.net
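The detection idea in the message above (many SYN/ACK packets, from many different sources, all converging on one destination that never sent a SYN) can be turned into a small rate-based detector. The following is an added example written for this page, not code from the mailing-list thread or from any of its participants. It assumes a monitor that sees both directions of traffic for the protected host, so that a SYN/ACK answering the host's own outbound SYN (a server that also acts as a client or proxy, the case the post says it is unsure about) can be told apart from unsolicited backscatter. The packet records, addresses, window size and thresholds are constructed for illustration; the iptables line it emits is only a suggestion of the kind of dynamic rule the post describes, and as the earlier reply in the thread notes it only helps if applied upstream of the saturated link.

```python
"""Added example: rate-based detector for reflected SYN/ACK floods.
Not code from the mailing-list thread; packet records and thresholds
below are constructed for illustration."""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds
    src: str
    dst: str
    sport: int
    dport: int
    flags: str     # "S" = SYN, "SA" = SYN/ACK, "A" = ACK


def detect_synack_floods(packets, window=1.0, min_packets=50, min_sources=20):
    """Return {dst_ip: (packets, distinct_sources)} for every destination that
    received, inside any `window` seconds, at least `min_packets` SYN/ACKs
    from at least `min_sources` distinct sources that it never solicited.

    A SYN/ACK is "solicited" when the monitor earlier saw the matching SYN
    leaving the destination host (its own outbound connection), so a server
    that also acts as a client or proxy does not trip the detector.
    """
    pending_syn = set()                 # (src, sport, dst, dport) of SYNs seen
    recent = defaultdict(deque)         # dst -> deque of (ts, src) in window
    per_src = defaultdict(Counter)      # dst -> Counter of src in window
    alerts = {}

    for p in sorted(packets, key=lambda pkt: pkt.ts):
        if p.flags == "S":
            pending_syn.add((p.src, p.sport, p.dst, p.dport))
            continue
        if p.flags != "SA":
            continue

        # The reply to SYN (a,ap)->(b,bp) is SYN/ACK (b,bp)->(a,ap).
        key = (p.dst, p.dport, p.src, p.sport)
        if key in pending_syn:
            pending_syn.discard(key)    # expected reply, not backscatter
            continue

        q, c = recent[p.dst], per_src[p.dst]
        q.append((p.ts, p.src))
        c[p.src] += 1
        while q and p.ts - q[0][0] > window:   # slide the window forward
            _, old_src = q.popleft()
            c[old_src] -= 1
            if not c[old_src]:
                del c[old_src]

        if len(q) >= min_packets and len(c) >= min_sources:
            best = alerts.get(p.dst, (0, 0))
            if len(q) > best[0]:
                alerts[p.dst] = (len(q), len(c))
    return alerts


def suggest_rule(dst_ip):
    """Example iptables rule dropping SYN/ACKs addressed to the flooded host.
    Meant for an upstream filter: dropping on the victim itself does not
    free the saturated link."""
    return (f"iptables -I FORWARD -p tcp --tcp-flags SYN,ACK SYN,ACK "
            f"-d {dst_ip} -j DROP")


def build_sample():
    """Constructed traffic (not captured): a web server (203.0.113.10) making
    one outbound HTTPS call, serving one browser, then hit by 60 reflectors
    that each answer a spoofed SYN with a SYN/ACK aimed at the server."""
    srv, peer, client = "203.0.113.10", "192.0.2.5", "192.0.2.77"
    pkts = [
        Packet(9.00, srv, peer, 40000, 443, "S"),     # server's own connection
        Packet(9.05, peer, srv, 443, 40000, "SA"),    # legitimate reply
        Packet(9.50, client, srv, 51000, 80, "S"),    # browser connects
        Packet(9.51, srv, client, 80, 51000, "SA"),   # server answers
    ]
    for i in range(60):                                # backscatter burst
        reflector = f"198.51.100.{i + 1}"
        pkts.append(Packet(10.0 + i * 0.01, reflector, srv, 80, 1024 + i, "SA"))
    return pkts


def run_example():
    alerts = detect_synack_floods(build_sample())
    for dst, (n, srcs) in alerts.items():
        print(f"{dst}: {n} unsolicited SYN/ACKs from {srcs} sources")
        print("  ", suggest_rule(dst))
    return alerts


if __name__ == "__main__":
    run_example()
```

Run as a script it reports only 203.0.113.10 (60 unsolicited SYN/ACKs from 60 reflectors); the two legitimate SYN/ACKs are matched against SYNs the monitor saw earlier and never counted. Counting distinct sources as well as packets is what separates this pattern from an ordinary busy host, since a single misbehaving peer retransmitting SYN/ACKs would never reach the source threshold.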