The Thursday 2005-10-27 at 18:09 +0200, media Formel4 wrote:
I don't think that works out. Whenever I might send a FIN - what
Mitigating DDoS attacks is mostly contingent on the type of attack going on.

Back in the older days, simple SYN cookies and proper load balancing could mitigate most of the attacks going on. Attacks are much more complicated these days. I've seen DDoS attacks in the form of DNS requests. You get 20k machines requesting queries from your DNS server, GOOD LUCK!

It's also worth noting that changing IP addresses works about as often as the other criticized suggestions. A large portion of the attacks going on these days reflect what the underground hackers are calling "DRDoS" attacks. These attacks involve dropping uplink providers by overwhelming border-gate routers and the likes. Changing your IP address will have absolutely no effect in these cases. It's hard to tell when these types of attacks are going on because the gate router, doing its job, simply submits the traffic to the entire subnet.

I've disassembled drone nets that exceeded 20k infected machines. Some of them were dial-up accounts, most of them were cable/DSL accounts. Attacks don't need to be "professional" in any capacity. 20k dial-up connections is enough to do some sort of damage.

In most cases, packet throttling with QoS and SYN cookies is a viable means of mitigating attacks. Of course it doesn't always work. I'm Joe Schmo sitting at home with a $50 pseudo router. But if you're running a business on the internet, you need to have some of these "best practices" ironed out.

Also, colocations (I think it was mentioned in an earlier posting) seem to be quite productive in mitigating several forms of DDoS attacks out there.

Tim Rainier
Information Services, Kalsec, INC
trainier@kalsec.com
"Carlos E. R."
Apache from being attacked from the same bot after seconds again?
The script would have to do both things, close the connection in Apache and lock the incoming IP. But, if those IPs are spoofed, as you think, chances are some will seem to come from your real clients sometime. The best thing would probably be a module in Apache for ignoring empty requests. Is it doable?

What about the MACs, can they be traced? Any matches there? Forgive me if that's a novice-like question.

--
Cheers, Carlos Robinson
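As an added example (not part of this thread), the detection half of the script Carlos describes: count empty requests per source IP in Apache's combined access log over a sliding window, so a block decision rests on repeat offenders rather than on a single timeout that a real client, or a spoofed address, could produce. The log lines are constructed, and the threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format. An empty request appears as a bare "-" in the
# request field, typically with status 400 or 408 (request timeout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines: one host sends three empty requests within
# seconds; a legitimate client has one normal request and one stray timeout.
SAMPLE_LOG = [
    '198.51.100.7 - - [27/Oct/2005:18:09:01 +0200] "-" 408 -',
    '198.51.100.7 - - [27/Oct/2005:18:09:02 +0200] "-" 408 -',
    '198.51.100.7 - - [27/Oct/2005:18:09:03 +0200] "-" 408 -',
    '203.0.113.5 - - [27/Oct/2005:18:09:05 +0200] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.5 - - [27/Oct/2005:18:10:40 +0200] "-" 408 -',
]

def parse_line(line):
    """Return (ip, timestamp, request, status) or None for a non-matching line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("req"), int(m.group("status"))

def empty_request_offenders(lines, threshold=5, window=timedelta(seconds=60)):
    """Map IP -> peak number of empty requests seen inside any `window`,
    for IPs whose peak reaches `threshold` (assumed values, tune per site)."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, req, status = parsed
        if req == "-" or status in (400, 408):
            hits[ip].append(ts)
    offenders = {}
    for ip, stamps in hits.items():
        stamps.sort()
        start, peak = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:   # slide window start
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            offenders[ip] = peak
    return offenders

if __name__ == "__main__":
    print(empty_request_offenders(SAMPLE_LOG, threshold=3))
```

The returned map is the candidate list a blocking step would consume; the legitimate client with a single timeout stays below the threshold and is not listed.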