Mitigating DDoS attacks is mostly contingent on the type of attack going on. Back in the older days, simple SYN cookies and proper load balancing could mitigate most of the attacks going on. Attacks are much more complicated these days. I've seen DDoS attacks in the form of DNS requests. You get 20k machines requesting queries from your DNS server, GOOD LUCK!

It's also worth noting that changing IP addresses works about as often as the other criticized suggestions. A large portion of the attacks going on these days reflect what the underground hackers are calling "DRDoS" attacks. These attacks involve dropping uplink providers by overwhelming border-gate routers and the like. Changing your IP address will have absolutely no effect in these cases. It's hard to tell when these types of attacks are going on because the gate router, doing its job, simply submits the traffic to the entire subnet.

I've disassembled drone nets that exceeded 20k infected machines. Some of them were dial-up accounts, most of them were cable/DSL accounts. Attacks don't need to be "professional" in any capacity. 20k dial-up connections is enough to do some sort of damage.

In most cases, packet throttling with QoS and SYN cookies is a viable means of mitigating attacks. Of course it doesn't always work. I'm Joe Schmo sitting at home with a $50 pseudo router. But if you're running a business on the internet, you need to have some of these "best practices" ironed out. Also, colocation (I think it was mentioned in an earlier posting) seems to be quite productive in mitigating several forms of DDoS attacks out there.

Tim Rainier
Information Services, Kalsec, INC
trainier@kalsec.com

"Carlos E. R." <robin1.listas@tiscali.es> wrote on 10/30/2005 07:16:40 AM:

> The Thursday 2005-10-27 at 18:09 +0200, media Formel4 wrote:
>
> > I don't think that works out. Whenever I might send a FIN - what
> > prevents my Apache from being attacked from the same bot after seconds again?
>
> The script would have to do both things: close the connection in Apache and lock the incoming IP. But if those IPs are spoofed, as you think, chances are some will seem to come from your real clients sometime. The best thing would probably be a module in Apache for ignoring empty requests. Is it doable?
>
> What about the MACs, can they be traced? Any matches there? Forgive me if that's a novice-like question.
>
> --
> Cheers,
> Carlos Robinson
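The script Carlos sketches above, one that spots empty requests in the Apache log and locks the offending address, with the temporary ban that his spoofing worry argues for, as an added example in Python that is not code from anyone in this thread; the log format, the thresholds, the ban length and the sample addresses are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined log line: client IP, timestamp, request line, status.
# An "empty request" (connection opened, nothing sent) is logged with "-" as the
# request and, typically, status 408 or 400.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) ')

def parse_line(line):
    """Return (ip, timestamp, request, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, req, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), req, int(status)

def empty_request_bans(lines, threshold=5, window=timedelta(seconds=10),
                       ban_for=timedelta(seconds=60)):
    """Count empty requests per client IP in a sliding time window; return {ip: ban_expiry}.
    Bans are temporary so an address that only looks hostile (shared, or spoofed as
    the thread worries) does not shut out real clients for good."""
    recent = defaultdict(deque)
    bans = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, when, req, status = rec
        if req != "-" or status not in (400, 408):
            continue            # a real request, not an empty one
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:
            q.popleft()         # drop hits older than the window
        if len(q) >= threshold:
            bans[ip] = when + ban_for
    return bans

# Constructed sample log (hypothetical addresses from the documentation ranges).
def _stamp(sec):
    return f"[30/Oct/2005:07:16:{sec:02d} +0100]"
SAMPLE_LOG = [f'203.0.113.7 - - {_stamp(40 + i)} "-" 408 - "-" "-"' for i in range(6)] + [
    f'198.51.100.2 - - {_stamp(41)} "-" 408 - "-" "-"',
    f'198.51.100.2 - - {_stamp(42)} "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla"',
    "garbage line that does not parse"]

def sample_bans():
    """Run the detector over SAMPLE_LOG; only the bot address crosses the threshold."""
    return empty_request_bans(SAMPLE_LOG)
```

The returned expiry is what a wrapper would hand to the firewall (and later revoke); the one-off empty request from 198.51.100.2 never reaches the threshold.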
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here