On Saturday 13 November 2004 17:35, suse@karsites.net wrote:
> Hi Markus.
> Interesting topic.
Agreed, and I've done some work in this area. http://www.networkengineer.biz/ExecutiveADS/index.htm
> Your idea seems very handy for doing forensic analysis, after an HTTP-DoS/DDoS attack.
Actually one can nip such in the bud and tell others.
> I think that IPTables firewall could be used to help limit or prevent such attacks from occurring.
Alas, such a solution is quite Linux-specific. This problem is of far wider scope. Even if you argue to leave Microsoft users of IIS to their fate, Apache runs on far more than Linux.
> There is a development library for the IPTables packet filter, that allows a user to write loadable modules for the packet filter.
Yes, that's a reasonable approach on Linux, but you have to construct solutions in a modular fashion. Certainly a "firewall rule" is an option (but you can't just stick it in there and leave it forever; it has to be aged out at some point).
> I think it should be possible to write a module that will queue incoming packets in userland memory. The packets can then be inspected for certain clues that would be indicative of an HTTP-DoS attack.
Very Apache-specific. Furthermore, the API may well change -- indeed, can the same module work on v1 and v2 Apache? No.
> DDoS may be a bit trickier to detect, as the source IPs will be varied, but even so, there may still be a very high number of new connection requests coming, in a very short time, from the same source IP, which would indicate a possible DoS or DDoS attack underway.
Ah, but in this case you see they are open proxies, and if you but detect them with my Perl module for same...
> I need to write a white paper on this, and make it available for all to read, and hopefully someone will take up the idea and develop it into something functional!
Actually I need to -publish- a paper on this at a conference this spring. The whitepaper is already up and far more comprehensive in its vision. Funding would help.
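The two detection points raised in this exchange, a very high number of new connections from one source IP in a short time, and the reply that any resulting rule must be aged out rather than left forever, as an added example that is not from either participant of the thread; the thresholds, the log-line format and the sample lines are constructed assumptions for illustration:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Illustrative thresholds (assumptions for this example, not values from the thread).
WINDOW = timedelta(seconds=10)    # sliding window in which new connections are counted
MAX_CONNS = 5                     # more than this many per source IP in WINDOW => flag it
BLOCK_TTL = timedelta(minutes=5)  # a flag ages out after this, so no rule lives forever

class ConnectionRateMonitor:
    """Per-source-IP sliding-window connection counter with an aging block list."""

    def __init__(self, window=WINDOW, max_conns=MAX_CONNS, block_ttl=BLOCK_TTL):
        self.window, self.max_conns, self.block_ttl = window, max_conns, block_ttl
        self.recent = defaultdict(deque)  # ip -> timestamps of connections inside window
        self.blocked = {}                 # ip -> time at which its block expires

    def observe(self, ip, ts):
        """Record one new connection from ip at ts; return True if ip is currently flagged."""
        for old_ip in [i for i, exp in self.blocked.items() if ts >= exp]:
            del self.blocked[old_ip]      # age out expired blocks before anything else
        q = self.recent[ip]
        q.append(ts)
        while ts - q[0] > self.window:    # drop this IP's connections older than the window
            q.popleft()
        if len(q) > self.max_conns:
            self.blocked[ip] = ts + self.block_ttl
        return ip in self.blocked

def scan(lines, monitor=None):
    """Feed constructed connection-log lines ('ISO-timestamp source-ip') to a monitor and
    return the sorted list of IPs that were flagged at any point during the scan."""
    monitor = monitor or ConnectionRateMonitor()
    flagged = set()
    for line in lines:
        stamp, ip = line.split()
        if monitor.observe(ip, datetime.fromisoformat(stamp)):
            flagged.add(ip)
    return sorted(flagged)

# Constructed sample: one source opens 8 connections in 8 seconds, another behaves normally,
# and the noisy source returns six minutes later, by which time its block has aged out.
SAMPLE_LOG = [f"2004-11-13T17:35:{s:02d} 192.0.2.10" for s in range(8)] + [
    "2004-11-13T17:35:00 198.51.100.7",
    "2004-11-13T17:35:30 198.51.100.7",
    "2004-11-13T17:41:00 192.0.2.10",
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))  # ['192.0.2.10']
```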