Re: [suse-security] Re: stopping DrDOS attacks against Apache???
Hi Steffen, As you can see, I'm no TCP guru (not yet anyway!) Here is my reply.
Do you really mean Apache, as a user-land software? I guess Apache works on TCP sockets; for a TCP socket the handshake is transparent. How do you notice a SYN flood attack from userland? Maybe by installing some raw socket for sniffing or such? mmm... not clean and straightforward. Installing a kernel module? Complex. So what is your way of handling that?
Which information? Sorry, I see no benefits for a userland software here. Because of the random pattern you have no way to decide if a new SYN packet is part of an attack or a client handshake. With limitation of SYNs, you just reduce the damage of the SYN flood - but it remains a DOS.
I guess this would be very Linux-specific, wouldn't it? How would you start realizing this?
Possibly as a DSO loadable Apache module.
You do not see anything not established in userland, do you?
Perhaps things need to be dealt with on a lower level then?
it does not reply with the ACK packet that the servers are waiting for, to complete the three way TCP new connection initiation sequence.
Is that true? Isn't a RST sent?
It could be - I'm not sure of the exact sequence. I may be getting way out of my depth here, so I can't say exactly. According to the explanation on grc.com, it's SYN, SYN/ACK, then ACK. Whatever it is at the moment is not too important.
My idea is to keep a lookup table, possibly inside Apache itself, (maybe as a loadable module to start with for testing, then part of the core server) of all IP source addresses requesting a new connection to Apache that are not completed, and are 'hanging' - waiting for the 3 way TCP handshake to be completed.
Yes, but how does this help?
The idea is to identify the DrDoS packets, and ONLY block those, while allowing ALL other SYN packets through. Limiting by matching SYN connection packets will block all new connections - so I thought it would be handy to just block the DrDoS attacks, and allow all other legit packets into the box.
When certain limits are reached, the server can then release all hung connection attempts from the offending IP source address, and then block any future packets from that IP address from trying to connect, for a certain amount of time - possibly an hour or more.
This does help maybe against a SYN reflection DOS, but not against a SYN flood, because here every IP is just used ONCE (approximately, it's random, after all). So blocking does not help. You do not know if it's from a DOS attack or a slow client.
I'm not trying to deal with the above issue at the moment, Steffen. As each style of DOS attack varies, it will obviously need a tailored response, specifically to deal with the style of attack.
Additionally, to my understanding this has nothing to do with Apache (you can use any TCP service).
Perhaps the info I have been reading has been made too simplistic, to aid the user's understanding of the technology. I'm new to TCP protocols, but I'm willing to learn!
BTW, what is the advantage for an attacker to use a SYN reflection instead of a standard mstream style flood?
If you see the info on grc.com, DRDoS link, that should give you a lot of info concerning this.

Kind Regards - Keith Roberts
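The per-source lookup table Keith describes above (count half-open connection attempts per source IP, release them and block the source for a while once a limit is reached) and Steffen's objection to it (a flood using random spoofed sources uses each address about once, so a per-source counter never trips) can be checked in a small simulation. The code below is an added example, not part of the thread and not code from any poster or from Apache; it models the decision logic in userland over a constructed packet trace rather than hooking the kernel's TCP state, which is exactly the visibility problem Steffen raises. The threshold of 5 half-open attempts, the 30 second handshake timeout, the one-hour block and the addresses (documentation ranges 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) are all assumptions chosen for the illustration.

```python
"""Simulate per-source-IP tracking of half-open TCP connection attempts.

Added example for the suse-security DrDoS thread; hypothetical logic, not Apache code.
A 'packet' is a tuple (time_seconds, src_ip, src_port, flags) where flags is
'SYN' (a new connection attempt) or 'ACK' (third step of the handshake).
"""
from collections import defaultdict

HALF_OPEN_LIMIT = 5       # assumed: half-open attempts per source before we block it
BLOCK_SECONDS = 3600      # assumed: "an hour or more", as suggested in the thread
HANDSHAKE_TIMEOUT = 30    # assumed: forget a half-open attempt with no ACK after this long


class HalfOpenTracker:
    def __init__(self, limit=HALF_OPEN_LIMIT, block_seconds=BLOCK_SECONDS,
                 timeout=HANDSHAKE_TIMEOUT):
        self.limit = limit
        self.block_seconds = block_seconds
        self.timeout = timeout
        self.half_open = defaultdict(dict)  # src_ip -> {src_port: time of SYN}
        self.blocked = {}                   # src_ip -> time at which the block lifts

    def _expire(self, now):
        """Drop stale half-open entries and lift blocks whose time has passed."""
        for ip in list(self.half_open):
            conns = self.half_open[ip]
            for port in [p for p, t in conns.items() if now - t > self.timeout]:
                del conns[port]
            if not conns:
                del self.half_open[ip]
        for ip in [ip for ip, until in self.blocked.items() if now >= until]:
            del self.blocked[ip]

    def on_packet(self, now, src_ip, src_port, flags):
        """Return 'blocked', 'syn', 'ack' or 'ignored' for one packet."""
        self._expire(now)
        if src_ip in self.blocked:
            return "blocked"
        if flags == "SYN":
            self.half_open[src_ip][src_port] = now
            if len(self.half_open[src_ip]) >= self.limit:
                # Limit reached: release the hung attempts and block the source.
                del self.half_open[src_ip]
                self.blocked[src_ip] = now + self.block_seconds
                return "blocked"
            return "syn"
        if flags == "ACK":
            # Handshake completed; the attempt is no longer half-open.
            self.half_open[src_ip].pop(src_port, None)
            if not self.half_open[src_ip]:
                del self.half_open[src_ip]
            return "ack"
        return "ignored"


def run_trace(tracker, trace):
    """Feed a packet trace through the tracker and count the decisions."""
    counts = defaultdict(int)
    for now, ip, port, flags in trace:
        counts[tracker.on_packet(now, ip, port, flags)] += 1
    return {"counts": dict(counts),
            "blocked_ips": sorted(tracker.blocked),
            "half_open_sources": len(tracker.half_open)}


def reflection_scenario():
    """Constructed trace: 20 SYNs carrying one spoofed source (a reflection
    victim's address) plus one legitimate client that finishes its handshake."""
    trace = [(i * 0.01, "192.0.2.7", 40000 + i, "SYN") for i in range(20)]
    trace += [(0.05, "198.51.100.5", 51000, "SYN"),
              (0.06, "198.51.100.5", 51000, "ACK")]
    trace.sort(key=lambda e: e[0])
    return run_trace(HalfOpenTracker(), trace)


def random_source_flood_scenario():
    """Constructed trace: 20 SYNs, each from a different (random-looking) source,
    the classic SYN flood pattern Steffen describes."""
    trace = [(i * 0.01, f"203.0.113.{i + 1}", 40000 + i, "SYN") for i in range(20)]
    return run_trace(HalfOpenTracker(), trace)


if __name__ == "__main__":
    print("single spoofed source:", reflection_scenario())
    print("random sources:       ", random_source_flood_scenario())
```

With a single spoofed source the tracker blocks that address after the fifth attempt and the legitimate client is untouched; with twenty distinct sources nothing is ever blocked and the half-open table simply grows, which is Steffen's point that per-source limits only reduce damage against a random-source flood rather than stop it.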
Keith Roberts wrote:
Perhaps things need to be dealt with on a lower level then?
Would this help? http://cr.yp.to/syncookies.html

peace, Tom
Sorry, I replied too fast (without reading up on DrDoS), so SYN cookies won't help you... (interesting thing, that DrDoS...)

peace, Tom

Thomas Seliger wrote:
Would this help? http://cr.yp.to/syncookies.html
peace, Tom
Participants (2): Keith Roberts, Thomas Seliger