Mailinglist Archive: opensuse-security (145 mails)

Re: [suse-security] Detection of DoS Attacks on Webserver
  • From: Dana Hudes <dhudes@xxxxxxxxxxx>
  • Date: Wed, 17 Nov 2004 23:40:52 -0500 (EST)
  • Message-id: <Pine.LNX.4.58.0411172336100.22@xxxxxxxxxxxxxxxxxxxx>
A denial of service attack is one thing if it's smurf, but ISPs often
rate-limit ICMP as a matter of policy to perhaps 64kbit/second.
This may be triggered only after a certain volume etc.

A web site is normally attacked with tcp open and perhaps even more it is
attacked by sending various buffer overrun and of course brute force
password attacks. Blocking IP packets from the source address of such
attackers at even the local host of the web server itself still prevents
it from getting up the stack to the application layer where it causes all
sorts of httpd processing. Instead you just throw the SYN on the floor.
Far more effective than a .htaccess rule at reducing the load on your
server. If you can clip it at the WAN gateway router so much the better.
Of course one would like to have ISP filter it but no system exists now to
distribute in an authenticated manner the IP address of zombies and other
attackers.

My work includes plans for such mechanisms.




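Added example, not part of the original post: a small detector that counts requests per source address in a sliding window over web server access log lines and renders the host packet-filter rules that would drop those sources before their SYNs reach httpd. It assumes combined-format logs and an iptables host firewall; the log lines are constructed.

```python
"""Flag sources flooding a web server and emit host-level drop rules.
Added example; the access log lines below are constructed, not real."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format prefix: source IP and the bracketed timestamp.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def find_flooding_sources(lines, threshold, window_seconds):
    """Return {ip: peak_count} for sources that issued more than
    `threshold` requests within any `window_seconds` span."""
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    offenders = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue              # skip lines not in combined format
        ip, ts = m.group(1), datetime.strptime(m.group(2), TS_FMT)
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # expire requests older than the window
        if len(q) > threshold:
            offenders[ip] = max(offenders.get(ip, 0), len(q))
    return offenders


def drop_rules(offenders):
    """Render iptables rules that drop every packet (SYNs included) from
    each flooding source at the host, below the application layer."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(offenders)]


# Constructed sample: one source hammering a login URL, one normal visitor.
SAMPLE_LOG = [
    f'203.0.113.7 - - [17/Nov/2004:23:40:{s:02d} -0500] '
    f'"POST /login HTTP/1.0" 401 512' for s in range(6)
] + [
    '198.51.100.5 - - [17/Nov/2004:23:40:02 -0500] "GET / HTTP/1.0" 200 2048',
    '198.51.100.5 - - [17/Nov/2004:23:40:09 -0500] "GET /a.css HTTP/1.0" 200 310',
]

if __name__ == "__main__":
    for rule in drop_rules(find_flooding_sources(SAMPLE_LOG, 5, 10)):
        print(rule)
```

Tune the threshold and window to the site's normal traffic before feeding the rules to the firewall, since the post's point is to drop the packets at the host rather than spend httpd cycles on them.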