Mailinglist Archive: opensuse-security (145 mails)

Re: [suse-security] Detection of DoS Attacks on Webserver
  • From: suse@xxxxxxxxxxxx
  • Date: Wed, 17 Nov 2004 23:56:35 +0000 (GMT)
  • Message-id: <Pine.LNX.4.44.0411172351430.3063-100000@xxxxxxxxxxxx>

On Tue, 16 Nov 2004, Arjen de Korte wrote:

> To: suse-security@xxxxxxxx
> From: Arjen de Korte <suse+security@xxxxxxxxxxxx>
> Subject: Re: [suse-security] Detection of DoS Attacks on Webserver
> Just ignoring (firewalling) incoming traffic is not going to keep your
> webserver on the net, when bandwidth is depleted. A firewall rule on your
> side is not going to stop a DDoS attack if it is saturating your connection
> (a coordinated attack from a few hundred zombies probably will be
> sufficient). Now how is such an automated tool supposed to contact your
> uplink provider and filter out this traffic, before it can clog your
> connection?
> Arjen


I think there is a way to detect DDoS attacks as well.

IIRC, a DDoS attack is done by many machines sending TCP
connection requests to different http servers, with the
source IP address being spoofed with the IP address of the
http server to target in the attack.

As the different servers receive the TCP connect requests,
they respond by sending a SYN/ACK packet back to the
spoofed address of the server under attack.

Why would a http server send out a SYN connection request
to another http server?

AFAIK it's only the browsers that normally send TCP
connection request packets to http servers.

The way I see it is like this:

If a http web server is receiving loads of SYN/ACK packets
then this is NOT normal or expected behaviour, as it's the
server's job to send out these packets to a client's browser,
in response to the original SYN new connection request sent
by that client.

I think it may be possible to set up some sort of firewall
packet level monitoring, that would be implemented in the
main routers on the internet.

This packet monitoring would then look for
packets with the following characteristics:

1> the destination IP address is the same (it has to be the
same, otherwise the DDoS attack would not work!)

2> the packet is a SYN/ACK packet (which should not really
under normal circumstances be sent to an http
server - not too sure about proxies or http forwarding
requests though)

These suspect SYN/ACK response packets are all targeting the same IP
destination address. This is definitely NOT normal behaviour.

(A client will send out a few SYN new connection request
packets to a web server, then wait for the SYN/ACK response
from that server, returning to the client.)

Under a heavy DDoS attack, there will be a great amount of
the above type of packets, all sent to the same IP address.
This is usually enough to block all access to the server, by
virtue of the sheer number of packets being sent.

The main internet routers should then be able to build the
appropriate dynamic firewall rules to block all these
suspect packets.

This would stop the DDoS attack from even reaching its
intended target. The web server should then be able to
function as normal, without even being aware that it is under
a DDoS attack!


Kind Regards - Keith Roberts
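The two packet characteristics listed in the post above (same destination IP, SYN/ACK flags) can be turned into a small monitoring heuristic. The following Python script is an added illustration and is not code from the original thread or from any SUSE tool. It assumes a simple constructed line format (`src -> dst FLAGS`) standing in for whatever a router or sniffer would actually feed it, and it adds the one refinement the post itself hints at for proxies: a SYN/ACK is only counted as suspect when the monitor never saw the receiving host send a matching SYN in the other direction, so a server that makes its own outbound connections is not flagged. The 203.0.113.x, 198.51.100.x and 192.0.2.x addresses are documentation-range placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    syn: bool
    ack: bool


def parse_line(line: str) -> Packet:
    """Parse a constructed record like '192.0.2.20 -> 203.0.113.10 SA'.
    FLAGS is a subset of the letters S (SYN) and A (ACK)."""
    src, arrow, dst, flags = line.split()
    if arrow != "->":
        raise ValueError(f"bad record: {line!r}")
    return Packet(src, dst, "S" in flags, "A" in flags)


def detect_unsolicited_synack(packets, threshold: int) -> dict:
    """Return {dst_ip: count} for every destination that received more than
    `threshold` SYN/ACK packets not preceded by a SYN from that destination
    to the SYN/ACK's source (i.e. replies to connections it never opened).

    A real monitor would expire entries in `outstanding` after the TCP
    handshake timeout; this illustration keeps them for the whole trace."""
    outstanding = set()            # (client, server) pairs with a SYN seen
    unsolicited = defaultdict(int)  # dst_ip -> count of unmatched SYN/ACKs

    for p in packets:
        if p.syn and not p.ack:
            # A new connection request: remember who asked whom.
            outstanding.add((p.src, p.dst))
        elif p.syn and p.ack:
            # A legitimate SYN/ACK answers a SYN that went dst -> src.
            pair = (p.dst, p.src)
            if pair in outstanding:
                outstanding.discard(pair)
            else:
                unsolicited[p.dst] += 1

    return {ip: n for ip, n in unsolicited.items() if n > threshold}


def sample_trace() -> list:
    """Constructed trace: one normal client handshake, one outbound
    connection from the web server (proxy-style), five reflected SYN/ACKs
    aimed at the web server, and one stray SYN/ACK to a different host."""
    lines = [
        "198.51.100.7 -> 203.0.113.10 S",    # browser opens a connection
        "203.0.113.10 -> 198.51.100.7 SA",   # server answers: solicited
        "203.0.113.10 -> 192.0.2.5 S",       # server fetches from upstream
        "192.0.2.5 -> 203.0.113.10 SA",      # upstream answers: solicited
        "192.0.2.9 -> 203.0.113.11 SA",      # single stray, below threshold
    ]
    # Reflected SYN/ACKs from hosts the server never contacted.
    lines += [f"192.0.2.{i} -> 203.0.113.10 SA" for i in range(20, 25)]
    return [parse_line(l) for l in lines]


if __name__ == "__main__":
    suspects = detect_unsolicited_synack(sample_trace(), threshold=3)
    for ip, count in suspects.items():
        print(f"{ip}: {count} unsolicited SYN/ACK packets")
```

Run as a script it reports only 203.0.113.10, because the single SYN/ACK to 203.0.113.11 stays under the threshold and both solicited SYN/ACKs are matched against the SYNs that preceded them. The threshold and the handshake-state expiry are the two knobs a deployment would have to tune; the post's point that such filtering has to sit upstream, near the "main routers", rather than on the target's own firewall, is unchanged by this.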
