Mailinglist Archive: opensuse-security (145 mails)

suse-security-unsubscribe-jbarnoh=tunku.uady.mx@xxxxxxxx


-----Original Message-----
From: suse@xxxxxxxxxxxx [mailto:suse@xxxxxxxxxxxx]
Sent: Sunday, November 14, 2004 3:42 PM
To: suse-security@xxxxxxxx
Subject: Re: [suse-security] Detection of DoS Attacks on Webserver


> > Your idea seems very handy for doing forensic analysis,
> > after a HTTP-DoS/DDoS attack.
>
> actually one can nip such in the bud and tell others.

Did not realise the method Markus was using was almost in
real time.

> > I think that IPTables firewall could be used to help
> > limit or prevent such attacks from occurring.
> >
> Alas such solution is quite linux-specific. This problem is of far wider
> scope. Even if you argue to leave Microsoft users of IIS to their fate
> apache runs on far more than Linux.

Yes - agreed. Markus's idea of using the web server logs is
a lot more practical - and also should work with any
webserver logs, and firewall that supports dynamic
loading/unloading of firewall rules!

I had ideas on implementing something at a packet filtering
level, that would also be possible to implement in main IP
backbone routers - by doing some sort of intelligent
filtering as close to the source of the DoS attack as
possible.

> > I think it should be possible to write a module that will
> > queue incoming packets in userland memory. The packets can
> > then be inspected for certain clues that would be indicative
> > of a HTTP-DoS attack.
> >
> very apache-specific. Furthermore, the API may well change -- indeed can same
> module work on v1 and v2 apache? no.

ditto as above

Regards - Keith Roberts

Will read & study and reply to Markus's email soon!

Starting to formulate some ideas for his version of DoS
attack prevention - this could even turn into something of
practical use, when Markus has finished his thesis!




--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here

