Your idea seems very handy for doing forensic analysis, after a HTTP-DoS/DDoS attack.
Actually one can nip such in the bud and tell others.
Did not realise the method Markus was using was almost in real time.
I think that an IPTables firewall could be used to help limit or prevent such attacks from occurring.
Alas, such a solution is quite Linux-specific. This problem is of far wider scope. Even if you argue to leave Microsoft users of IIS to their fate, Apache runs on far more than Linux.
Yes - agreed. Markus's idea of using the web server logs is a lot more practical - and also should work with any web server logs, and any firewall that supports dynamic loading/unloading of firewall rules! I had ideas on implementing something at a packet filtering level, that would also be possible to implement in main IP backbone routers - by doing some sort of intelligent filtering as close to the source of the DoS attack as possible.
I think it should be possible to write a module that will queue incoming packets in userland memory. The packets can then be inspected for certain clues that would be indicative of a HTTP-DoS attack.
Very Apache-specific. Furthermore, the API may well change -- indeed, can the same module work on v1 and v2 Apache? No.
Ditto as above.

Regards - Keith Roberts

Will read & study and reply to Markus's email soon! Starting to formulate some ideas for his version of DoS attack prevention - this could even turn into something of practical use, when Markus has finished his thesis!
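An added example, not code from this thread or from Markus's work, of the log-based approach Keith prefers above: a small Python detector reads Apache access-log lines, counts requests per client in a sliding window, and emits the firewall rules to load now and unload later. The log lines, the 10-second window and the threshold of 5 requests are constructed for the demo, as is the iptables rule shape.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed Apache access-log sample for the demo (not real traffic):
# 203.0.113.7 fires six requests within four seconds, 198.51.100.4 is a normal
# client, and one malformed line shows that unparseable input is skipped.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.88"
198.51.100.4 - - [10/Oct/2023:13:55:37 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.88"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.88"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.88"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.88"
this line is not a valid log entry
198.51.100.4 - - [10/Oct/2023:13:55:50 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Common/combined log format: client, ident, user, [timestamp], "request", status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

def find_floods(lines, window_s=10, threshold=5):
    """Return {client_ip: timestamp_string} for clients that made at least
    `threshold` requests inside any `window_s`-second sliding window."""
    recent = defaultdict(deque)   # ip -> request times (epoch seconds), oldest first
    flagged = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue              # malformed line: never let it drive a block decision
        ip, ts = m["ip"], m["ts"]
        t = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").timestamp()
        q = recent[ip]
        q.append(t)
        while q and t - q[0] > window_s:
            q.popleft()           # drop hits that fell out of the window
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts      # first moment this client crossed the threshold
    return flagged

def firewall_rules(flagged, port=80):
    """Rules to load now, plus their counterparts to unload after a cooldown.
    Caveat: blocking a shared NAT or proxy address cuts off every user behind it."""
    load = [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP" for ip in sorted(flagged)]
    unload = [rule.replace("-I INPUT", "-D INPUT") for rule in load]
    return load, unload

if __name__ == "__main__":
    hits = find_floods(SAMPLE_LOG.splitlines())
    for rule in firewall_rules(hits)[0]:
        print(rule)
```

Running it on the sample flags only 203.0.113.7, at the request that crossed the threshold; the normal client never does.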