Mailinglist Archive: opensuse-security (145 mails)

Re: [suse-security] Detection of DoS Attacks on Webserver
  • From: suse@xxxxxxxxxxxx
  • Date: Sun, 14 Nov 2004 21:41:43 +0000 (GMT)
  • Message-id: <Pine.LNX.4.44.0411142131480.1962-100000@xxxxxxxxxxxx>

> > Your idea seems very handy for doing forensic analysis,
> > after a HTTP-DoS/DDoS attack.
>
> actually one can nip such in the bud and tell others.

Did not realise the method Markus was using was almost in
real time.

> > I think that IPTables firewall could be used to help
> > limit or prevent such attacks from occurring.
> >
> Alas such solution is quite linux-specific. This problem is of far wider
> scope. Even if you argue to leave Microsoft users of IIS to their fate
> apache runs on far more than Linux.

Yes - agreed. Markus's idea of using the web server logs is
a lot more practical - and also should work with any
webserver logs, and firewall that supports dynamic
loading/unloading of firewall rules!

I had ideas on implementing something at a packet filtering
level, that would also be possible to implement in main IP
backbone routers - by doing some sort of intelligent
filtering as close to the source of the DoS attack as
possible.

> > I think it should be possible to write a module that will
> > queue incoming packets in userland memory. The packets can
> > then be inspected for certain clues that would be indicative
> > of a HTTP-DoS attack.
> >
> very apache-specific. Furthermore, the API may well change -- indeed can same
> module work on v1 and v2 apache? no.

ditto as above

Regards - Keith Roberts

Will read & study and reply to Markus's email soon!

Starting to formulate some ideas for his version of DoS
attack prevention - this could even turn into something of
practical use, when Markus has finished his thesis!
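
The log-driven approach discussed in this message, sketched as an added example (not part of the original mail and not Markus's implementation): a sliding-window counter over Common Log Format lines that emits firewall-agnostic "block" and timed "unblock" decisions, mirroring the dynamic loading/unloading of rules. The function names, thresholds and sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format prefix: only client address and timestamp are needed.
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')

def detect(lines, threshold=5, window=timedelta(seconds=10),
           block_for=timedelta(seconds=60)):
    """Return time-ordered (timestamp, action, ip) firewall decisions.

    Assumes lines are in chronological order. The thresholds are
    illustrative assumptions, not values from the thread.
    """
    recent = defaultdict(deque)   # ip -> request times inside the window
    blocked = {}                  # ip -> time at which the rule is unloaded
    events = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue              # skip malformed lines instead of failing
        ip = m.group(1)
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        # Unload expired rules first, oldest expiry first.
        for old_ip, expiry in sorted(blocked.items(), key=lambda kv: kv[1]):
            if expiry <= ts:
                events.append((expiry, "unblock", old_ip))
                del blocked[old_ip]
        if ip in blocked:
            continue              # rule already loaded for this address
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()           # drop requests that left the window
        if len(q) >= threshold:
            blocked[ip] = ts + block_for
            events.append((ts, "block", ip))
            q.clear()
    return events

def make_line(ip, sec):
    """Build one constructed Common Log Format line `sec` seconds in."""
    t = datetime(2004, 11, 14, 21, 0, 0) + timedelta(seconds=sec)
    return f'{ip} - - [{t:%d/%b/%Y:%H:%M:%S} +0000] "GET / HTTP/1.0" 200 512'

# Constructed sample (documentation addresses): one burst, one quiet client.
PAIRS = [("192.0.2.10", s) for s in range(6)] + [
    ("198.51.100.7", 3), ("198.51.100.7", 40), ("198.51.100.7", 90)]
SAMPLE = [make_line(ip, s) for ip, s in sorted(PAIRS, key=lambda p: p[1])]
```

Each returned decision maps onto whatever add-rule and remove-rule command the local packet filter provides, which keeps the detector independent of both the web server and the firewall.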



