Mailinglist Archive: opensuse-security (145 mails)

Re: [suse-security] Detection of DoS Attacks on Webserver
  • From: Dana Hudes <dhudes@xxxxxxxxxxx>
  • Date: Sat, 13 Nov 2004 20:03:07 -0500
  • Message-id: <200411132003.07363.dhudes@xxxxxxxxxxx>

On Saturday 13 November 2004 17:35, suse@xxxxxxxxxxxx wrote:
> Hi Markus.
>
> Interesting topic.
>
Agreed, and I've done some work in this area.
http://www.networkengineer.biz/ExecutiveADS/index.htm

> Your idea seems very handy for doing forensic analysis,
> after a HTTP-DoS/DDoS attack.

Actually, one can nip such in the bud and tell others.
>
> I think that IPTables firewall could be used to help
> limit or prevent such attacks from occurring.
>
Alas, such a solution is quite Linux-specific. This problem is of far wider
scope. Even if you argue to leave Microsoft users of IIS to their fate,
Apache runs on far more than Linux.

> There is a development library for the IPTables packet
> filter, that allows a user to write loadable modules for the
> packet filter.

Yes, that's a reasonable approach on Linux, but you have to construct solutions
in a modular fashion. Certainly a "firewall rule" is an option (but you can't
just stick it in there and leave it forever; it has to be aged out at some
point).
>
> I think it should be possible to write a module that will
> queue incoming packets in userland memory. The packets can
> then be inspected for certain clues that would be indicative
> of a HTTP-DoS attack.
>
Very Apache-specific. Furthermore, the API may well change -- indeed, can the
same module work on v1 and v2 Apache? No.

> DDoS may be a bit trickier to detect, as the source
> IPs will be varied, but even so, there may still be a very
> high number of new connection requests coming, in a very
> short time, from the same source IP, which would indicate a
> possible DoS or DDoS attack underway.

Ah, but in this case you see they are open proxies and if you but detect them
with my Perl module for same...

> I need to write a white paper on this, and make it available
> for all to read, and hopefully someone will take up the idea
> and develop it into something functional!

Actually I need to -publish- a paper on this at a conference this spring.
Whitepaper is already up and far more comprehensive in its vision.
Funding would help.
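
The two ideas discussed in this message, a burst of new requests from one source IP within a short time and a block entry that is aged out rather than left in place forever, can be shown without tying them to any one firewall or web server. The sketch below is an added example, not code from this thread or from the Perl module mentioned above; the class name, the window, threshold and TTL values, and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW = 10      # seconds of history kept per source (assumed value)
THRESHOLD = 5    # requests per WINDOW tolerated before blocking (assumed value)
BLOCK_TTL = 60   # seconds before a block entry is aged out (assumed value)

class RateDetector:
    """Flags sources exceeding THRESHOLD requests in WINDOW and expires blocks."""

    def __init__(self):
        self.recent = defaultdict(deque)   # ip -> timestamps inside the window
        self.blocked = {}                  # ip -> time at which the block expires

    def expire(self, now):
        """Age out block entries whose TTL has passed; return the released IPs."""
        released = sorted(ip for ip, exp in self.blocked.items() if exp <= now)
        for ip in released:
            del self.blocked[ip]
        return released

    def observe(self, ts, ip):
        """Record one request; return 'blocked', 'new-block' or 'ok'."""
        self.expire(ts)
        if ip in self.blocked:
            return "blocked"
        q = self.recent[ip]
        q.append(ts)
        while q and q[0] <= ts - WINDOW:   # drop timestamps older than the window
            q.popleft()
        if len(q) > THRESHOLD:
            self.blocked[ip] = ts + BLOCK_TTL
            del self.recent[ip]            # start clean once the block is released
            return "new-block"
        return "ok"

# Constructed sample events (second, source IP); addresses are documentation ranges.
SAMPLE = [(t, "192.0.2.10") for t in range(0, 8)] + [
    (3, "198.51.100.7"), (9, "198.51.100.7"), (30, "192.0.2.10"), (70, "192.0.2.10")]

def run(events):
    """Feed events in time order and return (ts, ip, verdict) for each."""
    det = RateDetector()
    return [(ts, ip, det.observe(ts, ip)) for ts, ip in sorted(events)]

if __name__ == "__main__":
    for row in run(SAMPLE):
        print(*row)
```

The verdicts are what a platform-specific enforcement layer (a packet filter rule, a server deny list) would consume; the detection and aging logic stays the same across them.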


