Mailinglist Archive: opensuse-security (145 mails)

Re: [suse-security] Detection of DoS Attacks on Webserver
  • From: suse@xxxxxxxxxxxx
  • Date: Sat, 13 Nov 2004 22:35:10 +0000 (GMT)
  • Message-id: <Pine.LNX.4.44.0411132219520.2811-100000@xxxxxxxxxxxx>

Hi Markus.

Interesting topic.

Your idea seems very handy for doing forensic analysis
after an HTTP-DoS/DDoS attack.

I think that an IPTables firewall could be used to help
limit or prevent such attacks from occurring.

There is a development library for the IPTables packet
filter that allows a user to write loadable modules for the
packet filter.

I think it should be possible to write a module that will
queue incoming packets in userland memory. The packets can
then be inspected for certain clues that would be indicative
of an HTTP-DoS attack.

DDoS may be a bit trickier to detect, as the source
IPs will be varied, but even so, there may still be a very
high number of new connection requests coming in a very
short time from the same source IP, which would indicate a
possible DoS or DDoS attack underway.

The user written module should then be able to generate and
add new rules to the IPTables firewall, to block such
DoS/DDoS attacks.

After a certain amount of time, the user written module
should then be able to remove those added rules from the
firewall packet filter.

I suppose you would call this adaptive or intelligent
firewalling, as the firewall adapts itself in response
to what it sees in the INPUT chain.

I need to write a white paper on this, and make it available
for all to read, and hopefully someone will take up the idea
and develop it into something functional!

Kind Regards - Keith Roberts
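The detection and blocking loop Keith sketches above (count new connection attempts per source IP over a short window, add a DROP rule when a source crosses a threshold, remove it again after a while), worked through as an added example that is not part of the original post. Instead of queueing packets into userland (netfilter's queue mechanism, ip_queue/libipq at the time of the thread), it reads constructed lines in the format of the iptables LOG target, as a rule such as `iptables -A INPUT -p tcp --dport 80 --syn -j LOG` would produce. The threshold, window and block duration are illustrative assumptions, and the script only generates the iptables commands it would run rather than executing them, so it runs anywhere without root.

```python
"""Sliding-window SYN-rate detector that emits iptables block/unblock rules.

Added example; thresholds, sample log lines and IP addresses are constructed.
"""
import re
from collections import defaultdict, deque

# Illustrative assumptions, not values from the thread.
THRESHOLD = 20      # new connection attempts tolerated per source within WINDOW
WINDOW = 2.0        # seconds of history kept per source
BLOCK_FOR = 60.0    # seconds a generated block rule stays in place

# Fields of an iptables LOG line for a TCP SYN (fields between them are skipped).
LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+) .*?\bSYN\b")

# Constructed sample line in iptables LOG format (MAC and IDs are made up).
SAMPLE_LOG_LINE = (
    "Nov 13 22:35:10 gw kernel: SYN-IN: IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=192.0.2.1 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=43210 DPT=80 "
    "WINDOW=5840 RES=0x00 SYN URGP=0"
)


def parse_syn_event(line):
    """Return (source_ip, dest_port) for a logged TCP SYN, or None for any other line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("src"), int(m.group("dpt"))


class AdaptiveBlocker:
    """Per-source sliding window of SYN timestamps plus a table of expiring block rules."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW, block_for=BLOCK_FOR):
        self.threshold = threshold
        self.window = window
        self.block_for = block_for
        self.events = defaultdict(deque)   # src -> timestamps of recent SYNs (oldest first)
        self.blocked = {}                  # src -> time at which its rule expires
        self.actions = []                  # iptables commands, in the order they would run

    def _rule(self, verb, src):
        # -I puts the DROP ahead of the LOG rule, so a blocked source stops generating lines.
        return f"iptables {verb} INPUT -s {src} -p tcp --dport 80 -j DROP"

    def observe(self, ts, src):
        """Record one connection attempt; return the block command if src crosses the threshold."""
        self.expire(ts)
        if src in self.blocked:
            return None
        q = self.events[src]
        q.append(ts)
        while q and ts - q[0] > self.window:     # drop timestamps outside the window
            q.popleft()
        if len(q) > self.threshold:
            self.blocked[src] = ts + self.block_for
            q.clear()                            # start fresh once the rule is lifted
            cmd = self._rule("-I", src)
            self.actions.append(cmd)
            return cmd
        return None

    def expire(self, now):
        """Lift every block whose time is up; return the removal commands."""
        removed = []
        for src, until in list(self.blocked.items()):
            if now >= until:
                del self.blocked[src]
                cmd = self._rule("-D", src)
                self.actions.append(cmd)
                removed.append(cmd)
        return removed


def sample_events():
    """Constructed (timestamp, source) events: one flood, one normal client, one late retry."""
    events = [(i * 0.04, "10.0.0.5") for i in range(25)]       # 25 SYNs in 1 s: flood
    events += [(0.5 + i * 0.5, "192.0.2.10") for i in range(5)]  # 5 SYNs in 2.5 s: normal
    events.append((70.0, "10.0.0.5"))                            # after the block expired
    return sorted(events)


def simulate(events, blocker=None):
    """Feed events through the blocker and return the iptables commands it would have run."""
    blocker = blocker or AdaptiveBlocker()
    for ts, src in events:
        blocker.observe(ts, src)
    blocker.expire(events[-1][0])
    return blocker.actions


if __name__ == "__main__":
    print(parse_syn_event(SAMPLE_LOG_LINE))
    for cmd in simulate(sample_events()):
        print(cmd)
```

With the sample data the flood source is blocked on its 21st SYN (0.80 s in) and the rule is deleted again when its next packet arrives after the 60-second block, while the slow client never triggers a rule. In a real deployment the timestamps would come from the log or queue source rather than the constructed list, and `expire()` would also need to run on a timer so that rules are lifted even when the blocked host goes quiet.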
