lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <94cf6157ea634339b27c3ab00cfd7124.squirrel@gameframe.net>
Date: Tue, 28 Jun 2011 17:44:56 +0300
From: nix@...roxylists.com
To: "Kai" <kai@...nn.net>,
 kimms@...osec.co.kr
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: how to detect DDoS attack through HTTP
 response analysis(throuput)

>  Hi,
>
>  its kinda <s>stupid</s> incorrect way of detecting ddos by reading http
>  responce.
>  if server says error 408, it could be just a script which takes long to
>  complete. if there is some caching server, e.g. nginx, before actual web
>  server, e.g. apache httpd, then error 502 could be a result of any
>  apache death, not a ddos attack.
>  but if you still want to monitor sites in such "unusual" way, and if
>  you have access to web-servers' serverstatus, you'd could parse them to
>  find out: amount of simultaneous requests; similar requests by IP;
>  similar requests by Requested Page; etc.
>
>
>
> --
>  Cheers,
>
>  Kai
>

Definitely. One way could be also using mod_qos, it provides protection
against slowtoris attack and you can limit amount of allowed simultaneus
connections per IP. Here's an example output from log:

Slowtoris:

[Tue Jun 28 02:30:07 2011] [error] mod_qos(034): access denied,
QS_SrvMinDataRate rule (in): min=154,
this connection=0, c=64.132.201.98

Too many conns. per IP

[Sun Jun 26 05:13:15 2011] [error] mod_qos(031): access denied,
QS_SrvMaxConnPerIP rule: max=15, concurrent connections=21,
message repeated 20 times, c=10.100.12.19

Check out http://opensource.adnovum.ch/mod_qos/

> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ