Full Disclosure mailing list archives
Re: how to detect DDoS attack through HTTP response analysis(throuput)
From: Emanuel dos Reis Rodrigues <emanueldosreis () gmail com>
Date: Tue, 28 Jun 2011 11:21:08 -0400
Hello folks, The modsecurity have a better result than mod_qos to slowloris attack, mod_qos trend to increase the false positives because of NAT and slow users. If you test the R-U-D-Y, you see that, modsecurity too protect against them. See: http://blog.spiderlabs.com/2010/11/advanced-topic-of-the-week-mitigating-slow-http-dos-attacks.html best regards, Emanuel dos Reis Rodrigues Senior Level Linux Professional (LPIC-3) LPI 302 (Mixed Environment) Specialty LPI 304 (Virtualization and High Availability) Specialty C|EH Certified Ethical Hacker CompTIA Security+ Certified http://br.linkedin.com/in/emanuelreis t:@emanueldosreis emanueldosreis(No*SpAm)gmail.com Mobile: +55 95 8112-9628 On 06/28/2011 10:44 AM, nix () myproxylists com wrote:
Hi, its kinda<s>stupid</s> incorrect way of detecting ddos by reading http responce. if server says error 408, it could be just a script which takes long to complete. if there is some caching server, e.g. nginx, before actual web server, e.g. apache httpd, then error 502 could be a result of any apache death, not a ddos attack. but if you still want to monitor sites in such "unusual" way, and if you have access to web-servers' serverstatus, you'd could parse them to find out: amount of simultaneous requests; similar requests by IP; similar requests by Requested Page; etc. -- Cheers, KaiDefinitely. One way could be also using mod_qos, it provides protection against slowtoris attack and you can limit amount of allowed simultaneus connections per IP. Here's an example output from log: Slowtoris: [Tue Jun 28 02:30:07 2011] [error] mod_qos(034): access denied, QS_SrvMinDataRate rule (in): min=154, this connection=0, c=64.132.201.98 Too many conns. per IP [Sun Jun 26 05:13:15 2011] [error] mod_qos(031): access denied, QS_SrvMaxConnPerIP rule: max=15, concurrent connections=21, message repeated 20 times, c=10.100.12.19 Check out http://opensource.adnovum.ch/mod_qos/_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- how to detect DDoS attack through HTTP response analysis(throuput) 김무성 (Jun 26)
- Re: how to detect DDoS attack through HTTP response analysis(throuput) Dobbins, Roland (Jun 26)
- Re: how to detect DDoS attack through HTTP response analysis(throuput) Kai (Jun 26)
- Re: how to detect DDoS attack through HTTP response analysis(throuput) nix (Jun 28)
- Re: how to detect DDoS attack through HTTP response analysis(throuput) Emanuel dos Reis Rodrigues (Jun 28)
- Re: how to detect DDoS attack through HTTP response analysis(throuput) nix (Jun 28)
- Re: how to detect DDoS attack through HTTP response analysis(throuput) coderman (Jun 28)
- Re: how to detect DDoS attack through HTTP response analysis(throuput) Ferenc Kovacs (Jun 29)
- Re: how to detect DDoS attack through HTTP response analysis(throuput) 김무성 (Jun 29)
- Re: how to detect DDoS attack through HTTP response analysis(throuput) coderman (Jun 29)