[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] how to detect DDoS attack through HTTP response analysis(throuput)

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] how to detect DDoS attack through HTTP response analysis(throuput)
From: Emanuel dos Reis Rodrigues <emanueldosreis@xxxxxxxxx>
Date: Tue, 28 Jun 2011 11:21:08 -0400

Hello folks,


The modsecurity have a better result than mod_qos to slowloris attack, 
mod_qos trend to increase the false positives  because of NAT and slow 
users.

If you test the R-U-D-Y,  you see that, modsecurity too  protect against 
them.

See: 
http://blog.spiderlabs.com/2010/11/advanced-topic-of-the-week-mitigating-slow-http-dos-attacks.html


best regards,



Emanuel dos Reis Rodrigues
Senior Level Linux Professional (LPIC-3)
LPI 302 (Mixed Environment) Specialty
LPI 304 (Virtualization and High Availability) Specialty
C|EH Certified Ethical Hacker
CompTIA Security+ Certified
http://br.linkedin.com/in/emanuelreis
t:@emanueldosreis
emanueldosreis(No*SpAm)gmail.com
Mobile: +55 95 8112-9628







On 06/28/2011 10:44 AM, nix@xxxxxxxxxxxxxxxx wrote:
>>   Hi,
>>
>>   its kinda<s>stupid</s>  incorrect way of detecting ddos by reading http
>>   responce.
>>   if server says error 408, it could be just a script which takes long to
>>   complete. if there is some caching server, e.g. nginx, before actual web
>>   server, e.g. apache httpd, then error 502 could be a result of any
>>   apache death, not a ddos attack.
>>   but if you still want to monitor sites in such "unusual" way, and if
>>   you have access to web-servers' serverstatus, you'd could parse them to
>>   find out: amount of simultaneous requests; similar requests by IP;
>>   similar requests by Requested Page; etc.
>>
>>
>>
>> --
>>   Cheers,
>>
>>   Kai
>>
>>      
> Definitely. One way could be also using mod_qos, it provides protection
> against slowtoris attack and you can limit amount of allowed simultaneus
> connections per IP. Here's an example output from log:
>
> Slowtoris:
>
> [Tue Jun 28 02:30:07 2011] [error] mod_qos(034): access denied,
> QS_SrvMinDataRate rule (in): min=154,
> this connection=0, c=64.132.201.98
>
> Too many conns. per IP
>
> [Sun Jun 26 05:13:15 2011] [error] mod_qos(031): access denied,
> QS_SrvMaxConnPerIP rule: max=15, concurrent connections=21,
> message repeated 20 times, c=10.100.12.19
>
> Check out http://opensource.adnovum.ch/mod_qos/
>
>    
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>>      
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>    

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] how to detect DDoS attack through HTTP response analysis(throuput)
  - From: 김무성
- Re: [Full-disclosure] how to detect DDoS attack through HTTP response analysis(throuput)
  - From: Kai
- Re: [Full-disclosure] how to detect DDoS attack through HTTP response analysis(throuput)
  - From: nix

Prev by Date: Re: [Full-disclosure] how to detect DDoS attack through HTTP response analysis(throuput)
Next by Date: Re: [Full-disclosure] Joomla! 1.6.3 and lower | Multiple Cross Site Scripting (XSS) Vulnerabilities
Previous by thread: Re: [Full-disclosure] how to detect DDoS attack through HTTP response analysis(throuput)
Next by thread: Re: [Full-disclosure] how to detect DDoS attack through HTTP response analysis(throuput)
Index(es):
- Date
- Thread