[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] how to detect DDoS attack through HTTP response analysis(throuput)
- To: "Kai" <kai@xxxxxxxxx>, kimms@xxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] how to detect DDoS attack through HTTP response analysis(throuput)
- From: nix@xxxxxxxxxxxxxxxx
- Date: Tue, 28 Jun 2011 17:44:56 +0300
> Hi,
>
> its kinda <s>stupid</s> incorrect way of detecting ddos by reading http
> responce.
> if server says error 408, it could be just a script which takes long to
> complete. if there is some caching server, e.g. nginx, before actual web
> server, e.g. apache httpd, then error 502 could be a result of any
> apache death, not a ddos attack.
> but if you still want to monitor sites in such "unusual" way, and if
> you have access to web-servers' serverstatus, you'd could parse them to
> find out: amount of simultaneous requests; similar requests by IP;
> similar requests by Requested Page; etc.
>
>
>
> --
> Cheers,
>
> Kai
>
Definitely. One way could be also using mod_qos, it provides protection
against slowtoris attack and you can limit amount of allowed simultaneus
connections per IP. Here's an example output from log:
Slowtoris:
[Tue Jun 28 02:30:07 2011] [error] mod_qos(034): access denied,
QS_SrvMinDataRate rule (in): min=154,
this connection=0, c=64.132.201.98
Too many conns. per IP
[Sun Jun 26 05:13:15 2011] [error] mod_qos(031): access denied,
QS_SrvMaxConnPerIP rule: max=15, concurrent connections=21,
message repeated 20 times, c=10.100.12.19
Check out http://opensource.adnovum.ch/mod_qos/
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/