Full Disclosure: Re: how to detect DDoS attack through HTTP response analysis(throuput)

Re: how to detect DDoS attack through HTTP response analysis(throuput)

From: Emanuel dos Reis Rodrigues <emanueldosreis () gmail com>
Date: Tue, 28 Jun 2011 11:21:08 -0400

Hello folks,


The modsecurity have a better result than mod_qos to slowloris attack, 
mod_qos trend to increase the false positives  because of NAT and slow 
users.

If you test the R-U-D-Y,  you see that, modsecurity too  protect against 
them.

See: 
http://blog.spiderlabs.com/2010/11/advanced-topic-of-the-week-mitigating-slow-http-dos-attacks.html


best regards,



Emanuel dos Reis Rodrigues
Senior Level Linux Professional (LPIC-3)
LPI 302 (Mixed Environment) Specialty
LPI 304 (Virtualization and High Availability) Specialty
C|EH Certified Ethical Hacker
CompTIA Security+ Certified
http://br.linkedin.com/in/emanuelreis
t:@emanueldosreis
emanueldosreis(No*SpAm)gmail.com
Mobile: +55 95 8112-9628







On 06/28/2011 10:44 AM, nix () myproxylists com wrote:

  Hi,

  its kinda<s>stupid</s>  incorrect way of detecting ddos by reading http
  responce.
  if server says error 408, it could be just a script which takes long to
  complete. if there is some caching server, e.g. nginx, before actual web
  server, e.g. apache httpd, then error 502 could be a result of any
  apache death, not a ddos attack.
  but if you still want to monitor sites in such "unusual" way, and if
  you have access to web-servers' serverstatus, you'd could parse them to
  find out: amount of simultaneous requests; similar requests by IP;
  similar requests by Requested Page; etc.



--
  Cheers,

  Kai

Definitely. One way could be also using mod_qos, it provides protection
against slowtoris attack and you can limit amount of allowed simultaneus
connections per IP. Here's an example output from log:

Slowtoris:

[Tue Jun 28 02:30:07 2011] [error] mod_qos(034): access denied,
QS_SrvMinDataRate rule (in): min=154,
this connection=0, c=64.132.201.98

Too many conns. per IP

[Sun Jun 26 05:13:15 2011] [error] mod_qos(031): access denied,
QS_SrvMaxConnPerIP rule: max=15, concurrent connections=21,
message repeated 20 times, c=10.100.12.19

Check out http://opensource.adnovum.ch/mod_qos/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

By Date By Thread

Current thread:

how to detect DDoS attack through HTTP response analysis(throuput) 김무성 (Jun 27)
- Re: how to detect DDoS attack through HTTP response analysis(throuput) Dobbins, Roland (Jun 27)
- Re: how to detect DDoS attack through HTTP response analysis(throuput) Kai (Jun 27)
  - Re: how to detect DDoS attack through HTTP response analysis(throuput) nix (Jun 28)
    - Re: how to detect DDoS attack through HTTP response analysis(throuput) Emanuel dos Reis Rodrigues (Jun 28)
- Re: how to detect DDoS attack through HTTP response analysis(throuput) coderman (Jun 29)
  - Re: how to detect DDoS attack through HTTP response analysis(throuput) Ferenc Kovacs (Jun 29)
  - Re: how to detect DDoS attack through HTTP response analysis(throuput) 김무성 (Jun 30)
    - Re: how to detect DDoS attack through HTTP response analysis(throuput) coderman (Jun 30)