httpd-dev mailing list archives

From TOKI...@aol.com
Subject Re: cvs commit: httpd-2.0/server protocol.c
Date Tue, 26 Oct 2004 11:59:55 GMT

>> In the case you just mentioned... it is going to take
>> a special 'filter' to 'sense' that a possible DOS 
>> attack is in progress. Just fair amounts of 'dataless'
>> connection requests from one or a small number of origins
>> don't qualify. There are plenty of official
>> algorithms around now to 'sense' most of these
>> brute force attacks and ( only then ) pop you an
>> 'alert' or something.
>> 
>> Just relying on a gazillion entries in a log file isn't
>> the right way to 'officially' distinguish a DOS attack
>> from just ( as Roy says ) 'life on the Internet'.
>
>  Sure, you may need to have some logic to determine what makes
>  an attack and what not, but you must have the log entry to
>  begin with so you feed it to the algorithm.

Respectfully disagree.

There is no 'may' about it.

You MUST have SOMETHING that knows the difference
or you don't have DOS protection.

Also... if you wait all the way until you have a 'log' entry for
a DOS in progress then you haven't achieved the goal
of sensing them 'at the front door'.

What I was suggesting is some kind of 'connection' based
filter that has all the well-known DOS attack scheme
algorithms in place and can 'sense' when they are happening
before the Server gets overloaded.

Once the DOS protection kicks in... you don't get any
'log' entries at all... the goal is to prevent the connections
from ever turning into 'requests' that the Server has to
waste time processing.

It's your only chance to survive a real DOS attack.

Yours...
Kevin Kiley
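As an added illustration of the "front door" filter argued for above (this is example code, not part of the mailing-list message and not httpd's own code): a per-source connection filter that decides at accept time, before a connection ever becomes a request the server has to parse. The thresholds, the class and function names, and the constructed event stream (five ordinary clients plus one source opening 200 connections it never closes) are assumptions made for the example; the only record the filter produces is a per-source accept/drop count, so rejected connections generate no request-level log entries at all.

```python
"""Added example: a per-source "front door" connection filter.

Not from the httpd-dev message or from httpd itself; thresholds, names
and the replayed traffic are assumptions constructed for illustration.
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnEvent:
    t: float      # seconds since start of the capture
    src: str      # client address
    kind: str     # "open" or "close"


class FrontDoorFilter:
    """Sliding-window open-rate limit plus a concurrency cap, per source.

    Both checks run in on_open(), i.e. at accept time.  A rejected
    connection is dropped before it can turn into a request, so nothing
    downstream (request parsing, access logging) ever sees it.
    """

    def __init__(self, window_s=10.0, max_opens_per_window=20, max_concurrent=10):
        self.window_s = window_s
        self.max_opens = max_opens_per_window
        self.max_concurrent = max_concurrent
        self._opens = defaultdict(deque)   # src -> timestamps of accepted opens
        self.active = Counter()            # src -> connections currently open
        self.accepted = Counter()
        self.rejected = Counter()

    def on_open(self, t, src):
        """Return True to accept the connection, False to drop it."""
        recent = self._opens[src]
        while recent and t - recent[0] >= self.window_s:   # slide the window
            recent.popleft()
        if self.active[src] >= self.max_concurrent or len(recent) >= self.max_opens:
            self.rejected[src] += 1
            return False
        recent.append(t)
        self.active[src] += 1
        self.accepted[src] += 1
        return True

    def on_close(self, src):
        if self.active[src] > 0:
            self.active[src] -= 1


def replay(events, filt):
    """Feed a time-ordered event stream through the filter.

    Returns {src: (accepted, rejected)}.
    """
    for ev in sorted(events, key=lambda e: e.t):
        if ev.kind == "open":
            filt.on_open(ev.t, ev.src)
        else:
            filt.on_close(ev.src)
    srcs = set(filt.accepted) | set(filt.rejected)
    return {s: (filt.accepted[s], filt.rejected[s]) for s in srcs}


def sample_events():
    """Constructed traffic (assumed, not captured): five ordinary clients
    opening three short-lived connections each, plus one source that opens
    200 connections in five seconds and never closes any of them."""
    events = []
    for i in range(1, 6):
        src = f"10.0.0.{i}"
        for t in (1.0, 4.0, 7.0):
            events.append(ConnEvent(t, src, "open"))
            events.append(ConnEvent(t + 0.5, src, "close"))
    flooder = "198.51.100.7"
    for n in range(200):
        events.append(ConnEvent(n * 0.025, flooder, "open"))   # dataless, never closed
    return events


def demo():
    """Run the constructed traffic through default thresholds."""
    return replay(sample_events(), FrontDoorFilter())


if __name__ == "__main__":
    for src, (ok, dropped) in sorted(demo().items()):
        print(f"{src:15} accepted={ok:3} dropped={dropped:3}")
```

With the default thresholds the flooding source is allowed its first ten concurrent connections and the remaining 190 are dropped at accept, while every connection from the ordinary clients is accepted; the concurrency cap fires before the rate window does because the flooder never releases what it holds. A real deployment would size the window and caps from observed traffic rather than from the constants assumed here.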
(The quoted text above is from a message dated 10/26/2004 8:50:11 AM Central Daylight Time by ivanr@webkreator.com.)