From: TOKILEY@aol.com
Date: Tue, 26 Oct 2004 13:08:55 EDT
Subject: Re: cvs commit: httpd-2.0/server protocol.c
To: dev@httpd.apache.org
CC: TOKILEY@aol.com
Message-ID: <9d.51034f88.2eafdea7@aol.com>

>> You MUST have SOMETHING that knows the difference
>> or you don't have DOS protection.
>>
>> Also... if you wait all the way until you have a 'log' entry for
>> a DOS in progress then you haven't achieved the goal
>> of sensing them 'at the front door'.
>
> I don't set myself that goal. I agree that it's the best place
> to detect a DoS but it's often not possible for various reasons.
> With that option not available I prefer to be able to detect
> DoS attacks anywhere I can.

Roger that.

>> What I was suggesting is some kind of 'connection' based
>> filter that has all the well-known DOS attack scheme
>> algorithms in place and can 'sense' when they are happening
>> before the Server gets overloaded.
>
> That does not need to be in web server at all. It can
> work from within the kernel, or be a part of a network
> gateway.

Double Roger That

Yours...
Kevin Kiley