httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Sam Testuser <toximoron...@yahoo.co.uk>
Subject Re: [users@httpd] How to prevent from simple DoS?
Date Fri, 23 Nov 2007 09:48:32 GMT

> Joshua Slive <joshua@slive.ca> wrote:
> Ok. I see the issue better now.
> 
> But what really is the point in trying to eliminate the client who
> dribbles out data in order to get around the TimeOut? If you are
> performing a DDoS, you can easily behave just like an ordinary client
> (requesting real files), and thereby be almost undetectable. Why
> bother playing silly timeout tricks?

This is only a variant of resource exhaustion. Slashdot effect
is certainly devastating. But while the latter is well
known, this one is mostly obscure. Attackers build silly TCP packets
to hose servers, I am sure they also use silly timeout
tricks if it does the job they want.

This attack has many special traits. One of the more annoying ones is 
sudden and total death. Your server can go from snappy response to
100% blocked in a mere second. If you still manage to access the status
page (I have not managed to do this, though), it would tell you 
the following in most attack variants:

Srv PID   Acc   M  CPU  SS Req Conn Child Slot Client VHost Request
1-0 16053 0/0/0 R  0.00 13 0   0.0  0.00  0.00 ?      ?     ..reading..

You do not even see the attacking IP. It's all very silent and your 
logfile will be empty apart from an informative "server seems busy". 
In fact it is not busy. It is idle (polling). But blocked.




       
---------------------------------
 For ideas on reducing your carbon footprint visit Yahoo! For Good this month.
Mime
View raw message