[mod-security-users] DDOS on the appl level, timeouts and blacklisting
From: Christian F. <chr...@ti...> - 2006-08-21 19:04:22
Hi there,

There have been a couple of meetings regarding DDoS threats against our SSL sites. So far no attack has occurred, but we are trying to be prepared. It seems simple to initiate a valid connection with one of our reverse proxies and then do basically nothing until the timeout occurs. It's 300 seconds by default. Let's say we swallow a couple of thousand of these connections, but we are no challenge for one of the bigger botnets out there.

The network guys are constantly building up their defense lines against DDoS attacks on the network layers, but our domain, OSI layer 7, looks quite undefended in this aspect. We can't seem to find a way to tell the legitimate from DDoS requests. Ideally we would be able to lower the "total amount of time it takes to receive a GET request" (and POST headers without file uploads accordingly) separately from the rest of the timeouts. But even Apache 2.2 knows but a general timeout parameter. If we were able to tell the bad requests and get their IP address, we could forward them to our front firewall or even the ISP and have their SYNs dropped.

I have browsed the mod_security 2.0 reference, but I did not find the silver bullet. So the question is, can mod_security do anything in this regard, or do you fellow readers have any other smart ideas?

It might be helpful to have a variable in mod_security that would tell me something about the time it took from the initialisation of the request to the processing in mod_security. Obviously in mod_security there is TIME_EPOCH, but how to tell when the connection started? However, this idea is built on the premise that the request arrives in mod_security at last. This means the header has to be sent. How about something like a watchdog timer that activates some special mod_security processing phase for requests that never make it to Phase 1 - request headers. Even those that do not terminate the SSL handshake should be considered.

Any thoughts are appreciated,

Christian Folini

--
The fool doth think he is wise, but the wise man knows himself to be a fool.
-- William Shakespeare in As You Like It
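An added example, not part of the thread, addressing the wish above to identify the IP addresses of clients that hold connections open without ever completing a request. When a client opens a connection but sends no request line or headers before Timeout expires, Apache records an access_log entry with an empty request line and status 408; the script below (assumed combined log format, constructed sample lines, assumed threshold and window values) counts such entries per client IP over a sliding time window and returns the IPs that exceed the threshold, which is the list one would hand to the firewall team.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access_log lines (combined format). Entries with request
# "-" and status 408 are what Apache writes when a client never sends its
# request headers before the Timeout expires.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Aug/2006:19:00:01 +0200] "-" 408 - "-" "-"
203.0.113.7 - - [21/Aug/2006:19:00:03 +0200] "-" 408 - "-" "-"
198.51.100.4 - - [21/Aug/2006:19:00:05 +0200] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Aug/2006:19:00:09 +0200] "-" 408 - "-" "-"
198.51.100.4 - - [21/Aug/2006:19:05:30 +0200] "-" 408 - "-" "-"
203.0.113.7 - - [21/Aug/2006:19:00:12 +0200] "-" 408 - "-" "-"
"""

# client IP, timestamp, request line, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    """Parse one combined-format line; return None for unparsable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, req, status = m.groups()
    return ip, datetime.strptime(ts, TS_FMT), req, int(status)

def slow_clients(log_text, threshold=3, window_s=60):
    """Return {ip: count} for IPs with >= threshold header-read timeouts (408)
    inside any sliding window of window_s seconds. Threshold/window are
    assumed tuning values, not Apache settings."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec[3] == 408:
            events[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in events.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            # advance the window start until it fits within window_s
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

if __name__ == "__main__":
    for ip, n in slow_clients(SAMPLE_LOG).items():
        print(f"{ip}: {n} header timeouts within 60s")
```

Only clients that actually time out are visible this way; a client that drops the connection during the SSL handshake never reaches the access log, so that case still needs the network-layer tooling mentioned above.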