Re: [Hampshire] DDoS survival strategies

Author: Damian L Brasher
Date:  
To: hampshire
Subject: Re: [Hampshire] DDoS survival strategies

gpg: Signature made Mon Sep 5 18:39:52 2011 BST
gpg: using RSA key E5B6AC918A7E551C
On Mon, 2011-09-05 at 16:58 +0100, James Bensley wrote:
> Hi Damian,
>
> I like your script for pulling out IPs and counting their entries,
> works just fine on my dev machine, but I don't see how it could be
> practically used. Looking at the number of times alone one IP has
> accessed your site is not a good measurement of being DDoS'ed. It just
> means someone loves your site.


True, designed as a tool for checking for signs. The actual figures are
subjective.

> I guess it would be obvious if you have say 1000 hits a day total
> aggregate on average, and you see one single IP access your site
> 10,000 in the last ten minutes. Before that can happen though you need
> to add some date functionality in there otherwise the data is
> meaningless; you have nothing to reference it against, presumably it
> needs to be at least 'hits per IP over X time period'.


Same as above really. Your suggestions will be worth thinking about
incorporating though.

> Also, I think if your script passed those IPs to iptables as rules
> that would be awesome! In fact now that I think about it, maybe you
> could just do this all in IP tables without a script?
>
> /sbin/iptables -N HTTPHITS
> /sbin/iptables -A HTTPHITS -p tcp -m state --state NEW -m tcp --dport 80 -m recent --set --name HTTP --rsource
> /sbin/iptables -A HTTPHITS -p tcp -m state --state NEW -m tcp --dport 80 -m recent --update --seconds 180 --hitcount 1000 --name HTTP --rsource -j DROP
>
> So these rules will essentially drop traffic from an IP that has
> already made 1000 requests to your server within the last 3 minutes,
> something like that perhaps? Like your script though, just going on
> numbers of hits is a dangerous method.


Not sure about dangerous, but some thought needs to go into interpreting
the output. The script is just a quick measuring stick :)

Best
Damian

--
Interlinux Engineering Foundation http://www.interlinux.org.uk

Central, non-trading, administration, governance and dissemination of
foundation intellectual property and know-how.

GPG 8A7E551C
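The "hits per IP over X time period" measurement James asks for, as an added example that is not part of this thread and not Damian's script: a sliding-window counter over standard combined-format access log lines (Apache or nginx), which reports an IP the first time it exceeds a threshold of requests inside the window. The log lines, the window of 10 minutes, the threshold of 100 and the two client addresses are all constructed here for the example; a real run would read the live log instead of build_sample_log().

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format: client IP is the first field, timestamp sits in [...]
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\]')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, datetime) for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def flag_hot_ips(lines, window=timedelta(minutes=10), threshold=100):
    """
    Sliding-window counter. For each IP keep the timestamps of its requests
    that fall inside the last `window`; record the first moment an IP has more
    than `threshold` hits inside that window. Lines must be in time order, as
    a log file is. Returns {ip: (hits_in_window, time_first_exceeded)}.
    """
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort on them
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        # drop timestamps older than the window so the deque only holds the window
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold and ip not in flagged:
            flagged[ip] = (len(q), ts)
    return flagged


def build_sample_log():
    """
    Constructed sample input (not real traffic). Both clients make 150 requests,
    which a plain per-IP count cannot tell apart:
      198.51.100.7 sends them in 5 minutes (one every 2 s), a burst,
      203.0.113.9 spreads them over 24 hours (one every 576 s), a busy regular.
    """
    tz = timezone(timedelta(hours=1))  # BST, matching the thread's timestamps
    start = datetime(2011, 9, 5, 16, 0, 0, tzinfo=tz)
    events = []
    for i in range(150):
        events.append((start + timedelta(seconds=2 * i), "198.51.100.7"))
    for i in range(150):
        events.append((start + timedelta(seconds=576 * i), "203.0.113.9"))
    events.sort()
    return [
        f'{ip} - - [{ts.strftime(TS_FMT)}] "GET / HTTP/1.1" 200 512 "-" "curl/7.21"'
        for ts, ip in events
    ]


if __name__ == "__main__":
    for ip, (hits, when) in flag_hot_ips(build_sample_log()).items():
        print(f"{ip}: {hits} hits in the last 10 min as of {when:%H:%M:%S}")
```

On the constructed sample only 198.51.100.7 is reported (101 hits in the window, reached 200 seconds in); 203.0.113.9 never has more than two requests inside any 10-minute window despite the identical total. The window/threshold pair is the same quantity the quoted iptables rule expresses with `--seconds 180 --hitcount 1000`; one caveat on that rule is that xt_recent rejects a `--hitcount` larger than its `ip_pkt_list_tot` module parameter, which defaults to 20, so a value of 1000 needs the module loaded with a larger limit.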