  1. #1

    Question "Keep-Dead" DoS Attack

    I thought I had my DoS/DDoS protection pretty much sorted with some well customised Apache options and http-guardian, but then my friend used this new 'Keep-Dead' tool as a prank against my server and managed to crash it within a couple of minutes.

    Anyone got any ideas how I can protect against this? The problem is that even when I compare the traffic coming in from the attack against real traffic, they both look the same. The attack looks just like any of my other visitors who load up a component heavy page.

    The only thing I can find about the tool is on http://www.esrun.co.uk/blog/keep-alive-dos-script/ but it doesn't give any hints to protecting against it.

  2. #2
    A DoS can be stopped just by limiting the number of connections and requests for each IP.

    Install mod_qos on your Apache and limit 25 connections for each IP and you will not be affected by this tool's DoS.

  3. #3
    Quote Originally Posted by raffo:
        A DoS can be stopped just by limiting the number of connections and requests for each IP.

        Install mod_qos on your Apache and limit 25 connections for each IP and you will not be affected by this tool's DoS.

    Mmm I think you might have misread the info about this attack. It uses only 1 connection at a time. It abuses the Keep-Alive functionality of HTTP/1.1.

  4. #4
    If you want to contact me on PM I will show my private domain that is not affected by this attack.

    You just bypass the attack using limits and cache.

  5. #5
    options are:
    1) turn off KeepAlive
    2) use Varnish for anon requests

    There's also this if you're running fail2ban

    http://bogdan.org.ua/2010/11/06/blat...d-attacks.html

  6. #6
    Raffo, thanks for the offer but I'd prefer if we could keep this in the thread, in order to help anyone else suffering the same problem. As for limits and cache, the script appears to have randomisation built in, in order to ensure the server can't benefit from any caching. Any limits I apply would also restrict genuine users - I don't like the sound of this.


    tchen thanks for the advice. Turning off Keep-Alive isn't really an option for a modern server. It would severely degrade the browsing experience of my users. As for Varnish, I'm not really sure how this could help in this situation. Would you mind expanding on that?

    Cheers

  7. #7
    If you're okay with the anon pages being cacheable, Varnish will alleviate the Apache/DB access that the HEAD request is otherwise targeting. Even if you set a cache duration of say 30 seconds, this DOS is effectively neutered.

    I think the fail2ban rule might be promising if you don't want to go that far. The caveat though is things like Googlebot and Feedburner might be using just HEAD to check pages/feeds so I'd watch those closely or put them as exclusions.

  8. #8
    Quote Originally Posted by tchen:
        If you're okay with the anon pages being cacheable, Varnish will alleviate the Apache/DB access that the HEAD request is otherwise targeting. Even if you set a cache duration of say 30 seconds, this DOS is effectively neutered.

        I think the fail2ban rule might be promising if you don't want to go that far. The caveat though is things like Googlebot and Feedburner might be using just HEAD to check pages/feeds so I'd watch those closely or put them as exclusions.

    Is this method effective against the randomised requests that the script makes? Every request is unique (specifically it's targeting the search form and login forms) so I don't think a cache would be effective.

    I'll also look into fail2ban but if you could comment on the above, I'd appreciate it.

    Cheers

  9. #9
    Ah, unique requests will get through Varnish. Good one.

    Looking quickly at the fail2ban rule, I think that would catch it though. It's currently set up to be URL agnostic and only bans based on the number of HEAD requests per second. He's got it set up a lot tighter than I would have, but it sounds like it works too.
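The detection idea tchen describes in #7 and #9 (count HEAD requests per source IP per second regardless of URL, with exclusions for known crawlers) can be checked offline against an access log before wiring it into fail2ban. The script below is an added example written for this thread; it is not the linked fail2ban rule, the Keep-Dead script, or anything from the thread's posters. The log lines, IP addresses, the threshold of 10 HEAD requests per second, and the user-agent exclusion list are all constructed assumptions for the demonstration.

```python
import re
from collections import defaultdict

# Regex for the Apache "combined" log format. Apache timestamps have
# one-second resolution, so grouping on the raw timestamp string
# gives a per-second bucket for free.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def _line(ip, ts, method, path, ua):
    """Build one combined-format log line (constructed sample data)."""
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" 200 - "-" "{ua}"'


# Constructed sample log, all within the same second:
#  - one source sends 12 HEAD requests with unique query strings
#    against the search and login forms (the pattern described in #8),
#  - a crawler checks a feed with a few HEADs (the caveat from #7),
#  - an ordinary visitor loads a page with many GETs.
TS = "06/Nov/2010:10:15:01 +0000"
SAMPLE_LOG = (
    [_line("203.0.113.7", TS, "HEAD", f"/search?q=r{i:04x}", "Mozilla/5.0") for i in range(6)]
    + [_line("203.0.113.7", TS, "HEAD", f"/login?nonce={i}", "Mozilla/5.0") for i in range(6)]
    + [_line("192.0.2.50", TS, "HEAD", "/feed", "Googlebot/2.1") for _ in range(3)]
    + [_line("198.51.100.3", TS, "GET", f"/static/img{i}.png", "Mozilla/5.0") for i in range(20)]
)


def parse_line(line):
    """Return the parsed fields of a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def head_rate_offenders(lines, threshold=10, exclude_ua=("Googlebot", "FeedBurner")):
    """Return {ip: peak HEAD requests in any single second} for IPs at or above threshold.

    The check is URL agnostic on purpose: the randomised query strings
    that defeat a cache do not matter here, only the method and the rate.
    User agents containing any of the exclude_ua substrings are skipped
    (an assumption mirroring the crawler exclusions suggested in #7).
    """
    per_second = defaultdict(int)  # (ip, timestamp-to-the-second) -> HEAD count
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "HEAD":
            continue
        if any(tag in rec["ua"] for tag in exclude_ua):
            continue
        per_second[(rec["ip"], rec["ts"])] += 1

    peak = defaultdict(int)
    for (ip, _ts), n in per_second.items():
        peak[ip] = max(peak[ip], n)
    return {ip: n for ip, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in head_rate_offenders(SAMPLE_LOG).items():
        print(f"{ip}: peak {n} HEAD requests/second")
```

Run against the constructed log, only 203.0.113.7 is reported (12 HEADs in one second); the crawler is skipped by user agent and the GET-heavy visitor never counts. Two caveats for turning this into a ban rule: a user-agent string is chosen by the client, so an exclusion list based on it keeps the legitimate crawlers safe but should be backed by reverse-DNS verification of the crawler's address range, and the threshold should be tuned from your own logs so that a real visitor opening a component-heavy page (which issues GETs, not bursts of HEADs) is never close to it.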
