  1. #26
    Join Date
    Aug 2005
    Location
    Canada
    Posts
    862
    Quote Originally Posted by jwr
    What about it? We personally use a different setup that filters upstream of the customers box. If you want to make ddos-deflate I'm sure nobody is going to stop you.
    Some people are using DDOS-deflate, even with the server hosted with "DDOS protected" providers.

    Now, maybe at awknet, you do provide the protection to this kind of attack at the firewall, and users don't have to do it by themselves.
    (Is it the case?)

    But people who use ordinary DC or DC with less protection may need to use it.

    As layer0 stated, it seems to work well with some machines, but not very well on less powerful machines.

    So, I was wondering if it's beneficial to improve DDOS-deflate.
    I think the question was relatively easy to understand and to answer for a competent person.
    And I am hoping to see both your (awknet, sharktech, and others) competency/helpfulness and also if it's worth spending some hours on it.

    I think everyone can gain by this.
    You can show/prove your competence/helpfulness, users may gain more knowledge.
    And if we decide to improve DDOS-Deflate, it may help many people, too.

  2. #27
    Join Date
    Feb 2004
    Location
    here and there
    Posts
    767
    Quote Originally Posted by extras
    words
    And how do you plan to improve it for lower end machines? It's just some simple unix scripting running generic network tools. There's not a whole lot you've got left to optimize here.

    What you need to focus on in these types of situations is the HTTP server itself.
    Dedicated Servers, Virtual Machines, Colocation, BGP & IPs
    objx.net - AS33333 - Salt Lake, Utah
    awknet.com - AS17048 - Los Angeles, California

  3. #28
    Join Date
    Aug 2002
    Location
    Seattle
    Posts
    5,525
    You can optimize your server software all day long and gain a performance boost of roughly 10,000 PPS in DDoS filtering of GET requests.

    Anything more (and many folks are seeing a LOT more) will require a network based solution specifically designed for such attacks. Most DDoS protection services do not meet this criterion.

  4. #29
    Join Date
    Mar 2006
    Location
    New York USA
    Posts
    404
    Use APF, Mod_Security, Mod_Evasive, and a good Apache config, and most attacks should be filtered and/or dropped, as well as IPs banned.

  5. #30
    Join Date
    Aug 2005
    Location
    Canada
    Posts
    862
    Thank you for the opinion.

    Quote Originally Posted by jwr
    And how do you plan to improve it for lower end machines?
    It's just some simple unix scripting running generic network tools. There's not a whole lot you've got left to optimize here.
    It's a shellscript with rather lengthy pipes.
    In the pipe, it's using awk, and perl can be faster, for example.
    Also, the entire pipe chain can be replaced by single perl script.
    In the loop, it's using a few backquotes that can be replaced by simple pure shellscript code.
    And there are some other possible ways to improve it, including rewriting it in C/C++/Ocaml or taking the source code of netstat and modifying it.
    As the logic behind the DDOS-deflate is simple, it can be implemented in many ways.
    So, there are many ways to improve it with different amount of effort required.
    That's why I was wondering what to do with it, as I didn't want to put lots of hours if the improvement is minimal.


    And it (if it's really worth it, and which method we should use) depends on the number of IPs netstat -ntu would be producing and maybe a few other factors, most probably.
    If the output from netstat is small, the effect of improvement will be pretty small.
    Still, on a low end machine in a higher load average situation, making it lighter MAY improve the responsiveness and thus contribute to a quicker IP ban.

    Other than that, if it's lighter, we can let it run more often.
    Currently, the minimum interval is 1 minute because it is using cron.

    By using "watch" or simply making it a background job and letting it "sleep" for whatever number of seconds, it may be able to catch the bad IP before it can affect the performance of the machine.


    What you need to focus on in these types of situations is the HTTP server itself.
    I agree. I would stop using heavy slow PHP, and the site can be far more resistant.
    Using different web server and it can serve/resist better, probably.

    But there are people stuck with slow/heavy PHP apps and they don't have time nor knowledge to do these.
    So, I thought providing them with a drop-in replacement for DDOS-deflate might be the easiest way to help at least some of them.


    Maybe it's better to test running current DDOS-deflate, more frequently, to see if it helps, first.
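
The per-IP counting step discussed in post #30, done in one awk process instead of a pipe chain. This is an added example, not DDoS-deflate's own code and not from any poster; the function names, the limits and the sample netstat output are constructed, and it only reports offenders, leaving the ban to whatever firewall tool is in use.

```shell
#!/bin/sh
# Added example (not DDoS-deflate code). Function names, limits and sample data are assumptions.

# count_offenders LIMIT: read `netstat -ntu` output on stdin and print
# "count ip" for each remote address holding more than LIMIT connections.
count_offenders() {
    awk -v limit="$1" '
        # Keep only tcp/udp rows; this skips both netstat header lines.
        $1 !~ /^(tcp|udp)/ { next }
        {
            addr = $5                      # foreign address column
            sub(/:[0-9*]+$/, "", addr)     # drop the trailing :port
            sub(/^::ffff:/, "", addr)      # unwrap IPv4-mapped IPv6
            # Never count loopback or wildcard peers.
            if (addr == "" || addr == "127.0.0.1" || addr == "::1" ||
                addr == "0.0.0.0" || addr == "::") next
            seen[addr]++
        }
        END {
            for (a in seen)
                if (seen[a] > limit) print seen[a], a
        }
    ' | sort -rn
}

# Constructed sample of `netstat -ntu` output (documentation address ranges).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51001      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51002      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51003      SYN_RECV
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:198.51.100.7:51004 ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:198.51.100.7:51005 TIME_WAIT
tcp        0      0 192.0.2.10:80           203.0.113.9:40000       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.9:40001       ESTABLISHED
tcp        0      0 127.0.0.1:3306          127.0.0.1:55000         ESTABLISHED
udp        0      0 192.0.2.10:53           0.0.0.0:*
EOF
}

# Demo on the sample. As a background job instead of cron (interval is an assumption):
#   while :; do netstat -ntu | count_offenders 150; sleep 10; done
sample_netstat | count_offenders 3
```

Without the `::ffff:` unwrapping, the same client reaching a dual-stack listener is counted under two different keys and can stay under the limit.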

  6. #31
    Join Date
    Aug 2005
    Location
    Canada
    Posts
    862
    Quote Originally Posted by IRCCo Jeff
    You can optimize your server software all day long and gain a performance boost of roughly 10,000 PPS in DDoS filtering of GET requests.

    Anything more (and many folks are seeing a LOT more) will require a network based solution specifically designed for such attacks. Most DDoS protection services do not meet this criterion.
    I was thinking about the small percentage of people who are near the border line.
    For those who are getting huge DDOS or any other attacks, a small improvement wouldn't do any good.

    Personally, I would like to see the other way of fighting DDOS/attacks.
    ISPs and hosts should be doing more about those hijacked machines/accounts.
    And law enforcement should be doing more.
    MS should be donating zillions of dollars they made by selling insecure software.
    And each user should be doing more to keep the health of their machines/accounts.

    I'm not so optimistic about the situation, though ...

  7. #32
    Join Date
    Aug 2000
    Location
    Sheffield, South Yorks
    Posts
    3,627
    Quote Originally Posted by extras
    MS should be donating zillions of dollars they made by selling insecure software.
    Then you'd best tax all software devs then, all software has bugs and insecurities.
    Karl Austin :: KDAWS.com
    The Agency Hosting Specialist :: 0800 5429 764
    Partner with us and free-up more time for income generating tasks

  8. #33
    Join Date
    Aug 2005
    Location
    Canada
    Posts
    862
    They sold Windows as a secure software while leaving html mail with javascript/activeX on by default, for example.

    CD/DVD autoplay is still On by default, I think.

    It's different from "a bug".

  9. #34
    Join Date
    Aug 2000
    Location
    Sheffield, South Yorks
    Posts
    3,627
    I don't recall MS ever describing any of their software as secure, I think the phrase was "more secure" as in more secure than previous versions, but never sold as secure.
    Karl Austin :: KDAWS.com
    The Agency Hosting Specialist :: 0800 5429 764
    Partner with us and free-up more time for income generating tasks

  10. #35
    Join Date
    Aug 2002
    Location
    Seattle
    Posts
    5,525
    Quote Originally Posted by extras
    I was thinking about the small percentage of people who are near the border line.
    For those who are getting huge DDOS or any other attacks, a small improvement wouldn't do any good.

    Personally, I would like to see the other way of fighting DDOS/attacks.
    ISPs and hosts should be doing more about those hijacked machines/accounts.
    And law enforcement should be doing more.
    MS should be donating zillions of dollars they made by selling insecure software.
    And each user should be doing more to keep the health of their machines/accounts.

    I'm not so optimistic about the situation, though ...
    As a member of law enforcement myself, I can tell you that authorities at all levels are doing everything they can to stop DDoS. The problem is with the court system. There are not sufficient penalties to dissuade the packet children.
