Thread: HTTP "GET" FLOOD Prevention?
-
12-20-2006, 01:38 AM #26 Web Hosting Master
- Join Date
- Aug 2005
- Location
- Canada
- Posts
- 862
Originally Posted by jwr
Now, maybe at awknet, you do provide the protection to this kind of attack at the firewall, and users don't have to do it by themselves.
(Is it the case?)
But people who use ordinary DC or DC with less protection may need to use it.
As layer0 stated, it seems to work well with some machines, but not very well on less powerful machines.
So, I was wondering if it's beneficial to improve DDOS-deflate.
I think the question was relatively easy to understand and to answer for a competent person.
And I am hoping to see both your (awknet, sharktech, and others) competency/helpfulness and also if it's worth spending some hours on it.
I think everyone can gain by this.
You can show/prove your competence/helpfulness, users may gain more knowledge.
And if we decide to improve DDOS-Deflate, it may help many people, too.
-
12-20-2006, 06:04 AM #27 roflcopter
- Join Date
- Feb 2004
- Location
- here and there
- Posts
- 767
Originally Posted by extras
What you need to focus on in these types of situations is the HTTP server itself.
Dedicated Servers, Virtual Machines, Colocation, BGP & IPs
objx.net - AS33333 - Salt Lake, Utah
awknet.com - AS17048 - Los Angeles, California
-
12-20-2006, 12:56 PM #28 CISSP-ISSMP, CISA
- Join Date
- Aug 2002
- Location
- Seattle
- Posts
- 5,525
You can optimize your server software all day long and gain a performance boost of roughly 10,000 PPS in DDoS filtering of GET requests.
Anything more (and many folks are seeing a LOT more) will require a network-based solution specifically designed for such attacks. Most DDoS protection services do not meet these criteria.
-
12-20-2006, 02:59 PM #29 Aspiring Evangelist
- Join Date
- Mar 2006
- Location
- New York USA
- Posts
- 404
Use APF, Mod_Security, Mod_Evasive, and a good Apache config, and most attacks should be filtered and/or dropped, as well as IPs banned.
-
12-22-2006, 03:45 AM #30 Web Hosting Master
- Join Date
- Aug 2005
- Location
- Canada
- Posts
- 862
Thank you for the opinion.
Originally Posted by jwr
In the pipe, it's using awk, and perl can be faster, for example.
Also, the entire pipe chain can be replaced by single perl script.
In the loop, it's using a few backquotes that can be replaced by simple pure shellscript code.
And there are some other possible ways to improve it, including rewriting it in C/C++/Ocaml or taking the source code of netstat and modifying it.
As the logic behind the DDOS-deflate is simple, it can be implemented in many ways.
So, there are many ways to improve it with different amounts of effort required.
That's why I was wondering what to do with it, as I didn't want to put lots of hours if the improvement is minimal.
And it (if it's really worth, and which method should we use) depends on the number of IPs netstat -ntu would be producing and maybe a few other factors, most probably.
If the output from netstat is small, the effect of improvement will be pretty small.
Still, on a low end machine with higher load average situation, making it lighter MAY improve the responsiveness and thus contribute to a quicker IP ban.
Other than that, if it's lighter, we can let it run more often.
Currently, the minimum interval is 1 minute because it is using cron.
By using "watch" or simply making it a background job and letting it "sleep" whatever the seconds, it may be able to catch the bad IP before it can affect the performance of the machine.
What you need to focus on in these types of situations is the HTTP server itself.
Using a different web server, it can serve/resist better, probably.
But there are people stuck with slow/heavy PHP apps and they don't have time nor knowledge to do these.
So, I thought providing them with a drop-in replacement for DDOS-deflate might be the easiest way to help at least some of them.
Maybe it's better to test running current DDOS-deflate, more frequently, to see if it helps, first.
-
12-22-2006, 03:55 AM #31 Web Hosting Master
- Join Date
- Aug 2005
- Location
- Canada
- Posts
- 862
Originally Posted by IRCCo Jeff
For those who are getting huge DDOS or any other attacks, a small improvement wouldn't do any good.
Personally, I would like to see the other way of fighting DDOS/attacks.
ISP and hosts should be doing more about those hijacked machines/accounts.
And law enforcement should be doing more.
MS should be donating zillions of dollars they made by selling insecure software.
And each user should be doing more to keep the health of their machines/accounts.
I'm not so optimistic about the situation, though ...
-
12-22-2006, 05:37 AM #32 Web Hosting Master
- Join Date
- Aug 2000
- Location
- Sheffield, South Yorks
- Posts
- 3,627
Originally Posted by extras
Karl Austin :: KDAWS.com
The Agency Hosting Specialist :: 0800 5429 764
Partner with us and free-up more time for income generating tasks
-
12-22-2006, 06:11 AM #33 Web Hosting Master
- Join Date
- Aug 2005
- Location
- Canada
- Posts
- 862
They sold Windows as secure software while leaving HTML mail with JavaScript/ActiveX on by default, for example.
CD/DVD autoplay is still on by default, I think.
It's different from "a bug".
-
12-22-2006, 06:15 AM #34 Web Hosting Master
- Join Date
- Aug 2000
- Location
- Sheffield, South Yorks
- Posts
- 3,627
I don't recall MS ever describing any of their software as secure, I think the phrase was "more secure" as in more secure than previous versions, but never sold as secure.
Karl Austin :: KDAWS.com
The Agency Hosting Specialist :: 0800 5429 764
Partner with us and free-up more time for income generating tasks
-
12-23-2006, 01:09 PM #35 CISSP-ISSMP, CISA
- Join Date
- Aug 2002
- Location
- Seattle
- Posts
- 5,525
Originally Posted by extras