DDOS Attacks
#11

[eluser]BrianDHall[/eluser]
Hm, I believe a modern Cisco firewall and possibly IDS (Intrusion Detection System) are capable of handling these problems when correctly configured. Using all available processes on a server sounds like it should be a lot of connections, so if done from a certain IP or range of IPs they should be able to figure out "Hey, there is no reason for anyone to create so many connections to the same resource...*kill*".

However, if they are using a set of zombie hosts from all sorts of IPs and each is creating a valid request then no, neither a router nor an IDS would likely see it and the attack would succeed - unless either has a rule about connections lasting longer than a set amount of time.

I believe this is a theoretical weakness in PHP itself in how it handles uploads, so I am not aware of anything that can be done from either a script or hardware perspective. I think a PHP script doesn't get invoked until after the upload is already done and held temporarily on the server, so the weakness is already exploited before the script ever gets wind of it.

I would think something in PHP or some intermediate layer would need to be programmed specifically to look for these hanging, or very slow, socket connections and kill them - in effect there should be a max 'wait' time for connection and a minimum upload speed.

EDIT: Actually, I think the firewall or IDS should be able to figure out minimum connection speed or oddly long waiting for connection requests and terminate such connections, thereby freeing the server processes.

For all I know they already do, but we'd need a Cisco nerd to say for sure. That's way out of my depth.
#12

[eluser]TheMHouse.In[/eluser]
Hi,
I have witnessed several such attacks. The fastest and easiest way is when you have good equipment such as Cisco. The quickest way to stop such attacks is a kind of traffic limiting for certain areas. As you know, every country has an area and can be restricted directly, which drastically reduces the damage. When you notice that everything is okay, you can remove the restriction. :coolhmm:

The other way is to use iptables to stop DDoS attacks. iptables itself blocks the IP address, but first you need to know whether you are being attacked.
With this command we can see all IP addresses and their number of connections:
netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

We can also make some changes in the /etc/httpd/conf/httpd.conf file for the timeout, keepalive and server spawn settings.
This command will show all connections to port 80:
netstat -n | grep :80 | wc -l
Install bwm-ng (http://www.gropp.org/?id=projects&sub=bwm-ng), "... a small and simple console-based live bandwidth monitor for Linux, BSD, Solaris, Mac OS X, Windows and others."
I hope I helped and I apologize for bad English.
Best regards
m.Aleksandrov :coolsmirk:
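An added example (not from the original post or any project) that does the same per-address counting as the netstat pipeline above, on constructed netstat output, and flags addresses over a threshold; it strips the port with a regex so IPv6 addresses survive, which `cut -d: -f1` does not handle. The sample netstat lines, the port 80 filter and the threshold of 3 are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): count ESTABLISHED connections
# to the web port per remote address, from 'netstat -ant' style output, and
# flag addresses above a threshold. The sample output below is constructed.

# Constructed 'netstat -ant' output: one remote host holding many connections.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             198.51.100.7:51234      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51235      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51236      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51237      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.9:40001       ESTABLISHED
tcp        0      0 10.0.0.5:22             203.0.113.9:40002       ESTABLISHED
tcp        0      0 10.0.0.5:80             192.0.2.3:55000         TIME_WAIT
tcp6       0      0 2001:db8::5:80          2001:db8:1::9:61000     ESTABLISHED
tcp6       0      0 2001:db8::5:80          2001:db8:1::9:61001     ESTABLISHED'

# count_per_ip PORT < netstat-output
# Prints "count address" for remote addresses holding ESTABLISHED connections
# to the given local port, fewest first. The port is removed by stripping the
# final ':digits', which also works for IPv6 addresses (where 'cut -d: -f1'
# would return only the first hextet).
count_per_ip() {
    port="$1"
    awk -v port="$port" '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" && $4 ~ (":" port "$") {
            addr = $5; sub(/:[0-9]+$/, "", addr); n[addr]++
        }
        END { for (a in n) print n[a], a }' | sort -n
}

# flag_over PORT THRESHOLD < netstat-output
# Prints only the addresses whose connection count exceeds THRESHOLD; these
# are the candidates to inspect and, if confirmed, to rate-limit or block.
flag_over() {
    count_per_ip "$1" | awk -v t="$2" '$1 > t { print $2 }'
}

# Stand-alone run on the constructed sample:
printf '%s\n' "$SAMPLE_NETSTAT" | count_per_ip 80
printf '%s\n' "$SAMPLE_NETSTAT" | flag_over 80 3
```

On a live host, replace the `printf` of the sample with `netstat -ant` (or `ss -tan` on newer systems, whose columns differ).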




Theme © iAndrew 2016 - Forum software by © MyBB