> Hi, > > its kinda <s>stupid</s> incorrect way of detecting ddos by reading http > responce. > if server says error 408, it could be just a script which takes long to > complete. if there is some caching server, e.g. nginx, before actual web > server, e.g. apache httpd, then error 502 could be a result of any > apache death, not a ddos attack. > but if you still want to monitor sites in such "unusual" way, and if > you have access to web-servers' serverstatus, you'd could parse them to > find out: amount of simultaneous requests; similar requests by IP; > similar requests by Requested Page; etc. > > > > -- > Cheers, > > Kai >
Definitely. One way could be also using mod_qos, it provides protection against slowtoris attack and you can limit amount of allowed simultaneus connections per IP. Here's an example output from log: Slowtoris: [Tue Jun 28 02:30:07 2011] [error] mod_qos(034): access denied, QS_SrvMinDataRate rule (in): min=154, this connection=0, c=64.132.201.98 Too many conns. per IP [Sun Jun 26 05:13:15 2011] [error] mod_qos(031): access denied, QS_SrvMaxConnPerIP rule: max=15, concurrent connections=21, message repeated 20 times, c=10.100.12.19 Check out http://opensource.adnovum.ch/mod_qos/ > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/