Hello Willi,
I am using 1.4.1.
Set up new rule with tarpit....
Rate decreased below 40/secs.
regards
Bernhard
----- Message from [email protected] ---------
Date: Tue, 16 Mar 2010 10:44:24 +0100
From: Willy Tarreau <[email protected]>
Reply-To: Willy Tarreau <[email protected]>
Subject: Re: Dos-Attack / Drop Connections
To: Bernhard Krieger <[email protected]>
Cc: [email protected]
On Tue, Mar 16, 2010 at 10:32:40AM +0100, Bernhard Krieger wrote:
> Hello Willi,
> thanks for reply.
> If I change the rule to block the requests, the Session rate grows up
> to 1000/secs.
> If I use the redirection option ( to http://127.0.0.1 ), it decreases
> to 500/secs.

It means that the attacker immediately retries. Then use a tarpit, it
will slow it down a lot. On what version are you running? With 1.4
you can condition the tarpit with an ACL:

    timeout tarpit 1m
    reqtarpit . if ! { hdr_reg(user-agent) . }

On 1.3 it will be a bit more complicated, you'll have to branch to a
specific backend for the tarpit:

    frontend ...
        acl ua-ok hdr_reg(user-agent) .
        use_backend bk_tarpit if !ua-ok

    backend bk_tarpit
        timeout tarpit 1m
        reqtarpit .

> The DOS-Attack itself is very strange, it attacks my old clanpage
> which has not more than 10 requests per month ... a very high visited
> page ;)
> The attack produces only traffic... he will never reach the final goal :)

Well, never underestimate a DoS attack. There is often a first phase of
identification of the target. You should also avoid publicly discussing
the reasons why you think it will not succeed and the workarounds you
are setting up! If the guy really wants to take you down, he just has
to read the list's archives to update his attack vector.

Regards,
Willy
----- End of message from [email protected] -----
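
An added example, not part of either message and not HAProxy's own tooling: a Python check over HAProxy HTTP logs (`option httplog`) that reports the peak per-second accept rate and counts requests by termination state, where `PR` marks requests denied by the proxy and `PT` marks tarpitted ones. The log lines, addresses and proxy names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines (HAProxy HTTP log format); all values are made up.
# A tarpitted request is logged when the tarpit timeout ends, so its syslog
# time is about a minute later than the accept date in brackets.
SAMPLE = """\
Mar 16 10:50:01 lb haproxy[911]: 192.0.2.10:4001 [16/Mar/2010:10:50:01.101] www www/<NOSRV> 0/-1/-1/-1/0 403 212 - - PR-- 3/3/0/0/0 0/0 "GET / HTTP/1.1"
Mar 16 10:50:01 lb haproxy[911]: 192.0.2.10:4002 [16/Mar/2010:10:50:01.340] www www/<NOSRV> 0/-1/-1/-1/0 403 212 - - PR-- 3/3/0/0/0 0/0 "GET / HTTP/1.1"
Mar 16 10:50:01 lb haproxy[911]: 192.0.2.11:4003 [16/Mar/2010:10:50:01.720] www www/<NOSRV> 0/-1/-1/-1/0 403 212 - - PR-- 3/3/0/0/0 0/0 "GET / HTTP/1.1"
Mar 16 10:58:01 lb haproxy[911]: 198.51.100.7:5123 [16/Mar/2010:10:58:01.400] www www/srv1 2/0/1/12/15 200 1840 - - ---- 2/2/1/1/0 0/0 "GET / HTTP/1.1"
Mar 16 10:59:00 lb haproxy[911]: 192.0.2.10:4100 [16/Mar/2010:10:58:00.200] www www/<NOSRV> 0/-1/-1/-1/60000 500 212 - - PT-- 2/2/0/0/0 0/0 "GET / HTTP/1.1"
Mar 16 10:59:01 lb haproxy[911]: 192.0.2.11:4101 [16/Mar/2010:10:58:01.650] www www/<NOSRV> 0/-1/-1/-1/60001 500 212 - - PT-- 2/2/0/0/0 0/0 "GET / HTTP/1.1"
"""

LINE = re.compile(
    r'\[(?P<day>[^:\]]+):(?P<hms>\d\d:\d\d:\d\d)\.\d+\] '  # accept date
    r'\S+ \S+ '                                             # frontend, backend/server
    r'(?P<timers>[-\d/+]+) (?P<status>\d{3}|-1) \S+ '       # Tq/Tw/Tc/Tr/Tt, status, bytes
    r'\S+ \S+ (?P<term>\S{4}) '                             # cookies, termination state
)

def summarize(lines):
    """Return (peak accepts in one second, Counter of termination states,
    list of total times in ms for tarpitted requests)."""
    per_second, states, held_ms = Counter(), Counter(), []
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # not an HTTP log line
        per_second[(m['day'], m['hms'])] += 1   # bucket by accept second
        states[m['term']] += 1
        if m['term'].startswith('PT'):
            # Tt is the last timer; it may carry a '+' with option logasap
            held_ms.append(int(m['timers'].split('/')[-1].lstrip('+')))
    return max(per_second.values(), default=0), states, held_ms

if __name__ == "__main__":
    peak, states, held = summarize(SAMPLE.splitlines())
    print("peak accepts/sec:", peak)
    print("termination states:", dict(states))
    print("tarpit hold times (ms):", held)
```

Hold times close to the configured `timeout tarpit` together with a falling accept rate show that the rule is matching and that the client is being kept waiting instead of retrying at once.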