On Fri, 10 Jun 2016 22:22:31 -0700, subashini hariharan said:
> The aim is to detect DoS/DDoS attacks using the application. I am going to
> use ELK (ElasticSearch, Logstash, Kibana) for processing the logs (Log
> Analytics).
Bad approach. At that point, not only is the application being DDoS'ed, but now your logging system may be overwhelmed as well. And a favorite attack method is to throw a DDoS at one application (your http server, for instance), and while you're drowning in logfiles, slip in an exploit for something else (you *did* patch that tftpd server, right?)

Also, the vast majority of DDoS attempts are just fill-the-pipe attacks, which often don't even bother attacking an application, just an IP address. This leverages the fact that there's a lot of routers that can switch average-sized packets at line speed, but not minimum-sized packets. So the link falls over faster if it's getting pounded with ICMP Echo Request packets or TCP SYN packets than if it's getting 800-byte http requests.
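The packets-per-second arithmetic behind the last point, as an added worked example that is not part of the original mail. It assumes standard Ethernet framing (8-byte preamble/SFD, 12-byte inter-frame gap, 14-byte header, 4-byte FCS, 64-byte minimum frame), a 1 Gbit/s link, and a hypothetical router that can forward 500 kpps; the packet sizes (a 40-byte TCP SYN, a 28-byte ICMP Echo Request, an HTTP request with 800 bytes of payload) are constructed for the comparison.

```python
# Added example: why minimum-sized packets exhaust a pps-limited router
# long before they fill the link, while larger packets do not.
# All framing constants are standard Ethernet; the link rate and the
# router's forwarding budget are assumptions for the illustration.

PREAMBLE_SFD = 8   # bytes on the wire before each frame
IFG = 12           # inter-frame gap, in byte-times
ETH_HEADER = 14    # dst MAC + src MAC + EtherType
FCS = 4            # frame check sequence
MIN_FRAME = 64     # minimum Ethernet frame, FCS included (padded if shorter)

LINK_BPS = 1_000_000_000   # assumed 1 Gbit/s link
ROUTER_PPS = 500_000       # hypothetical router forwarding capacity


def wire_bytes(ip_packet_bytes):
    """Bytes of link time one IP packet consumes, including padding,
    preamble and inter-frame gap."""
    frame = max(ip_packet_bytes + ETH_HEADER + FCS, MIN_FRAME)
    return frame + PREAMBLE_SFD + IFG


def line_rate_pps(link_bps, ip_packet_bytes):
    """Packets per second a link carries when saturated with packets
    of the given IP size."""
    return link_bps / (wire_bytes(ip_packet_bytes) * 8)


def bps_to_exhaust_router(router_pps, ip_packet_bytes):
    """Attack bandwidth (bit/s) needed to hit the router's pps budget
    with packets of the given size."""
    return router_pps * wire_bytes(ip_packet_bytes) * 8


def saturation_fraction(link_bps, ip_packet_bytes, router_pps):
    """Fraction of link bandwidth at which the router's pps budget is
    exhausted; 1.0 means the link fills before the router does."""
    return min(1.0, router_pps / line_rate_pps(link_bps, ip_packet_bytes))


# Constructed packet sizes (IP header included):
#   TCP SYN: 20 IP + 20 TCP, no options          -> 40 bytes
#   ICMP Echo Request, empty payload: 20 + 8      -> 28 bytes
#   HTTP request, 800-byte payload: 20 + 20 + 800 -> 840 bytes
SAMPLE_PACKETS = {"tcp_syn": 40, "icmp_echo": 28, "http_800": 840}


def compare(link_bps=LINK_BPS, router_pps=ROUTER_PPS, packets=SAMPLE_PACKETS):
    """Return, per packet kind, the pps at line rate, the attack bandwidth
    that exhausts the router, and the link fraction at which that happens."""
    return {
        name: {
            "line_rate_pps": line_rate_pps(link_bps, size),
            "exhaust_bps": bps_to_exhaust_router(router_pps, size),
            "link_fraction": saturation_fraction(link_bps, size, router_pps),
        }
        for name, size in packets.items()
    }


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:10s} {row['line_rate_pps']:12,.0f} pps at line rate, "
              f"router exhausted at {row['exhaust_bps'] / 1e6:8.1f} Mbit/s "
              f"({row['link_fraction']:.0%} of link)")
```

With these assumptions a SYN or ICMP flood exhausts the 500 kpps router at about 336 Mbit/s, a third of the link, whereas 800-byte HTTP requests would need roughly 3.5 Gbit/s, so the link fills first and the router is never the bottleneck.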