Re: [Full-disclosure] how to detect DDoS attack through HTTP response analysis(throuput)

2011-06-29 Thread Ferenc Kovacs
2011/6/29 coderman coder...@gmail.com:
> 2011/6/26 김무성 ki...@infosec.co.kr:
>> ... I'm looking for materials or information, research about how to detect DDoS attack through HTTP response analysis (throughput).
> you're asking the wrong question. instead of asking How can I automagically detect

Re: [Full-disclosure] how to detect DDoS attack through HTTP response analysis(throuput)

2011-06-29 Thread 김무성
: Wednesday, June 29, 2011 12:30 PM To: 김무성 Cc: full-disclosure@lists.grok.org.uk; pen-t...@securityfocus.com Subject: Re: [Full-disclosure] how to detect DDoS attack through HTTP response analysis(throuput) 2011/6/26 김무성 ki...@infosec.co.kr: ... I'm looking for materials or information, research about

Re: [Full-disclosure] how to detect DDoS attack through HTTP response analysis(throuput)

2011-06-29 Thread coderman
2011/6/29 김무성 ki...@infosec.co.kr:
> You don't understand my question. I'm studying and researching about solution of DDoS detection through analysis of HTTP responses...
i implied that this is less useful on actual systems than in theory / lab. if you want to gather useful details you

Re: [Full-disclosure] how to detect DDoS attack through HTTP response analysis(throuput)

2011-06-28 Thread nix
Hi, it's kinda <s>stupid</s> incorrect way of detecting ddos by reading http response. if server says error 408, it could be just a script which takes long to complete. if there is some caching server, e.g. nginx, before actual web server, e.g. apache httpd, then error 502 could be a

Re: [Full-disclosure] how to detect DDoS attack through HTTP response analysis(throuput)

2011-06-28 Thread Emanuel dos Reis Rodrigues
Hello folks, ModSecurity has a better result than mod_qos against the slowloris attack; mod_qos tends to increase the false positives because of NAT and slow users. If you test R-U-D-Y, you will see that ModSecurity protects against it too. See:

Re: [Full-disclosure] how to detect DDoS attack through HTTP response analysis(throuput)

2011-06-28 Thread coderman
2011/6/26 김무성 ki...@infosec.co.kr:
> ... I'm looking for materials or information, research about how to detect DDoS attack through HTTP response analysis (throughput).
you're asking the wrong question. instead of asking How can I automagically detect exploitation of my shitty app via HTTP

[Full-disclosure] how to detect DDoS attack through HTTP response analysis(throuput)

2011-06-26 Thread 김무성
Hello list, I'm looking for materials or information, research about how to detect DDoS attack through HTTP response analysis (throughput). for example, if there are many 408 request timeout responses, we can think this is slowloris or RUDY DDoS attack.

Re: [Full-disclosure] how to detect DDoS attack through HTTP response analysis(throuput)

2011-06-26 Thread Dobbins, Roland
On Jun 27, 2011, at 9:30 AM, 김무성 wrote:
> if there are many 408 request timeout responses, we can think this is slowloris or RUDY DDoS attack.
Many things can cause this - not just DDoS. In fact, I've rarely seen a DDoS resulting in these responses, because in an effective DDoS, one often

Re: [Full-disclosure] how to detect DDoS attack through HTTP response analysis(throuput)

2011-06-26 Thread Kai
Hi, it's kinda <s>stupid</s> incorrect way of detecting ddos by reading http response. if server says error 408, it could be just a script which takes long to complete. if there is some caching server, e.g. nginx, before actual web server, e.g. apache httpd, then error 502 could be a result