On Wed, Nov 21, 2007 at 02:53:11PM -0500, Joshua Slive wrote:
> DDoS is a read herring as far as I'm concerned.
>
> If you have an attacker with a significant DDoS network there is
> NOTHING you can do to stop them. They can simply send junk down the
> line to tie up your network connection. No tool can prevent that.
Now this sounds a bit too fatalistic in my ears.
It's not that you are completely wrong. But there ARE things that you
can do and it does not help it, if you give up immediately. And it is
not what I would like to tell my boss, when things get stiff.
Application level DoS/DDoS is nasty and I think there is little knowledge
to be found. Or if there is know-how, then it is well hidden or I am
stupid. I have cited Mirkovic/Dietrich et. al, Internet DoS before. It's
a 2005 book of about 350 pages and within this book half a page deals
with application level attacks. Most of the rest is about network level
attacks. I might be exaggerating here, but I think my point is basically
valid: There is not enough knowledge on application level DoS/DDoS and
the best defense strategies.
Defending boils down to analysis and locking the attackers out. So you
need to know _that_ you are attacked and _who_ is attacking you. Then
you need to _lock the attackers out_.
Let's start with the simple part: As with many attacks, locking the
attackers out should be done as far from your server as possible. On a
proxy, an IDS/IPS, a firewall, a router or - if you are really important -
on the ISP level, the carrier or where the traffic hits your continent.
Think of blacklists, blackbox routing, tarpit routing, etc. And set up a
desaster plan, where you whitelist your most important clients and lock
out every body else. GeoIP!
This is a lot of work and it might cost a lot of money. The more
determined the attacker, the bigger his means, the more difficult
locking him out will be.
Back to the difficult part: How to know that you are attacked? If you
are flooded with requests, then it's a matter of monitoring your logfiles
and alarming accordingly. But if you are facing the attack pattern,
that stood at the beginning of this thread, then the regular logfiles
will leave you in the dark. You can tell from looking at netstat, but
that is not very elegant. I wish apache would tell me. I wish I could
push a button and apache would tell me when he accepts a connection
and when a change in the lifecycle of a request occurs. Calculate the
difference of accepted connections and finished connections (access
log) over a given period and you know you are being attacked. (mod_forensic
is close to this, but not quite.)
So now you have made up your mind: you are being attacked. But how to
tell friend from foe? Again, you lack the reconnaissance with Apache.
You are blind as to which clients are fast and which ones seem to slow down
the requests. You do not see if an ssl handshake takes longer than it
usually does. There is no way to tell if an attacker slows down a file
upload with trickling TCP packets coming in at the rate of your
timeout, etc.
To tell friend from foe in such a situation takes an awful lot of
information and apache does not give a sysadmin this information. Maybe
the attacker will be stronger in the end. But I would like to sell my
skin at the best price possible. It's better to try and keep up and
running than it is to give up immediately. And assuming that there is
a trend towards application level DoS, then it would be an advantage for
apache if it would help the defender more than competing products. In
my eyes, apache is the most flexible webserver around. Successful defense
has a lot to do with flexibility and reconnaissance. Even for apache,
there is room for improvement in this regard.
No I do not want to sound like I am complaining about apache. The code
is there, it's open and I can go and write the patch/module it takes. But
I know I am a weak coder and there is no lack of projects I am running
in parallel. So I am trying to raise the awareness.
I would be happy to contribute thoughts (there are some more) and
a casual line of code here and there. I would love to enter a long
discussion and many hours in a lab to find out more about the defense
strategies. There are things you can do. Most won't help, but some will
give you an advantage over immediate death.
---------------------------------
For ideas on reducing your carbon footprint visit Yahoo! For Good this month.
