___jay___
New Member
Joined: Feb 09, 2007
Posts: 19
Posted: Mon Apr 09, 2007 11:35 am
All this has been done before consulting this site. The problem is, it's not very effective when running my tests. With all the settings done, DDoS attacks (well, mine anyway) blow right through it and the server lags offline. Don't get me wrong, the attack I'm doing is massive; that's why I want this type of attack resolved.
Flood Blocker Settings: Block, &default page
Write to htaccess: on
Ipblock type: 3 octets
Flood blocker settings are:
PAGE DELAY: 4
FLOOD DELAY: 4
DOS Protection: On
BLOCK PROXIES: Strong Level
I blow right through this and that bothers me. I have seen this stature of attack blocked before, but they're not sharing.
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
Posted: Mon Apr 09, 2007 12:07 pm
I often get heavily DDoS'd and have to take extreme measures to counter the attack(s). In all the searching and reading and studying that I have done over many years, along with talking to many other hosts, as I said above, there is no software, anywhere, that can stop those kinds of attack. You can use mod_throttle, mod_security, APF, CFS, iptables, etc., and you can corral some of these. But those are done at the server/kernel level and not at the site level. And, as I said earlier, I can lock your server in a DoS with one or two lines of code and only a single connection that within seconds kills your web server. My point is not to brag but to try to put this in perspective. NS, Protector, and even the type of products mentioned above won't stop it. In fact, depending on how your server is set up, even on reboot it will go right back into the grave.
Very expensive hardware is available that can mitigate (much better) these heavy attacks but still won't shut them down completely w/o taking the server offline, of course depending on how the attack was written/executed. And to back-trace the culprits requires a coordinated effort of all the router owners along the route.
As Ezekiel stated, sometimes you just have to throw the baby out with the bathwater to achieve what you are after - collateral damage, as they say.
Last edited by Raven on Mon Apr 09, 2007 8:14 pm; edited 1 time in total
___jay___
Posted: Mon Apr 09, 2007 12:14 pm
I was thinking about a different approach. Is there a way to set up Sentinel to ban an IP that (say, for example) clicks a link repeatedly in a short period of time, such as a hammer attack block would do? The Flood protection does not seem to be doing this for me.
___jay___
Posted: Mon Apr 09, 2007 3:52 pm
I have uninstalled Protector, set Flood protection to write to .htaccess, and set octet to 1, and this seems to be doing what I wanted. Raven was right. I needed more focus on setting NS up correctly. Thank you, sir.
BobMarion
Former Admin in Good Standing
Joined: Oct 30, 2002
Posts: 1037
Location: RedNeck Land (known as Kentucky)
Posted: Mon Apr 09, 2007 3:59 pm
I have been working on a different "Flood" blocker for NS. It is rather harsh, as some would say. The problem with past flood routines, including the present one, is that we have to mellow them out for the masses that normally don't get DoS'ed or hammered. The one I've been working on has no mercy, which I personally prefer.
It's nowhere near ready for any testing just yet, as I only have it on a local server and it even blocks itself at times still. Like I said, no mercy.
On to Jay's question: yes, we could set it up like that, but there is a major drawback to it. It would slow your site down to a crawl from all the routine calls it would take.
_________________ Bob Marion
Codito Ergo Sum
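The per-IP "hammer" block Jay asks about and Bob's cost concern, written out as an added example (not NukeSentinel's, Protector's or Bob's code): hits are counted in memory per IP prefix over a sliding window, so each request costs one deque update rather than a database call, and an offender is emitted as an Apache `Deny from` line the way the "write to .htaccess" option does. The `FloodBlocker` class, its method names, the sample thresholds and the sample addresses are all assumptions; the octet setting shows the collateral-damage trade-off Raven describes, since a 1-octet ban takes a whole /8 with it.

```python
# Added example, not NukeSentinel's own code: per-IP-prefix flood counter
# with a sliding window that emits Apache .htaccess deny lines.
from collections import defaultdict, deque


def prefix(ip, octets):
    """Keep the first `octets` octets of an IPv4 address (the 'IP block
    type: N octets' idea): prefix('10.1.2.3', 3) -> '10.1.2'."""
    parts = ip.split(".")
    if len(parts) != 4 or not 1 <= octets <= 4:
        raise ValueError("expected dotted-quad IPv4 address and 1-4 octets")
    return ".".join(parts[:octets])


class FloodBlocker:
    """Hypothetical blocker: more than max_hits requests from one prefix
    within window_secs seconds bans that prefix for the rest of the run."""

    def __init__(self, max_hits, window_secs, octets):
        self.max_hits, self.window, self.octets = max_hits, window_secs, octets
        self.hits = defaultdict(deque)  # prefix -> timestamps of recent hits
        self.banned = set()

    def request(self, ip, now):
        """Record one request at time `now`; True if served, False if blocked."""
        key = prefix(ip, self.octets)
        if key in self.banned:
            return False
        q = self.hits[key]
        q.append(now)
        while q and now - q[0] > self.window:  # drop hits outside the window
            q.popleft()
        if len(q) > self.max_hits:
            self.banned.add(key)
            return False
        return True

    def htaccess_lines(self):
        """Apache 2.2 / mod_access_compat syntax: a partial address such as
        '10.1.2' matches every host in that /24, and '10' the whole /8."""
        return ["Deny from %s" % key for key in sorted(self.banned)]


if __name__ == "__main__":
    # Constructed traffic: one client hits the same page five times in 3.5 s.
    fb = FloodBlocker(max_hits=4, window_secs=4, octets=3)
    for t in (0, 1, 2, 3, 3.5):
        print("10.1.2.3 at t=%.1f served=%s" % (t, fb.request("10.1.2.3", t)))
    print("neighbour 10.1.2.99 served=%s" % fb.request("10.1.2.99", 4))
    print("\n".join(fb.htaccess_lines()))
```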
___jay___
Posted: Mon Apr 09, 2007 4:02 pm
When it's ready, keep me in mind for testing, and thanks.
gregexp
The Mouse Is Extension Of Arm
Joined: Feb 21, 2006
Posts: 1497
Location: In front of a screen....HELP! lol
Posted: Wed Apr 11, 2007 4:50 pm
Just to add to this topic, Raven is the one person whose advice I would take to heart without question.
Here's some commonly known things about DoSing and DDoSing:
Problem: all servers or legitimate networking systems must report back on error.
So that means that a server must report back an error even if banned; that takes some usage, not much, but some.
All attacks are designed to skyrocket CPU usage and therefore force an error or shut down public access.
I have created a DoS block that works quite effectively to stop DoSing of the server for a legitimate browser that accepts cookies (using SQL takes WAY more resources). So there's the problem: illegitimate or program-based browsers have no need for cookies, nor do they take them, but to ban just because they don't take cookies is insane. A lot of users don't take cookies, and even if I ban them all, I still will have a SERVER that delivers the error on cue.
Solution: Use Sentinel. Make sure you have a GOOD host; so many out there think that uptime is a matter of security, and this is simply not true.
Read this for some major insight:
http://www.sans.org/dosstep/roadmap.php
I hope this shows you how global the problem really is, and that means the solution must be global, and people like Bob and Raven and others who work to help prevent these attacks need the support of the users and internet community as a whole.
_________________ For those who stand shall NEVER fall and those who fall shall RISE once more!!
Raven
Posted: Wed Apr 11, 2007 5:33 pm
Thanks darklord for the excellent link. What I find really significant and disheartening at the same time is that the article started in 2000. Seven years ago, and we still battle this regardless of advancements in technology and knowledge.