Topic: Anti DDOS measures very important line of defense...


polonus
Anti DDOS measures very important line of defense...
« on: May 23, 2013, 02:25:20 PM »
Not easy, but iptables and tarpits can come to the rescue, because worms work in a specific top layer, the software layer, and the weak side of the worm is the OS level; read: http://www.nbs-system.com/blog/ddos_counter_measures.html (link article by Philip)

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

polonus
Re: Anti DDOS measures very important line of defense...
« Reply #1 on: May 23, 2013, 11:45:39 PM »
There is a combination of measures that can be taken. IDS, like these specific Snort IDS rules:
http://code.google.com/p/hackfest/source/browse/snort/rules/ddos.rules?repo=realtime&r=41b25fc2e260379104c3bd16cfd67dfd0d1a8486&spec=svn.realtime.41b25fc2e260379104c3bd16cfd67dfd0d1a8486 (link author = Michael)
Interesting analysis of the tool and the corresponding Snort sigs: http://blog.spiderlabs.com/2011/01/loic-ddos-analysis-and-detection.html
(article submitted by Rodrigo Montoro)

This in combination with the mod_evasive module, for instance: http://www.helicontech.com/articles/prevent-dos-attacks-with-helicon-ape-mod_evasive-module/
There are five directives to be configured to protect against DoS from blacklisted IPs:

   1. DOSPageInterval: Sets the minimum accessible interval between two requests to a page from the same IP.
   2. DOSSiteInterval: Sets the minimum accessible interval between two requests to a site from the same IP.
   3. DOSPageCount: Sets the limit for the number of too-short requests to the same page.
   4. DOSSiteCount: Sets the limit for the number of too-short requests to the same site.
   5. DOSBlockingPeriod: How much time a bad IP should be blocked.

polonus
« Last Edit: May 24, 2013, 12:57:22 AM by polonus »
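
The five directives above describe a per-client counter keyed on (IP, page) and on IP alone, with a hold list for offenders. As an added example (not code from Helicon Ape or the Apache mod_evasive project), here is a small Python model of that logic run over a constructed request log: the client addresses, URIs and timestamps are made up, and the behaviour of renewing the hold on every denied request mirrors what the Apache module does.

```python
"""Model of the mod_evasive-style rate limiting described by the five directives.

Added example, not code from Helicon Ape or Apache mod_evasive.
The request log below is constructed for the demonstration.
"""
from dataclasses import dataclass


@dataclass
class EvasiveConfig:
    page_interval: float = 1.0     # DOSPageInterval: seconds between hits on one page
    site_interval: float = 1.0     # DOSSiteInterval: seconds between hits on any page
    page_count: int = 2            # DOSPageCount: same-page hits tolerated inside the interval
    site_count: int = 50           # DOSSiteCount: site-wide hits tolerated inside the interval
    blocking_period: float = 10.0  # DOSBlockingPeriod: seconds an offending IP is denied


class EvasiveLimiter:
    """Per-client counters keyed the way the module keys them: (ip, uri) and ip."""

    def __init__(self, cfg: EvasiveConfig):
        self.cfg = cfg
        self.page_hits = {}      # (ip, uri) -> [last_ts, count]
        self.site_hits = {}      # ip -> [last_ts, count]
        self.blocked_until = {}  # ip -> timestamp at which the hold expires

    def check(self, ip: str, uri: str, ts: float) -> str:
        """Return 'allow' or 'deny' for one request from ip to uri seen at time ts."""
        until = self.blocked_until.get(ip)
        if until is not None:
            if ts < until:
                # Still on hold. The hold is renewed on each denied request, so a client
                # that keeps hammering stays blocked until it has been quiet for the period.
                self.blocked_until[ip] = ts + self.cfg.blocking_period
                return "deny"
            del self.blocked_until[ip]
        page_over = self._bump(self.page_hits, (ip, uri), ts,
                               self.cfg.page_interval, self.cfg.page_count)
        site_over = self._bump(self.site_hits, ip, ts,
                               self.cfg.site_interval, self.cfg.site_count)
        if page_over or site_over:
            self.blocked_until[ip] = ts + self.cfg.blocking_period
            return "deny"
        return "allow"

    @staticmethod
    def _bump(table, key, ts, interval, limit) -> bool:
        """Record a hit on key; True when `limit` hits were already seen inside the interval.

        The window is measured from the previous hit, not from a fixed clock tick:
        a client that pauses for at least `interval` seconds starts a fresh count.
        """
        entry = table.get(key)
        if entry is None:
            table[key] = [ts, 1]
            return False
        last_ts, count = entry
        if ts - last_ts >= interval:
            count = 0
        table[key] = [ts, count + 1]
        return count >= limit


def run(limiter: EvasiveLimiter, log):
    """Feed (ts, ip, uri) records in time order; return (ip, uri, decision) per record."""
    return [(ip, uri, limiter.check(ip, uri, ts)) for ts, ip, uri in sorted(log)]


# Constructed request log (timestamp, client IP, URI); not captured traffic.
SAMPLE_LOG = [
    (0.0, "10.0.0.1", "/index.html"),
    (0.0, "10.0.0.2", "/index.html"),
    (0.2, "10.0.0.1", "/index.html"),
    (0.4, "10.0.0.1", "/index.html"),   # third hit on one page inside 1 s: denied and put on hold
    (0.5, "10.0.0.2", "/about.html"),
    (0.6, "10.0.0.1", "/about.html"),   # still on hold, any page is denied
    (1.0, "10.0.0.2", "/contact.html"),
    (12.0, "10.0.0.1", "/index.html"),  # hold expired: served again
]
# Site-wide flood: 60 distinct URIs from one client inside one second.
SAMPLE_LOG += [(2.0 + i / 100, "10.0.0.3", f"/page{i}.html") for i in range(60)]


if __name__ == "__main__":
    for ip, uri, decision in run(EvasiveLimiter(EvasiveConfig()), SAMPLE_LOG):
        print(f"{ip:10} {decision:5} {uri}")
```

Two caveats follow from the model. First, the counters are per source address: 10.0.0.1 trips DOSPageCount and 10.0.0.3 trips DOSSiteCount, while 10.0.0.2 browsing three different pages is never touched, but a botnet that spreads its requests over many addresses, each staying under the thresholds, is not caught at all, and many legitimate users behind one NAT or proxy share a single counter and can be blocked together. Second, the check runs inside the web server after the connection has been accepted and the request parsed, so it reduces load on the application but does not free up the bandwidth a flood consumes; that is the reason the thread pairs it with IDS signatures and with OS-level tools such as iptables and tarpits.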

Abraxas
Re: Anti DDOS measures very important line of defense...
« Reply #2 on: May 28, 2013, 03:17:19 AM »
http://www.apache.org/ ;)

A DDoS, or 'Distributed Denial-of-Service' attack, is basically similar to when a site gets flooded by too many users, using the server's bandwidth to the max and causing a freeze.

Often it is carried out by large collections of single-user computers which have been compromised and formed into a 'bot', or 'botnet'.
The simplest evasive tactic I've come across is to have a backup cloned server with a different IP address, which immediately restores the site, leaving experts to backtrack the DDoS attack on the attacked server with time to process the incoming data.

A malware-teaching website, http://www.malwareremoval.com, explained this tactic for avoiding DDoS attacks while getting on with its business.