[Wolves] DDoS Protection Software Review

Andy Jewell Andy.Jewell at sysmicro.co.uk
Thu Jan 21 13:01:52 UTC 2010


> I thought the first D in DDOS was for distributed, as in multiple
> machines, making these types of attack seem like high volume hits from
> multiple locations.
> 
> What is needed is something that does not block on the count of connections from
> a source, but that checks the period of intervals that arise between
> connections of that source; that would determine if machine behaviour was
> happening or human. However this assumes that the connections within
> connecting software are not randomly timed.
> 
> --
> Regards,
> Roundyz

Yes, I know the name is slightly misleading. It *will* deal with multiple simultaneous attacks, so the Distributed bit is still true, it just won't protect against *massively* simultaneous attacks, where individual attacking nodes don't make large numbers of connections.

The situation we were defending against was, specifically, when ordinary individuals (maybe script kiddies) over-run the site by generating 140 plus requests per second using Greasemonkey in Firefox, because they think it's a lark to get the hit counter up to one million, which is exactly what prompted the customer's request to "do something about it". DDoS-Deflate will deal with this. The customer has been advised that it won't guard against the above scenario.

Cross-referencing the bans with the Apache logs shows that a fair number of the triggers are the result of scripts spidering the site, probably trying to harvest e-mail addresses or looking for personal details; they are badly written, so they draw attention to themselves by opening up too many simultaneous connections. So these now get blocked after a few seconds, where before they probably contributed to bandwidth costs and CPU usage.

To do what you are suggesting would probably need a log-file follower and analyser to detect "odd" access patterns, but filter out legitimate access methods, like 10 tabs in firefox all refreshing at once... 

Andy D'Arcy Jewell
SysMicro Linux Support

T:  +44 (0) 844 991 8804
M: +44 (0) 7961 605631
F:  +44 (0) 844 357 7020
E:  andy.jewell at sysmicro.co.uk
W: www.sysmicro.co.uk

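One way to build the log-file follower Andy sketches above, as an added example that is not code from this thread or from DDoS-Deflate: it groups Apache access-log entries by client address and separates a one-off burst (ten tabs refreshing together) from a sustained flood and from the metronomic spacing of a badly written spider. The thresholds, addresses and log lines are constructed assumptions, and the timing analysis has to live with the one-second resolution of a standard Apache log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

# Apache "combined" log format; only client address and timestamp matter here.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_log(lines):
    """Group request timestamps by client address."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            hits[m.group(1)].append(datetime.strptime(m.group(2), TS_FMT))
    return hits

def classify(times, rate_limit=20.0, burst_window=2, max_cv=0.25, min_hits=10):
    """Label one source's traffic (thresholds are assumed, tune per site).

    burst:     all hits inside burst_window seconds (tabs refreshing at once).
    flood:     sustained requests/second at or above rate_limit.
    automated: near-constant gaps between requests (low coefficient of
               variation), the signature of a scripted spider.
    ok:        too few hits, or irregular human-looking timing.
    """
    if len(times) < min_hits:
        return "ok"
    times = sorted(times)
    window = (times[-1] - times[0]).total_seconds()
    if window <= burst_window:
        return "burst"
    if len(times) / window >= rate_limit:
        return "flood"
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return "automated" if pstdev(gaps) / mean(gaps) <= max_cv else "ok"

def report(lines):
    return {ip: classify(ts) for ip, ts in parse_log(lines).items()}

# Constructed sample traffic, not real log data.
T0 = datetime(2010, 1, 21, 13, 0, 0, tzinfo=timezone.utc)

def log_line(ip, offset_s):
    ts = (T0 + timedelta(seconds=offset_s)).strftime(TS_FMT)
    return f'{ip} - - [{ts}] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

SAMPLE = (
    [log_line("198.51.100.7", s) for s in (0, 3, 4, 11, 19, 20, 27, 35, 48, 49, 57, 60)]
    + [log_line("198.51.100.8", 0)] * 10                       # ten tabs at once
    + [log_line("203.0.113.5", 2 * i) for i in range(40)]      # spider, one hit per 2 s
    + [log_line("203.0.113.9", i // 140) for i in range(700)]  # 140 req/s for 5 s
)
```

Only the "flood" and "automated" labels would be fed to a firewall rule; "burst" is exactly the legitimate case the post wants left alone.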