Slowloris is a little complicated to mitigate, because it simulates a
real connection. I've used some rules on iptables based on packet
count/seconds; if the access activates the rule it will be blocked for
about 5 seconds....
But first you need to have some idea about the real traffic and users
accessing through a proxy.
Blocking this attack using -j reject isn't a good solution, because you use
some bandwidth generating the bad response; -j drop works fine.

On Tue, 2010-10-26 at 09:09 +0100, Ryan Dewhurst wrote:
> Maybe they are using slowloris?
>
> http://ha.ckers.org/slowloris/
>
> Ryan Dewhurst
>
> My blog: http://www.ethicalhack3r.co.uk
> My project: http://www.dvwa.co.uk
> My Twitter: http://www.twitter.com/ethicalhack3r
>
>
>
> On 26 October 2010 02:51, Adrian J Milanoski <amilanoski (at) gmail (dot) com> wrote:
> > Check out sshblack.
> >
> > I know it's for ssh BUT changing the log file for it to look at and the strings
> > it's looking for makes it a very effective little perl script.
> >
> >
> > Thanks,
> > Adrian
> > _________________
> > Sent from my iPhone
> >
> > On 2010-10-21, at 11:40 AM, Kai Witzke <security (at) gaark (dot) de> wrote:
> >
> >> Hey everybody!
> >>
> >> I have some serious problems with flooding attacks to my apache2. No
> >> problems with logins or syn floods, just a huge amount of simple
> >> requests to my server from the same IP. Anyone got a nice howto on that
> >> or maybe a nice regex prepared for counting such requests and blocking
> >> the greedy ones?
> >>
> >> thanks in advance
> >> Kai
> >>
> >>
> >>
> >>
> >> This list is sponsored by Cenzic
> >> --------------------------------------
> >> Let Us Hack You. Before Hackers Do!
> >> It's Finally Here - The Cenzic Website HealthCheck. FREE.
> >> Request Yours Now!
> >> http://www.cenzic.com/2009HClaunch_Securityfocus
> >> --------------------------------------
> >>
> >
>
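
Added example, not written by any poster in this thread: a Python sketch of the per-IP request counting asked about in the original question, with an allowlist for the shared proxies the reply warns about. The thresholds, the allowlist and the sample log lines are constructed assumptions; it only sees requests Apache has already logged, so it fits the simple request flood rather than connections that never complete a request.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache common/combined log prefix: client IP, identity, user, [timestamp], "request
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def find_greedy_clients(lines, max_requests=20, window_seconds=1, allowlist=()):
    """Return {ip: time the limit was first exceeded} for clients that send
    more than max_requests inside any window_seconds span.
    Assumes lines are in chronological order; allowlist holds known proxies."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue              # skip lines that are not access-log entries
        ip, raw_ts = m.groups()
        if ip in allowlist:
            continue              # many real users can share one proxy address
        try:
            ts = datetime.strptime(raw_ts, TS_FORMAT)
        except ValueError:
            continue              # malformed timestamp
        q = recent[ip]
        q.append(ts)
        # Drop entries that have aged out of the sliding window.
        while q and (ts - q[0]).total_seconds() >= window_seconds:
            q.popleft()
        if len(q) > max_requests and ip not in flagged:
            flagged[ip] = ts
    return flagged


def sample_log():
    """Constructed log lines using documentation IP ranges, not real traffic."""
    fmt = '{ip} - - [26/Oct/2010:09:00:{s:02d} +0100] "GET / HTTP/1.1" 200 512'
    lines = [fmt.format(ip="198.51.100.7", s=1) for _ in range(6)]   # burst
    lines += [fmt.format(ip="192.0.2.10", s=2) for _ in range(8)]    # busy proxy
    lines += [fmt.format(ip="203.0.113.5", s=s) for s in (3, 4, 5)]  # normal user
    lines.append("line that is not an access-log entry")
    return lines


if __name__ == "__main__":
    hits = find_greedy_clients(sample_log(), max_requests=5,
                               allowlist={"192.0.2.10"})
    for ip, when in hits.items():
        print(f"{ip} exceeded the limit at {when.isoformat()}")
```

Measure normal per-client rates first and set max_requests above them; the flagged addresses can then feed a short-lived drop rule of the kind described in the reply.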