08-26-2010, 06:22 AM
(08-25-2010, 11:16 PM)Omniscient Wrote: Slowloris is more complicated than simple get commands. It opens the HTTP connection but doesn't ever close it. What you describe is simple httpd flood which is easily blocked mostly.

Yeah, a few datacenters have Ciscos and other HWFW routers. You have to pay loads, but I did once and it was worth having the access ^^.
SYN floods are normally easy to stop too if you have a capable sys admin. 99% of attacks I have seen had a pattern that was recognizable enough for me to block them at server level.
UDP/Ping are funny since these are services you can normally just turn off or reroute. You can just do DNS mirrors or round-robin DNS to avoid large botnet attacks. DNS service can easily be moved to a host offering good DDOS protection at a fairly reasonable price too.
Ping flood is just a complete waste of everyone's time.
Everything can be stopped at router level but the risk of false positives grows. Best to use all 3 protection layers appropriately.
My site mainly gets hit by GET floods on heavier pages (the occasional Slowloris). HTTP flood I just block with a PHP script that adds "spamming" IPs to the htaccess block list. Slowloris I haven't figured out yet; since instead of spamming it holds connections, I can't find a rule to detect it. Surprised Apache hasn't done something about it yet.
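As an added example (not the poster's PHP script, and not code from anyone in this thread), here is the "count GETs per IP, write the offenders to an htaccess block list" idea in Python, run over constructed Apache combined-format log lines. The IPs, paths, threshold (10 GETs in 10 seconds) and the Apache 2.2 `Deny from` syntax are assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log format, e.g.
# 203.0.113.5 - - [26/Aug/2010:06:22:03 +0000] "GET /heavy.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, method, path), or None for lines that don't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path")


def find_flooders(lines, max_requests=10, window_seconds=10, allowlist=()):
    """Sliding-window counter: flag an IP once it exceeds max_requests GETs
    inside any window_seconds span. Lines must be chronological per IP,
    which an Apache access log is. allowlist holds IPs that are never flagged
    (your own monitoring hosts, for example) to limit false positives."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent GETs
    flagged = {}                  # ip -> timestamp at which it crossed the threshold
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue              # malformed line, skip rather than crash
        ip, ts, method, _path = rec
        if method != "GET" or ip in allowlist or ip in flagged:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop timestamps that fell out of the window
        if len(q) > max_requests:
            flagged[ip] = ts
    return flagged


def htaccess_deny_block(ips):
    """Apache 2.2 mod_authz_host syntax (assumed for the era of the thread);
    with Order Allow,Deny a matching Deny line wins over Allow from all."""
    lines = ["Order Allow,Deny", "Allow from all"]
    lines += [f"Deny from {ip}" for ip in sorted(ips)]
    return "\n".join(lines)


# --- constructed sample traffic, not real logs ---
def _line(ip, second, method="GET", path="/index.php"):
    return (f'{ip} - - [26/Aug/2010:06:22:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" 200 5120 "-" "Mozilla/5.0"')


SAMPLE_LOG = (
    [_line("198.51.100.7", s) for s in (0, 4, 9)]                                # normal visitor
    + [_line("203.0.113.5", s // 3, path="/heavy-page.php") for s in range(36)]  # ~3 GET/s flood
    + [_line("192.0.2.9", 5, method="POST", path="/login.php")] * 20             # POSTs not counted here
    + ["garbage line that does not parse"]
)

if __name__ == "__main__":
    hits = find_flooders(SAMPLE_LOG)
    for ip, when in hits.items():
        print(f"{ip} crossed the threshold at {when:%H:%M:%S}")
    print(htaccess_deny_block(hits))
```

This covers only the GET-flood half of the post. Slowloris does not show up as a request rate at all: the client sends partial headers and keeps the socket open, so by the time a line reaches the access log the damage (a held worker) is already done. That is why the fix lives in the server rather than in a log rule: Apache's mod_reqtimeout, shipped with 2.2.15, bounds the time a client may take to finish sending the request headers and body via the RequestReadTimeout directive, which releases the worker instead of letting it wait indefinitely.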