>> In the case you just mentioned... it is going to take
>> a special 'filter' to 'sense' that a possible DOS
>> attack is in progress. Just fair amounts of 'dataless'
>> connection requests from one or a small number of origins
>> doesn't qualify. There are plenty of official
>> algorithms around now to 'sense' most of these
>> brute force attacks and ( only then ) pop you an
>> 'alert' or something.
>>
>> Just relying on a gazillion entries in a log file isn't
>> the right way to 'officially' distinguish a DOS attack
>> from just ( as Roy says ) 'life on the Internet'.
>
> Sure, you may need to have some logic to determine what makes
> an attack and what not, but you must have the log entry to
> begin with so you feed it to the algorithm.
Respectfully disagree.
There is no 'may' about it.
You MUST have SOMETHING that knows the difference
or you don't have DOS protection.
Also... if you wait all the way until you have a 'log' entry for
a DOS in progress then you haven't achieved the goal
of sensing them 'at the front door'.
What I was suggesting is some kind of 'connection' based
filter that has all the well-known DOS attack scheme
algorithms in place and can 'sense' when they are happening
before the Server gets overloaded.
Once the DOS protection kicks in... you don't get any
'log' entries at all... the goal is to prevent the connections
from ever turning into 'requests' that the Server has to
waste time processing.
It's your only chance to survive a real DOS attack.
Yours...
Kevin Kiley
In a message dated 10/26/2004 8:50:11 AM Central Daylight Time, [EMAIL PROTECTED] writes:
> In the case you just mentioned... it is going to take
> a special 'filter' to 'sense' that a possible DOS
> attack is in progress. Just fair amounts of 'dataless'
> connection requests from one or a small number of origins
> doesn't qualify. There are plenty of official
> algorithms around now to 'sense' most of these
> brute force attacks and ( only then ) pop you an
> 'alert' or something.
>
> Just relying on a gazillion entries in a log file isn't
> the right way to 'officially' distinguish a DOS attack
> from just ( as Roy says ) 'life on the Internet'.
Sure, you may need to have some logic to determine what makes
an attack and what not, but you must have the log entry to
begin with so you feed it to the algorithm.
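The disagreement above is about where the decision is taken: on connection events at the front door, or on log entries once a request already exists. The following is an added example, not code from this thread or from any server project, showing the connection-based filter Kevin describes. It assumes (hypothetically) that the server can report two events per connection, an accept with the source address and a close with the number of request bytes received; a close with zero bytes is the 'dataless' connection the thread talks about. Sources that produce too many dataless connections inside a sliding window are dropped at accept time, so their later connections never become requests and never reach the log, while a separate global counter only raises an alert. All traffic in the example is constructed.

```python
"""Added example: a 'front door' filter that decides on connections, not log lines.

Assumed (not from the thread): the server reports accept(ts, src) before any
bytes are read, and closed(ts, src, bytes_in) when the socket ends.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnClosed:
    ts: float        # seconds since epoch
    src: str         # client address
    bytes_in: int    # request bytes received before the socket closed


class FrontDoorFilter:
    def __init__(self, window=10.0, per_source_limit=20, global_limit=200):
        self.window = window
        self.per_source_limit = per_source_limit
        self.global_limit = global_limit
        self._per_source = defaultdict(deque)   # src -> timestamps of dataless closes
        self._all = deque()                     # timestamps of all dataless closes
        self.blocked = set()                    # sources dropped at accept time
        self.alerts = []                        # timestamps of global alerts

    @staticmethod
    def _trim(q, cutoff):
        """Drop timestamps that fell out of the sliding window."""
        while q and q[0] < cutoff:
            q.popleft()

    def accept(self, ts, src):
        """Decision at accept time, before a worker reads a single byte."""
        return "drop" if src in self.blocked else "accept"

    def closed(self, ev):
        """Feed a finished connection to the detector; only dataless ones count."""
        if ev.bytes_in > 0:
            return "ok"
        cutoff = ev.ts - self.window
        q = self._per_source[ev.src]
        self._trim(q, cutoff)
        q.append(ev.ts)
        self._trim(self._all, cutoff)
        self._all.append(ev.ts)
        if len(q) >= self.per_source_limit:
            self.blocked.add(ev.src)
        # One alert per window when the whole server sees too many dataless closes.
        if len(self._all) >= self.global_limit and (
            not self.alerts or ev.ts - self.alerts[-1] >= self.window
        ):
            self.alerts.append(ev.ts)
        return "blocked" if ev.src in self.blocked else "ok"


def replay(filter_, conns):
    """conns: iterable of (ts, src, bytes_in). Returns what the server actually saw."""
    summary = {"accepted": 0, "dropped": 0, "requests": 0}
    for ts, src, bytes_in in sorted(conns):
        if filter_.accept(ts, src) == "drop":
            summary["dropped"] += 1     # never a request, never a log entry
            continue
        summary["accepted"] += 1
        if bytes_in > 0:
            summary["requests"] += 1    # the only connections worth a log line
        filter_.closed(ConnClosed(ts + 0.01, src, bytes_in))
    return summary


def constructed_traffic():
    """Constructed sample: one normal client, one flood source, one modest source."""
    normal = [(100.0 + i * 0.5, "10.0.0.5", 300) for i in range(5)]
    flood = [(100.0 + i * 0.05, "198.51.100.7", 0) for i in range(60)]
    modest = [(100.0 + i * 0.1, "198.51.100.8", 0) for i in range(15)]
    return normal + flood + modest


if __name__ == "__main__":
    f = FrontDoorFilter(global_limit=30)
    print(replay(f, constructed_traffic()), sorted(f.blocked), f.alerts)
```

With the constructed traffic the flood source is blocked after its twentieth dataless close; its remaining forty connections are dropped at accept and produce no request and no log entry, the modest source stays under the per-source limit, and the global counter raises a single alert because thirty-five dataless closes landed inside one window. The per-source limit is what protects the server; the global alert is the 'pop you an alert' signal from the quoted text, left to a human to act on.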
