[EMAIL PROTECTED] wrote:

> You MUST have SOMETHING that knows the difference
> or you don't have DOS protection.
>
> Also... if you wait all the way until you have a 'log' entry for
> a DOS in progress then you haven't achieved the goal
> of sensing them 'at the front door'.

I don't set myself that goal. I agree that it's the best place to detect a DoS but it's often not possible for various reasons. With that option not available I prefer to be able to detect DoS attacks anywhere I can.

> What I was suggesting is some kind of 'connection' based
> filter that has all the well-known DOS attack scheme
> algorithms in place and can 'sense' when they are happening
> before the Server gets overloaded.

That does not need to be in the web server at all. It can work from within the kernel, or be a part of a network gateway.

--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
