>> You MUST have SOMETHING that knows the difference
>> or you don't have DOS protection.
>>
>> Also... if you wait all the way until you have a 'log' entry for
>> a DOS in progress then you haven't achieved the goal
>> of sensing them 'at the front door'.
>
> I don't set myself that goal. I agree that it's the best place
> to detect a DoS but it's often not possible for various reasons.
> With that option not available I prefer to be able to detect
> DoS attacks anywhere I can.

Roger that.

>> What I was suggesting is some kind of 'connection' based
>> filter that has all the well-known DOS attack scheme
>> algorithms in place and can 'sense' when they are happening
>> before the Server gets overloaded.
>
> That does not need to be in the web server at all. It can
> work from within the kernel, or be a part of a network
> gateway.

Double Roger That

Yours...
Kevin Kiley
