I assume you are doing this as well, but you need to drop "bad" connections
as quickly as possible. Any aberrant behavior should be logged and stopped
fast. In your case, you could detect a protocol error due to the bad data
and drop them. Then keep a running tab of their IP in memory, the number of
protocol errors they have caused and when they caused them. Then with a bit
of a sliding-window-style algorithm you can determine if they are causing
too many errors too frequently and add them to the blacklist filter
automatically. Once the window has slid past their errors, you can even
remove them from the blacklist filter automatically. If done properly, you
can stop hackers in their tracks without lifting a finger. This model is
used in some "healing" firewalls IIRC.
Once you start blocking these attacks, your hackers will get smarter
(maybe). Another DoS attack to watch for then is where they use your
protocol correctly but fire off too many connections. The
ConnectionThrottleFilter is good for this. You can also get burned when they
use your protocol correctly but send messages that are too big. For
instance, if you have a "payload" area in your protocol, make certain they
can't just keep sending data in that payload. You need to have a cap
somewhere. I worked on a project years ago where this occurred: a bug in the
system allowed an unlimited-size payload but still tried to manage it in
memory. Large payloads would OOM the server every time. Nasty bug that can
be very hard to track down if a hacker is doing it. Every time you reboot,
they can simply OOM you again.
Good luck!
Mike
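
The sliding-window error tracking described in the reply above, as an added example that is not code from this thread or from MINA. The class name, the threshold of 3 errors per 10 seconds and the sample address are assumptions; calling it from the server's error and accept paths is left to the caller.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.Map;

// Hypothetical helper, independent of MINA: per-IP sliding window of protocol errors.
public class ProtocolErrorWindow {
    private final int maxErrors;      // errors tolerated within one window
    private final long windowMillis;  // length of the sliding window
    private final Map<String, Deque<Long>> errors = new HashMap<>();

    public ProtocolErrorWindow(int maxErrors, long windowMillis) {
        this.maxErrors = maxErrors;
        this.windowMillis = windowMillis;
    }

    // Call after dropping a connection for a protocol error; true means "now blacklisted".
    public synchronized boolean recordError(String ip, long now) {
        Deque<Long> d = errors.computeIfAbsent(ip, k -> new ArrayDeque<>());
        prune(d, now);
        d.addLast(now);
        if (d.size() > maxErrors + 1) d.removeFirst(); // bound memory kept per IP
        return d.size() > maxErrors;
    }

    // Call when a connection is accepted; the block lifts once old errors leave the window.
    public synchronized boolean isBlocked(String ip, long now) {
        Deque<Long> d = errors.get(ip);
        if (d == null) return false;
        prune(d, now);
        if (d.isEmpty()) errors.remove(ip); // forget clients with no recent errors
        return d.size() > maxErrors;
    }

    // Drop timestamps that have slid out of the window.
    private void prune(Deque<Long> d, long now) {
        while (!d.isEmpty() && now - d.peekFirst() >= windowMillis) d.removeFirst();
    }

    public static void main(String[] args) {
        ProtocolErrorWindow w = new ProtocolErrorWindow(3, 10_000);
        String ip = "192.0.2.10"; // constructed sample address (documentation range)
        for (long t = 0; t <= 3_000; t += 1_000) {
            System.out.println("t=" + t + " blocked=" + w.recordError(ip, t));
        }
        System.out.println("t=9000 blocked=" + w.isBlocked(ip, 9_000));
        System.out.println("t=10000 blocked=" + w.isBlocked(ip, 10_000));
    }
}
```

Timestamps are passed in rather than read from the clock so the window behaviour can be replayed deterministically.
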
----- Original Message -----
From: "Mark" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Monday, October 22, 2007 9:11 AM
Subject: Re: DoS attack to a MINA server
There are a couple of filters that will help out with this. Not sure
what version you are using, but the trunk has a BlacklistFilter and a
ConnectionThrottleFilter.
Sounds like ConnectionThrottleFilter would work best for you.
If you are using a version < 2.0, then you could 'port' the
ConnectionThrottleFilter for you.
On 10/22/07, stork <[EMAIL PROTECTED]> wrote:
Hi, I'm running a game server using the MINA framework, and unfortunately
it's being subject to a lot of DoS attacks. It's a very simple attack - the
game port is opened, and random data is written, and eventually all the
sockets fill up and the server can receive no more connections.
What can I do about this?
--
View this message in context:
http://www.nabble.com/DoS-attack-to-a-MINA-server-tf4670535s16868.html#a13342276
Sent from the Apache MINA Support Forum mailing list archive at
Nabble.com.
--
--------------------------------
The adjuration to be "normal" seems shockingly repellent to me; I see
neither hope nor comfort in sinking to that low level. I think it is
ignorance that makes people think of abnormality only with horror and
allows them to remain undismayed at the proximity of "normal" to
average and mediocre. For surely anyone who achieves anything is,
essentially, abnormal.
Dr. Karl Menninger