On Apr 26, 5:03 am, Haron Media <[email protected]> wrote:
> Also, it was not necessarily distributed since the nature of attack
> could allow single machine used to attack. What do your logs say, how
> many IPs were involved?

Directly involved from slowloris, 2241 based on firewall counters.
Total DDOS had 77861 originating IPs. While this isn't the first time
I've seen slowloris from multiple machines, it is the first time I've
seen it from very geographically diverse machines.  While we did have
clumps of machines involved, the breadth of machines involved was
surprising.

Varnish or Squid in front of the origin would have prevented the
attack from getting to the Origin.  My preference would have been
Varnish since I can write VCL to filter out other requests.  A layer 7
load balancer could also be used, but, again required changes to the
backend.  We ended up deploying Nginx in this case.

My intended, but poorly communicated intent, was to explain that
fail2ban is not a panacea to DDOS attacks.  Since Apache doesn't log
the request early enough in the request processing, fail2ban will sit
there 'failing 2 ban' the attackers.  I think fail2ban must have some
affiliate program based on the fact that every time anything regarding
security is mentioned, half a dozen people suggest it.  :)

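An added example, not part of the original message: since the post notes that Apache logs a request too late for a log-based banner to see slowloris connections, this sketch counts open connections per peer from socket state instead. The `ss -tn` sample, the addresses, the threshold and the function names are constructed assumptions.

```python
from collections import Counter

# Constructed sample of `ss -tn` output (documentation address ranges only).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB  0      0      192.0.2.10:80       198.51.100.7:40112
ESTAB  0      0      192.0.2.10:80       198.51.100.7:40113
ESTAB  0      0      192.0.2.10:80       198.51.100.7:40114
ESTAB  0      0      192.0.2.10:80       198.51.100.7:40115
ESTAB  0      0      192.0.2.10:80       203.0.113.20:51844
TIME-WAIT 0   0      192.0.2.10:80       203.0.113.20:51840
ESTAB  0      0      192.0.2.10:22       203.0.113.99:60022
ESTAB  0      0      [2001:db8::10]:80   [2001:db8::bad]:33000
ESTAB  0      0      [2001:db8::10]:80   [2001:db8::bad]:33001
ESTAB  0      0      [2001:db8::10]:80   [2001:db8::bad]:33002
"""

def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (addr, port)."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), int(port)

def open_conns_per_peer(ss_output, ports=(80, 443)):
    """Count established connections to the web ports, keyed by peer address."""
    counts = Counter()
    for line in ss_output.splitlines():
        fields = line.split()
        # Skip the header, short lines and anything not currently established.
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue
        _, local_port = split_endpoint(fields[3])
        peer_addr, _ = split_endpoint(fields[4])
        if local_port in ports:
            counts[peer_addr] += 1
    return counts

def suspects(ss_output, threshold=3, ports=(80, 443)):
    """Peers holding at least `threshold` open connections (assumed cutoff)."""
    counts = open_conns_per_peer(ss_output, ports)
    return sorted(ip for ip, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    print(suspects(SAMPLE_SS))
```

With sources as spread out as the message describes, per-peer counts can stay low, so the total of `open_conns_per_peer` against the server's worker limit is worth watching as well.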