Regarding DOS violations

2000-02-09 Thread Ed Gold

After reading the article,
http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2000/02/09/MN23532.DTL

I am wondering if FreeBSD should take any action to protect our users.
I think it would speak incredibly highly of FreeBSD if Yahoo and other
"customers" were to have some kind of protection from such an attack. My
initial thoughts are:

A web server should know its limitations and not attempt to handle more
requests than it can manage.  It should invoke a service cutoff of any
and all users that cause excessive loading over a measured interval of
time.  Essentially, the machine would have to track all requests, rank
them as to how much effort/resources they require, and then
"integrate" this data over a fixed time period.  If the overall load is
higher than an acceptable threshold, the most offensive clients get
"ignored" for a fixed period of time.  This will, no doubt, ignore a
small number of legitimate users; however, that's far better than not
serving anyone.

Additionally, the server could log this activity which would make it
possible to contact the owners/operators of these most offensive
systems.  With any luck, this could help them realize that their sites
are being hacked into and they could take corrective action to prevent
future attacks.  If we let them know that FreeBSD identified their
problem, it might even be an excellent marketing move for us.  Comments
Anyone?

Regards,
Ed





To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message



Re: Regarding DOS violations

2000-02-09 Thread Eric D. Futch

I could imagine this causing problems with people that are behind a proxy
server or NAT.  Since whatever would be collecting the statistics could
easily write off these systems as being offensive.  I could safely assume
that this would prevent access of sites to a few of our customers who have
a large number of machines behind NAT.  Which of course means they'd call
up complaining because all of the sudden their favorite search engine no
longer works. You could easily set your limits high enough to allow this
kind of traffic, but you would definitely miss a script kiddie or two who
thinks he has enough bandwidth to get the job done.

--
Eric Futch  New York Connect.Net, Ltd.
[EMAIL PROTECTED] Technical Support Staff
http://www.nyct.net (212) 293-2620
"Bringing New York The Internet Access It Deserves"

On Wed, 9 Feb 2000, Ed Gold wrote:

> After reading the article,
> http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2000/02/09/MN23532.DTL
>
> I am wondering if FreeBSD should take any action to protect our users.
> I think it would speak incredibly highly of FreeBSD if Yahoo and other
> "customers" were to have some kind of protection from such an attack. My
> initial thoughts are:
>
> A web server should know its limitations and not attempt to handle more
> requests than it can manage.  It should invoke a service cutoff of any
> and all users that cause excessive loading over a measured interval of
> time.  Essentially, the machine would have to track all requests, rank
> them as to how much effort/resources they require, and then
> "integrate" this data over a fixed time period.  If the overall load is
> higher than an acceptable threshold, the most offensive clients get
> "ignored" for a fixed period of time.  This will, no doubt, ignore a
> small number of legitimate users; however, that's far better than not
> serving anyone.
>
> Additionally, the server could log this activity which would make it
> possible to contact the owners/operators of these most offensive
> systems.  With any luck, this could help them realize that their sites
> are being hacked into and they could take corrective action to prevent
> future attacks.  If we let them know that FreeBSD identified their
> problem, it might even be an excellent marketing move for us.  Comments
> Anyone?
>
> Regards,
> Ed

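Ed's cost-weighted cutoff (track each client's requests, "integrate" their cost over a fixed window, ignore the worst offenders for a while, and log it for follow-up) and Eric's NAT objection, as an added Python example that is not code from any poster or from FreeBSD. The request costs, the 10-second window, the thresholds, the 0.1-second tick and the client names are all constructed for the demo; a real server would derive cost from measured CPU time or bytes served, and `time.monotonic` would replace the fake clock.

```python
"""Cost-weighted, sliding-window client cutoff in the shape Ed sketches.

Added illustration for the thread, not code from any poster or from FreeBSD.
All costs, thresholds, timings and client names below are constructed.
"""
import logging
import time
from collections import defaultdict, deque

log = logging.getLogger("limiter")


class LoadLimiter:
    """Per-client request cost summed over a sliding window.  When the total
    over the window exceeds load_threshold, the most expensive client is
    ignored for ban_seconds and the event is recorded for the operator."""

    def __init__(self, window, load_threshold, ban_seconds, clock=time.monotonic):
        self.window = window
        self.load_threshold = load_threshold
        self.ban_seconds = ban_seconds
        self.clock = clock
        self.events = defaultdict(deque)   # client -> deque of (timestamp, cost)
        self.banned = {}                   # client -> time the ban expires
        self.ban_log = []                  # (time, client, cost): who to contact

    def _expire(self, now):
        """Drop events older than the window and bans that have run out."""
        cutoff = now - self.window
        for client, q in list(self.events.items()):
            while q and q[0][0] < cutoff:
                q.popleft()
            if not q:
                del self.events[client]
        for client, until in list(self.banned.items()):
            if until <= now:
                del self.banned[client]

    def admit(self, client, cost):
        """Return True if the request is served, False if the client is ignored."""
        now = self.clock()
        self._expire(now)
        if client in self.banned:
            return False
        self.events[client].append((now, cost))
        costs = {c: sum(x for _, x in q) for c, q in self.events.items()}
        total = sum(costs.values())
        refused = False
        # Over the threshold: cut off the worst offender, repeat until under it.
        while total > self.load_threshold and costs:
            worst = max(costs, key=costs.get)
            worst_cost = costs.pop(worst)
            self.banned[worst] = now + self.ban_seconds
            del self.events[worst]
            self.ban_log.append((round(now, 1), worst, worst_cost))
            log.warning("t=%.1f load %.0f > %.0f: ignoring %s (cost %.0f) for %.0fs",
                        now, total, self.load_threshold, worst, worst_cost,
                        self.ban_seconds)
            total -= worst_cost
            if worst == client:
                refused = True
        return not refused


class FakeClock:
    """Deterministic clock so the demo runs the same way every time."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


def single_flooder_scenario():
    """One flooding client next to one ordinary client (constructed costs:
    the flooder's requests are five times as expensive).
    Returns (flooder requests served, ordinary requests served)."""
    clock = FakeClock()
    lim = LoadLimiter(window=10.0, load_threshold=100.0, ban_seconds=60.0, clock=clock)
    served = {"flooder": 0, "ordinary": 0}
    for _ in range(40):
        clock.advance(0.1)
        for client, cost in (("flooder", 5.0), ("ordinary", 1.0)):
            if lim.admit(client, cost):
                served[client] += 1
    return served["flooder"], served["ordinary"]


def nat_scenario(load_threshold):
    """Eric's caveat: 30 light users behind one NAT gateway all look like the
    single client "nat-gw", next to one low-rate abusive client "kiddie".
    Returns the clients that were cut off, in the order it happened."""
    clock = FakeClock()
    lim = LoadLimiter(window=10.0, load_threshold=load_threshold,
                      ban_seconds=60.0, clock=clock)
    for _ in range(40):
        clock.advance(0.1)
        for _user in range(30):
            lim.admit("nat-gw", cost=1.0)
        lim.admit("kiddie", cost=5.0)
    return [client for _, client, _ in lim.ban_log]


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING, format="%(message)s")
    print("flooder/ordinary served:", single_flooder_scenario())   # (16, 40)
    print("NAT, threshold 100 :", nat_scenario(100))     # ['nat-gw', 'kiddie']
    print("NAT, threshold 1500:", nat_scenario(1500))    # []
```

With the threshold tuned for single machines, the NAT gateway is the first client cut off, exactly the "written off as offensive" case Eric describes; with it raised far enough that the gateway is never touched, the low-rate abusive client is never touched either. The `ban_log` is the part of Ed's proposal that survives that tradeoff: whichever threshold is chosen, it gives the operator the address, time and measured cost needed to follow up.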



Re: Regarding DOS violations

2000-02-09 Thread Johnathan Meehan

Hi Ed,

Your second point, on the logging, is interesting. It would certainly be
worth collecting a central repository of IP addresses relating to the
machines used to propagate the attacks.

The point to remember is that they are victims too, but obviously despite
the wide publicity about these activities they have not bothered to take any
action to protect themselves therefore hurting everybody else. This problem
is becoming too common to allow chances to organisations that even as of yet
have taken no corrective action. Perhaps what is really needed is the
ability to remove the connection of these servers from the 'net backbone,
refusing to reconnect them until they had corrected the problem. But I don't
see how that is going to happen.

Maybe, rather like ISPs and spammers (or AOL), your logging idea could be
used as a first step - given the provided information in a repository,
individual organisations could take the option to refuse to accept packets
originating from these servers straight away. The owners could /then/ be
contacted and informed, to be removed from the list after correcting the
problem. If this were a feature, the list would grow quickly enough to at
least make the lives of the perpetrators rather more difficult, and the life
of the list administrator rather busy.

Some tools to automate things as much as possible, and you're away, Ed. I
don't see why this couldn't be started by, but by no means limited to,
FreeBSD users. Then again, perhaps this is too political a move to make?

Johnathan Meehan


- Original Message -
From: Ed Gold [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, February 10, 2000 1:43 AM
Subject: Regarding DOS violations


> After reading the article,
> http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2000/02/09/MN23532.DTL
>
> I am wondering if FreeBSD should take any action to protect our users.
> I think it would speak incredibly highly of FreeBSD if Yahoo and other
> "customers" were to have some kind of protection from such an attack. My
> initial thoughts are:
>
> A web server should know its limitations and not attempt to handle more
> requests than it can manage.  It should invoke a service cutoff of any
> and all users that cause excessive loading over a measured interval of
> time.  Essentially, the machine would have to track all requests, rank
> them as to how much effort/resources they require, and then
> "integrate" this data over a fixed time period.  If the overall load is
> higher than an acceptable threshold, the most offensive clients get
> "ignored" for a fixed period of time.  This will, no doubt, ignore a
> small number of legitimate users; however, that's far better than not
> serving anyone.
>
> Additionally, the server could log this activity which would make it
> possible to contact the owners/operators of these most offensive
> systems.  With any luck, this could help them realize that their sites
> are being hacked into and they could take corrective action to prevent
> future attacks.  If we let them know that FreeBSD identified their
> problem, it might even be an excellent marketing move for us.  Comments
> Anyone?
>
> Regards,
> Ed




Re: Regarding DOS violations

2000-02-09 Thread Dan Nelson

In the last episode (Feb 09), Ed Gold said:
> After reading the article,
>
> http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2000/02/09/MN23532.DTL
>
> I am wondering if FreeBSD should take any action to protect our
> users. I think it would speak incredibly highly of FreeBSD if Yahoo
> and other "customers" were to have some kind of protection from such
> an attack. My initial thoughts are:
>
> A web server should know its limitations and not attempt to handle
> more requests than it can manage.  It should invoke a service cutoff

The problem is that for most flood-type DoS attacks, the target machine
doesn't see most of the traffic.  The idea is to flood the
T1/T3/whatever lines, or send enough small packets that the routers are
overwhelmed.  The smart limiting you describe is good for servers that
have relatively few connections that take a lot of CPU each.  I'd say
that most database-backed servers have a similar problem, and do
have per-IP query limits or some other form of restrictions.  The best
(worst?) example of this I can think of is the all-too-common IIS
"HTTP/1.0 Server Too Busy" message.

-- 
Dan Nelson
[EMAIL PROTECTED]

