I don't know about configuration of the various IDSes, but I'm sure that with a product that uses event correlation, setting a threshold for maximum number of requests to a domain or URL per time slice would be possible. And if the threshold is reached, you could block further connections from the offending IP.
A server based approach may be cheaper and more worth your while. Here are some references for Apache-based modules which rate limit:

http://www.topology.org/src/bwshare/README.html
http://modperl.com:9000/book/chapters/ch6.html

AFAIK, there are no great solutions to a bandwidth DoS, other than keeping a direct line for your upstream provider's admin handy.

- Rob

: -----Original Message-----
: From: Michael Ungar [mailto:[EMAIL PROTECTED]]
: Sent: Tuesday, February 12, 2002 3:51 PM
: To: [EMAIL PROTECTED]
: Subject: Floodnet Controls
:
:
: As demonstrated with the recent DOS attack on the
: World Economic Forum's web site, tools are being made
: available which assist users in downloading an applet
: to automatically refresh against a target's home page;
: thereby making the site unavailable if enough users
: have downloaded and are running the applet.
:
: Question 1 - In this type of attack, I've heard
: different opinions as to whether an IDS would or would
: not pick up the event since
: a - url looks normal
: b - three way handshake completes
: c - traffic might be under url
:
: I'm under the assumption the IDS would not catch
: 'cause of reasons a - c above. Any views to the
: contrary ?
:
: Question 2 - Any best practices against this risk
: other than making sure your site has much and
: redundant bandwidth.
:
: Thanks.....Mike Ungar
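The per-IP, per-URL request threshold suggested in the reply above, sketched as an added example that is not part of the original thread and is not taken from any IDS or Apache module. It assumes Apache common log format input; the function names, the threshold of 5 requests per 10 seconds, and the sample log lines are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache common log format: client IP, [timestamp], "METHOD URL PROTO"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*"')

def parse(line):
    """Return (ip, time, url), or None for a line that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, stamp, url = m.groups()
    return ip, datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z"), url

def find_flooders(lines, max_requests=5, window_seconds=10):
    """Map (ip, url) to the time it first exceeded max_requests per window."""
    # Assumes each client's lines appear in time order, as in an access log.
    recent = defaultdict(deque)   # (ip, url) -> request times inside the window
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, when, url = rec
        times = recent[(ip, url)]
        times.append(when)
        # Slide the window: forget requests older than window_seconds.
        while (when - times[0]).total_seconds() >= window_seconds:
            times.popleft()
        if len(times) > max_requests:
            flagged.setdefault((ip, url), when)
    return flagged

def _line(ip, second, url):
    return f'{ip} - - [12/Feb/2002:12:00:{second:02d} +0000] "GET {url} HTTP/1.0" 200 5120'

# Constructed sample: one client reloading "/" every second (the applet
# pattern from the question) and one ordinary visitor.
SAMPLE_LOG = [_line("203.0.113.7", s, "/") for s in range(12)] + [
    _line("198.51.100.20", 0, "/"),
    _line("198.51.100.20", 3, "/about.html"),
    _line("198.51.100.20", 30, "/"),
    "malformed line that the parser skips",
]

if __name__ == "__main__":
    for (ip, url), when in find_flooders(SAMPLE_LOG).items():
        print(f"{ip} exceeded the limit on {url} at {when:%H:%M:%S}")
```

The returned keys are the candidates for blocking; because every request in the sample is a well-formed GET with a completed connection, the count per time slice is the only signal that separates the two clients.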
