Codes
WiiRd forum
Author Topic: Downtimes  (Read 1752 times)
Link
« on: November 29, 2010, 08:22:27 AM »

Well, on a positive note: since the move back to the old provider, the downtimes have drastically reduced again. Technically they were even 0 - however, I admit the fact I am having some troubles with server performance right now.. sometimes the server appears offline due to the fact it seems to overload.. logs so far never really suggested a DoS attack. This morning it happened again:

Server not reachable via HTTP.. but replied to pings fine.. so well.. logging in from outside via SSH (SSH has a high nice level so that login is always possible). Well, 5 minutes later I was in - just to see that Apache seemed to have been DoSed.. after an Apache restart it was up and running again. Right now I configured a mod_security setup which should prevent DoS attacks.

Does anyone of you out there have good ideas on additional DoS preventions (and no, mod_evasion is NOT an option, this server is also used by a professional photographer who is showing off galleries - evasion technically checks if too many connections come in from one IP and blocks the IP for a certain amount of time.. gallery systems however do not work with evasion!)?

James0x57
« Reply #1 on: November 29, 2010, 10:40:47 PM »

I asked a server admin here at work; all he said was:
"hmm.. for apache? not completely sure.. since we do most of our filtering at our load balancer. Anything that does rate limiting should prevent a DDOS on your backend"


Which maybe is not helpful to you but I don't know anything about it so I can't assume that info is useless..


Link
« Reply #2 on: December 01, 2010, 09:00:00 AM »

So well.. I hope it is done by now.

A: Package filter:
1) Filtering so far has a usual SYN package filter: too many SYN requests in a short amount of time whose ACKs are not acked (meaning server opens a socket but the socket is not used) will result in a 3 minute iptables ban (no access to any server resource at all).
2) ICMP requests (PING) currently allowed

B: For Apache:
1) multiple requests on the exact same URI at the same time will result in 403 errors,
2) multiple GET requests in general on addresses will also (only the limit of allowed requests is higher),
3) too many GET requests on non-existing pages (DoS attacking applications sending just GET requests randomly) also 403 (even fewer requests allowed than option 1)
4) too many POST requests per second (very low limit!)
5) unauthorized PUT requests

Apache behaviour is simple: get blocked because of one of the reasons once and you get a 5 second ban and all requests end up in 403. Manage to get 10 blocks in 1 hour and you will get a 15 minute ban. Let's see how well this ends up defeating packages :P
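The escalating ban described in Reply #2 (a 5 second ban per block, a 15 minute ban after 10 blocks in 1 hour), modelled in Python as an added example; it is not part of the original post and not the server's actual mod_security rules. Only rule B4 (POST rate) is modelled, and the POST limit of 3 per second and the choice not to count requests made during a ban as new blocks are assumptions, since the post gives neither.

```python
from collections import defaultdict, deque

SHORT_BAN = 5         # seconds per block (from the post)
LONG_BAN = 15 * 60    # seconds after repeated blocks (from the post)
STRIKE_LIMIT = 10     # blocks ... (from the post)
STRIKE_WINDOW = 3600  # ... within one hour (from the post)
POST_LIMIT = 3        # assumed POSTs allowed per second; the post gives no number

class BanPolicy:
    def __init__(self):
        self.posts = defaultdict(deque)    # ip -> POST times in the last second
        self.strikes = defaultdict(deque)  # ip -> block times in the last hour
        self.banned_until = {}             # ip -> time the current ban ends

    def handle(self, ip, method, now):
        """Return the HTTP status a request gets at time `now` (seconds)."""
        if now < self.banned_until.get(ip, 0):
            return 403                     # assumed: banned requests add no strike
        if method == "POST":
            window = self.posts[ip]
            window.append(now)
            while window[0] <= now - 1:    # drop POSTs older than one second
                window.popleft()
            if len(window) > POST_LIMIT:
                self._block(ip, now)
                return 403
        return 200

    def _block(self, ip, now):
        strikes = self.strikes[ip]
        strikes.append(now)
        while strikes[0] <= now - STRIKE_WINDOW:
            strikes.popleft()
        if len(strikes) >= STRIKE_LIMIT:   # 10th block inside the hour
            self.banned_until[ip] = now + LONG_BAN
            strikes.clear()
        else:
            self.banned_until[ip] = now + SHORT_BAN
        self.posts[ip].clear()

def replay(trace):
    """Run (time, ip, method) tuples through a fresh policy; return statuses."""
    policy = BanPolicy()
    return [policy.handle(ip, method, t) for t, ip, method in trace]

# Constructed trace: five rapid POSTs, then a GET after the short ban expires.
SAMPLE = [(i / 10, "203.0.113.9", "POST") for i in range(5)]
SAMPLE.append((6.0, "203.0.113.9", "GET"))

if __name__ == "__main__":
    print(replay(SAMPLE))
```

Because the state is keyed per client IP and only POSTs are counted here, a burst of GETs from a gallery visitor passes this rule untouched.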
