How do you tell a DDoS from Apache?

Discussion in 'Security' started by warman2442, Jan 10, 2008.

  1. #1
    Hey

    How can you tell a DDoS from Apache? Can you tell by how big the number is under REQ? (Req: milliseconds required to process most recent request)

    Or what?


    Tyler
     
    warman2442, Jan 10, 2008 IP
  2. Ladadadada
    #2
    The most obvious sign is a large spike in traffic. The trouble is, how do you tell the difference between being Slashdotted or Dugg and a malicious DDoS?

    The best way I can tell would be to look at what is being requested by each individual IP address. If a single IP address requests the same page more than three times and you are in the middle of a large spike of traffic then it's probably part of the DDoS attack. In this case you will probably see lots of IP addresses exhibiting this behaviour.

    I don't think Apache has the power to detect this kind of complex behaviour however there might be a plugin that could do it. I have heard good things about mod_evasive but I haven't used it myself.

    Alternatively, writing a script that looks through your log files might be a better way of handling it. Leave Apache to get on with serving files and let the script handle the security. This should give you the flexibility and the power you need at the expense of having to wait five minutes until the next time the script runs.
     
    Ladadadada, Jan 13, 2008 IP
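The log-scanning approach from the post above, written out as an added example (this is not code from the thread). It parses Apache combined-format lines, groups requests into one-minute buckets, treats any bucket carrying at least three times the median bucket's traffic as a spike, and inside a spike flags every IP that requested the same path more than three times. The sample log lines are constructed for the example; the bucket size, spike factor and repeat limit are assumptions you would tune to your own traffic.

```python
"""Spot IPs hammering one URL during a traffic spike (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median

# Apache "combined" format, e.g.
# 203.0.113.5 - - [10/Jan/2008:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return (ip, timestamp, path) for one combined-format line, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path")


def find_repeat_offenders(lines, bucket=timedelta(minutes=1), spike_factor=3, repeat_limit=3):
    """Return {ip: (path, hits)} for IPs that fetched one path more than repeat_limit
    times inside a bucket whose total traffic is >= spike_factor * the median bucket."""
    per_bucket = defaultdict(list)  # bucket start -> [(ip, path), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not parse
        ip, ts, path = rec
        start = ts - timedelta(seconds=ts.timestamp() % bucket.total_seconds())
        per_bucket[start].append((ip, path))

    if not per_bucket:
        return {}
    baseline = max(1, median(len(v) for v in per_bucket.values()))
    offenders = {}
    for start, reqs in sorted(per_bucket.items()):
        if len(reqs) < spike_factor * baseline:
            continue  # ordinary traffic level, not a spike
        for (ip, path), hits in Counter(reqs).items():  # (ip, path) -> hits in this bucket
            if hits > repeat_limit and hits > offenders.get(ip, ("", 0))[1]:
                offenders[ip] = (path, hits)
    return offenders


# Constructed sample traffic (not a real log): three quiet minutes, then a spike.
BASELINE_LINES = """\
203.0.113.1 - - [10/Jan/2008:12:00:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.2 - - [10/Jan/2008:12:00:40 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.3 - - [10/Jan/2008:12:01:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.4 - - [10/Jan/2008:12:01:50 +0000] "GET /contact.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2008:12:02:15 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.6 - - [10/Jan/2008:12:02:45 +0000] "GET /style.css HTTP/1.1" 200 800 "-" "Mozilla/5.0"
""".splitlines()


def _spike_lines():
    """Constructed spike minute: two IPs re-fetch /index.php, one normal visitor loads a page."""
    tmpl = '{ip} - - [10/Jan/2008:12:03:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 5120 "-" "-"'
    lines, sec = [], 0
    for ip, path, n in [("198.51.100.7", "/index.php", 5),
                        ("198.51.100.8", "/index.php", 4),
                        ("203.0.113.9", "/about.html", 1)]:
        for _ in range(n):
            lines.append(tmpl.format(ip=ip, sec=sec, path=path))
            sec += 1
    for path in ("/index.php", "/style.css", "/logo.png"):  # page plus its assets, once each
        lines.append(tmpl.format(ip="203.0.113.10", sec=sec, path=path))
        sec += 1
    return lines


SAMPLE_LOG = BASELINE_LINES + _spike_lines()

if __name__ == "__main__":
    for ip, (path, hits) in find_repeat_offenders(SAMPLE_LOG).items():
        print(f"{ip} requested {path} {hits} times during a spike")
```

Run against a real file with `find_repeat_offenders(open("/var/log/apache2/access.log"))`; the normal visitor who fetches a page plus its stylesheet and images once each is not flagged, only the IPs repeating the same path are.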
  3. oc-scott
    #3
    Does your server have any control panels, say cPanel? Run the following command

    netstat -plan | grep ':80' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk1

    which will show you the number of connections per IP. If you see that the number of connections exceeds the MaxClients value defined in the Apache configuration, then it could be a DDoS attack.
     
    oc-scott, Jan 19, 2008 IP
  4. BackupDrone.com
    #4
    BackupDrone.com, Jan 20, 2008 IP
  5. Ladadadada
    #5
    Good idea. Most browsers are configured to only use two simultaneous connections to the same server. They will wait until they have finished downloading one of the first two image/css/js files before starting on the third.

    If you see a single user making significant numbers (more than 16 would be my guess; your server probably has MaxClients set to 500 or so) of simultaneous connections then it's either part of a DoS attack or it's several users behind a proxy/gateway.

    Make sure you also grep for ESTABLISHED connections because any in TIME_WAIT are not part of a current, valid connection.

    You could probably configure your firewall to drop or delay any connections that would exceed that number from the same IP address. It shouldn't affect normal browsers and it shouldn't affect users behind a proxy very much - they will just have to wait a little before connecting. It might, however, significantly throttle a DoS attack.
     
    Ladadadada, Jan 24, 2008 IP
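The connection count from post #3, together with the ESTABLISHED-only refinement from post #5, as one added example (not code from the thread). It parses saved `netstat -plan` output instead of piping through awk, counts connections per remote IP on the local port, and shows why the state filter matters: a host with many sockets in TIME_WAIT looks like an attacker to the naive count but not to the ESTABLISHED-only count. The netstat snapshot, the IP addresses and the per-IP limit of 16 are constructed assumptions.

```python
"""Count simultaneous connections per remote IP from netstat output (added example)."""
import sys
from collections import Counter


def parse_netstat(text, port=80):
    """Yield (remote_ip, state) for every TCP socket whose local port is `port`."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp"):
            continue  # banner, column header, udp or unix sockets
        local, remote, state = f[3], f[4], f[5]
        if local.rsplit(":", 1)[1] != str(port):
            continue  # some other service on this box
        yield remote.rsplit(":", 1)[0], state  # rsplit keeps IPv6 addresses intact


def connections_per_ip(text, port=80, established_only=True):
    """Per-IP connection count, like netstat | awk | sort | uniq -c.
    With established_only=False it counts every state, as the awk pipeline does."""
    counts = Counter()
    for ip, state in parse_netstat(text, port):
        if state == "LISTEN":
            continue  # the server socket itself, not a client
        if established_only and state != "ESTABLISHED":
            continue  # TIME_WAIT etc. are not live connections
        counts[ip] += 1
    return counts


def suspicious_ips(text, port=80, limit=16):
    """IPs holding more ESTABLISHED connections than a browser would open (limit assumed)."""
    return sorted(ip for ip, n in connections_per_ip(text, port).items() if n > limit)


def _constructed_netstat():
    """Constructed `netstat -plan` snapshot, not a real capture."""
    hdr = [
        "Active Internet connections (servers and established)",
        "Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name",
        "tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/apache2",
        "tcp        0      0 192.0.2.10:22           198.51.100.2:40000      ESTABLISHED 900/sshd",
        "udp        0      0 0.0.0.0:123             0.0.0.0:*                           500/ntpd",
    ]
    row = "tcp        0      0 192.0.2.10:80           {ip}:{port:<15} {state:<11} {pid}"
    rows, port = [], 50000
    # attacker: 20 live connections; busy proxy: 6 live + 30 lingering TIME_WAIT; normal user: 2
    for ip, state, n in [("198.51.100.7", "ESTABLISHED", 20),
                         ("203.0.113.20", "ESTABLISHED", 6),
                         ("203.0.113.20", "TIME_WAIT", 30),
                         ("203.0.113.5", "ESTABLISHED", 2)]:
        for _ in range(n):
            pid = "1240/apache2" if state == "ESTABLISHED" else "-"
            rows.append(row.format(ip=ip, port=port, state=state, pid=pid))
            port += 1
    return "\n".join(hdr + rows)


SAMPLE_NETSTAT = _constructed_netstat()

if __name__ == "__main__":
    # usage: netstat -plan > snap.txt && python3 this.py snap.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NETSTAT
    print("all states:  ", dict(connections_per_ip(text, established_only=False)))
    print("established: ", dict(connections_per_ip(text)))
    print("suspicious:  ", suspicious_ips(text))
```

On the constructed snapshot the all-states count reports 36 for the proxy at 203.0.113.20 and would flag it alongside the attacker; counting only ESTABLISHED sockets leaves it at 6 and flags just 198.51.100.7.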