Ravens PHP Scripts: Forums
 

 

Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
___jay___
New Member
Joined: Feb 09, 2007
Posts: 19
Posted: Mon Apr 09, 2007 11:35 am

All this has been done before consulting this site. The problem is, it's not very effective when running my tests. With all the settings done, DDoS attacks (well, mine anyway) blow right through it and the server lags offline. Don't get me wrong, the attack I'm doing is massive; that's why I want this type of attack resolved.

Flood Blocker Settings: Block, &default page
Write to htaccess: on
Ipblock type: 3octets

Flood blocker settings are
PAGE DELAY: 4
FLOOD DELAY: 4
DOS Protection:On
BLOCK PROXIES: Strong Level

I blow right through this and that bothers me. I have seen this stature of attack blocked before, but they're not sharing.
 
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17077

Posted: Mon Apr 09, 2007 12:07 pm

I often get heavily ddos'd and have to take extreme measures to counter the attack(s). In all the searching and reading and studying that I have done over many years along with talking to many other hosts, as I said above, there is no software, anywhere, that can stop those kinds of attack. You can use mod_throttle, mod_security, APF, CFS, iptables, etc., and you can corral some of these. But those are done at the server/kernel level and not at the site level. And, as I said earlier, I can lock your server in a dos with one or two lines of code and only a single connection that within seconds kills your web server. My point is not to brag but to try to put this in perspective. NS, Protector, and even the type products mentioned above won't stop it. In fact, depending on how your server is set up, even on reboot it will go right back into the grave.

Very expensive hardware is available that can mitigate (much better) these heavy attacks but still won't shut them down completely w/o taking the server off line, of course depending on how the attack was written/executed. And to back trace the culprits requires a coordinated effort of all the router owners along the route.

As Ezekiel stated, sometimes you just have to throw the baby out with the bathwater to achieve what you are after - collateral damage as they say.


Last edited by Raven on Mon Apr 09, 2007 8:14 pm; edited 1 time in total 
___jay___
Posted: Mon Apr 09, 2007 12:14 pm

I was thinking about a different approach. Is there a way to set up Sentinel to ban an IP that (say, for example) clicks a link repeatedly in a short period of time, such as a hammer attack block would do? The flood protection does not seem to be doing this for me.
 
___jay___
Posted: Mon Apr 09, 2007 3:52 pm

I have uninstalled Protector, set Flood protection to write to .htaccess and set octet to 1, and this seems to be doing what I wanted. Raven was right. I needed more focus on setting NS up correctly. Thank you, sir.



Cheers
 
BobMarion
Former Admin in Good Standing


Joined: Oct 30, 2002
Posts: 1037
Location: RedNeck Land (known as Kentucky)

Posted: Mon Apr 09, 2007 3:59 pm

I have been working on a different "Flood" blocker for NS. It is rather harsh as some would say. The problem with past flood routines, including the present one, is that we have to mellow them out for the masses that normally don't get dos'ed or hammered. In the one I've been working on it has no mercy, which I personally prefer.

It's nowhere near ready for any testing just yet, as I only have it on a local server and it even blocks itself at times still :) Like I said, no mercy.

Onto Jay's question: yes, we could set it up like that, but there is a major drawback to it. It would slow your site down to a crawl from all the routine calls it would take.

_________________
Bob Marion
Codito Ergo Sum
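
The per-IP hammer ban asked about above, as an added example (not part of the thread and not NukeSentinel code): it counts requests per address prefix in a sliding window, bans the prefix past a threshold, and emits Apache 2.2-style `Deny from` lines. The class, function and parameter names are hypothetical, the addresses are constructed documentation addresses, and PHP 8 is assumed.

```php
<?php
// Added illustration; not NukeSentinel code. All names are hypothetical.

// Reduce an IPv4 address to its first $octets octets, e.g. 203.0.113.7 -> 203.0.113
function ip_prefix(string $ip, int $octets): string {
    return implode('.', array_slice(explode('.', $ip), 0, $octets));
}

class HammerBlocker {
    private array $hits = [];    // prefix => timestamps of recent requests
    private array $banned = [];  // prefix => true

    public function __construct(
        private int $maxHits,    // requests allowed per window
        private int $window,     // window length in seconds
        private int $octets      // leading octets that identify a client
    ) {}

    // Record one request; returns false once the client's prefix is banned.
    public function allow(string $ip, int $now): bool {
        $p = ip_prefix($ip, $this->octets);
        if (isset($this->banned[$p])) {
            return false;
        }
        // Keep only hits inside the sliding window, then add this one.
        $recent = array_filter($this->hits[$p] ?? [], fn($t) => $t > $now - $this->window);
        $recent[] = $now;
        $this->hits[$p] = array_values($recent);
        if (count($recent) > $this->maxHits) {
            $this->banned[$p] = true;
            unset($this->hits[$p]);
            return false;
        }
        return true;
    }

    // Apache 2.2-style partial-address rules, one per banned prefix.
    public function htaccessRules(): array {
        return array_map(fn($p) => "Deny from $p", array_keys($this->banned));
    }
}

// Constructed traffic: one client hammering, then a neighbour and a stranger.
$b = new HammerBlocker(maxHits: 4, window: 4, octets: 3);
for ($i = 0; $i < 6; $i++) {
    $b->allow('203.0.113.7', 1000);           // all six hits fall inside one window
}
var_dump($b->allow('203.0.113.99', 1001));    // neighbour sharing the 3-octet prefix
var_dump($b->allow('198.51.100.5', 1001));    // unrelated prefix
print_r($b->htaccessRules());
```

In a PHP site the counters would have to live in shared storage that is read on every request, which is the per-request cost mentioned above. Matching on fewer octets widens each ban to more neighbouring addresses.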
___jay___
Posted: Mon Apr 09, 2007 4:02 pm

When it's ready, keep me in mind for testing, and thanks.
 
gregexp
The Mouse Is Extension Of Arm


Joined: Feb 21, 2006
Posts: 1497
Location: In front of a screen....HELP! lol

Posted: Wed Apr 11, 2007 4:50 pm

Just to add to this topic, Raven is the one person whose advice I would take to heart without question.

Here are some commonly known things about DoSing and DDoSing:

Problem: all servers or legitimate networking systems must report back on error.
So that means that a server must report back an error even if banned; that takes some usage, not much but some.

All attacks are designed to skyrocket CPU usage and therefore force an error or shut down public access.

I have created a DoS block that works quite effectively to stop DoSing of the server for a legitimate browser that accepts cookies (using SQL takes WAY more resources). So there's the problem: illegitimate or program-based browsers have no need for cookies, nor do they take them, but to ban just because they don't take cookies is insane. A lot of users don't take cookies, and even if I ban them all, I still will have a SERVER that delivers the error on cue.

Solution: Use Sentinel. Make sure you have a GOOD host; so many out there think that uptime is a matter of security, and this is simply not true.

Read this for some major insight: [link hidden by the forum software]


I hope this shows you how global the problem really is, and that means the solution must be global, and people like Bob and Raven and others who work to help prevent these attacks need the support of the users and the internet community as a whole.

_________________
For those who stand shall NEVER fall and those who fall shall RISE once more!! 
Raven
Posted: Wed Apr 11, 2007 5:33 pm

Thanks darklord for the excellent link. What I find really significant and disheartening at the same time is that the article started in 2000. Seven years ago and we still battle this regardless of advancements in technology and knowledge.
 
All times are GMT - 6 Hours
 