Ravens PHP Scripts: Forums
 

 

gregexp
Posted: Wed Jul 05, 2006 10:45 am

I'm working on a DDoS blocker for a website. The thing I can't figure out is a way to tell (through script, absolutely no MySQL intervention) how many unique IPs are on a site.

From what I have read, DDoS do not use cookies so to add a cookie would not work, so I need a way for the server to tell me how many connections are made to the server from this site, and tell me the IPs of the connectors. As far as I can tell, there is no way to do this from the site level because they don't use cookies.

Another approach I was trying to work with was a way to find out what percentage of resources my site was using on the server (either Apache or database) from the site level. This also led me to some ideas, but not really plausible.

The goal is to just simply stop a DDoS from the site level; I don't really care if the site bans 'em (would be nice but not focused on it).

Any ideas would be appreciated. Also, if this is possible but out of my level of knowledge, please link me to where I can learn about it.
Thanx

_________________
For those who stand shall NEVER fall and those who fall shall RISE once more!! 
kguske
Posted: Wed Jul 05, 2006 1:01 pm

Bob Marion added some DDOS prevention capabilities to NukeSentinel, so you might want to look into that. Beyond that, I can't recommend anything else unfortunately...

_________________
I search, therefore I exist...
nukeSEO - nukeFEED - nukePIE - nukeSPAM - nukeWYSIWYG
 
hitwalker
Posted: Wed Jul 05, 2006 1:02 pm

Well, I don't wanna ruin your day but you can't...
DDoS (attacks) are not that easy and require a huge setup by the hacker... (from what I've read and know of)

There is software available (commercial stuff) that can deal with DDoS attacks but not fully 100%.

But while I'm busy.... yep (ruin your day now) let me quote Cisco:


Today's DDoS attacks are more malicious, more virulent, more destructive, and more focused than ever.
Launched by disgruntled users or unscrupulous businesses targeting specific sites or competitors, these attacks easily elude and overwhelm the most common defenses.
Composed of legitimate-appearing requests, massive numbers of "zombies" and spoofed identities that make it virtually impossible to identify and block these malicious flows, DDoS attacks literally paralyze their victims and prevent them from conducting business, costing billions of dollars per year in lost revenue.

The Cisco Guard XT defends against this new wave of DDoS attacks, enabling businesses to defeat these attacks without compromising their mission-critical and revenue-bearing operations.
Based on a unique multiverification process (MVP) architecture, the Cisco Guard XT employs the most advanced anomaly recognition, source verification, and anti-spoofing technologies to identify and block individual attack flows while allowing legitimate transactions to pass.
Combined with an intuitive, graphical user interface (GUI) and extensive multilevel monitoring and reporting designed to provide a comprehensive overview of all attack activity, the Cisco Guard XT delivers robust and comprehensive DDoS defense for protecting business operations.




And I'm sure you wanna know how much this baby costs... :)

:( $81,469.91
 
gregexp







Posted: Wed Jul 05, 2006 2:27 pm

This is what bothers me. This is what I know of a DDoS attack:

IPs connect to a server or site continuously till the time limit they set is up.

Now this is where I began my search. DDoS will make the server's MySQL resource increase in percentage if it's hitting a nuke site or a site that uses the database.

Now if it hits the server, it increases CPU usage ONLY.

Now the server logs all IPs connecting to a site or server.

I could care less about the server as that's up to the host (script-wise I mean).

But what I would like is a way to call on those logs to see how many IPs are connected at that time (to the site).


I do believe they don't use cookies or don't allow 'em, so this creates a problem of not being able to monitor connections via cookies, and I think from the code in NukeSentinel that is how they attempted to create a DDoS block.
I used that to create a flood blocker which is posted in these forums under NukeSentinel because it uses Sentinel's bans to ban them.

Now I've been searching the net for a way to monitor CPU usage on a server from the site or MySQL resource usage. I'm curious if anyone knows of a way; if not, does anyone know of a way to grab all the IPs that are connected to a site at one time?
If anyone has any ideas on another approach I've overlooked then please post, I'll be happy to approach ALL angles of this and see what can be done.
These 2 ways have already led me to what seem to be dead ends.
My server has something called ip_tables which my host pointed me to; now if this is an angle I could use in PHP then that would be great too.
See, I've tried all I can think of so far, that's why I'm asking, but I do understand if it's not possible at my coding ability or on the site level.

Would be nice though.
 
hitwalker







Posted: Wed Jul 05, 2006 2:35 pm

Well, you're a little bit off track with your approach...

I quote from an article....

Denial of Service (DoS) attacks occur when a computer network is overwhelmed by streams of seemingly normal service requests (literally made by sending data packets) such that legitimate users cannot gain access to network resources - thus, they are denied service.
Typical Distributed Denial of Service (DDoS) attacks involve the use of multiple unwitting "zombie" computers sending requests to the victim site.
This is more effective in creating an overwhelming mass of requests to deny service (e.g., a thousand computers sending millions of requests).
But importantly, the attack is more difficult to stop because the origin of the attack is very complex and hard to identify, especially as the data packets sent to the victim will often have "spoofed" (forged) source addresses.

I'm sure you're beginning to understand now why this is close to impossible....
 
gregexp







Posted: Wed Jul 05, 2006 9:46 pm

OK, now I have an approach I'm thinking will HELP, not stop completely, but I'd like some input here.

Could as many people as possible run this via phpMyAdmin:

show status like 'threads_connected';
(This will only tell how many connections are currently set; absolutely no risk to you at all to post the number it displays.)

And let me know what the roundabout traffic is. I have a small site and it simply does not need that many connections, but I would like to implement this:

// $sql: the Threads_connected value read from MySQL; $setnumber: the chosen limit
if ($sql >= $setnumber) {
    // placeholder for the temporary shut-down page
    die('http.site_shut_down_temp.php');
}

Funny how long it took me to realize the mysql_query will output this as a resource. But I LOVE php.net, so useful for those little coding issues.

I need the input so that I can offer REAL advice on what to set a limit to.
This is one of the other approaches I was taking before but must have overlooked this particular variable.

If I can't monitor connections via cookies, let's tell MySQL to tell me how many connections are currently made to the database. And I have found a way to make this work. Please, if this is not plausible to work the way I'd like, post back.
Thanx
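
The check described in the post above, written out as an added example (not part of the original post and not code from NukeSentinel): read Threads_connected, compare it with a limit, and answer 503 instead of building the page. The connection details, THREADS_LIMIT, the Retry-After value and the function names are assumptions for illustration.

```php
<?php
// Added example: shed load when MySQL reports too many open connections.
// Host, credentials, database name and THREADS_LIMIT are placeholders.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // DB errors throw

const THREADS_LIMIT = 40; // assumed limit; set it from your own normal traffic

/** Current number of open MySQL connections (includes this script's own). */
function threads_connected(mysqli $db): int
{
    $result = $db->query("SHOW STATUS LIKE 'Threads_connected'");
    $row = $result->fetch_assoc(); // columns: Variable_name, Value
    $result->free();
    if (!$row) {
        throw new RuntimeException('Threads_connected not reported');
    }
    return (int) $row['Value'];
}

/** Answer with 503 so clients and crawlers know the outage is temporary. */
function shed_load(): void
{
    http_response_code(503);
    header('Retry-After: 120');       // seconds; assumed value
    header('Cache-Control: no-store');
    exit('Site temporarily unavailable, please try again in a few minutes.');
}

try {
    $db = new mysqli('localhost', 'db_user', 'db_pass', 'db_name');
    $overloaded = threads_connected($db) >= THREADS_LIMIT;
} catch (Exception $e) {
    // Connecting or querying failed (for example the server is already at
    // max_connections): the page could not be built anyway, so shed load.
    $overloaded = true;
}

if ($overloaded) {
    if (isset($db)) {
        $db->close(); // release this request's connection first
    }
    shed_load();
}

// Below the limit: continue with the normal page, reusing $db.
```

Threads_connected is a server-wide counter, so on a shared MySQL server it includes other sites' connections, and the check itself costs one connection per request.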
 
All times are GMT - 6 Hours
 