> Joshua Slive <joshua@xxxxxxxx> wrote:
> Ok. I see the issue better now.
>
> But what really is the point in trying to eliminate the client who
> dribbles out data in order to get around the TimeOut? If you are
> performing a DDoS, you can easily behave just like an ordinary client
> (requesting real files), and thereby be almost undetectable. Why
> bother playing silly timeout tricks?
This is only a variant of resource exhaustion. The Slashdot effect
is certainly devastating. But while the latter is well known, this
one is mostly obscure. Attackers build silly TCP packets to hose
servers; I am sure they also use silly timeout tricks if it does
the job they want.
This attack has many special traits. One of the more annoying ones is
sudden and total death. Your server can go from snappy response to
100% blocked in a mere second. If you still manage to access the status
page (I have not managed to do this, though), it would tell you
the following in most attack variants:
  Srv  PID    Acc    M  CPU   SS  Req  Conn  Child  Slot  Client  VHost  Request
  1-0  16053  0/0/0  R  0.00  13  0    0.0   0.00   0.00  ?       ?      ..reading..
You do not even see the attacking IP. It's all very silent and your
logfile will be empty apart from an informative "server seems busy".
In fact it is not busy. It is idle (polling). But blocked.
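As an added example (not part of this mail thread), a small Python check that parses scoreboard rows in the layout quoted above and flags the symptom the author describes: slots held in state "R" with no client address and "..reading.." as the request. The sample rows, the column positions and the thresholds are constructed assumptions.

```python
"""Flag Apache worker slots stuck reading a request that never arrives.

Added example, not from the original mail. Parses constructed
scoreboard lines in the format quoted in the thread (Srv PID Acc M
CPU SS Req Conn Child Slot Client VHost Request). 'M' is the state
letter ('R' = reading request), 'SS' is seconds since the current
request began. Thresholds below are assumptions.
"""
from dataclasses import dataclass
from typing import List

# Constructed sample: a healthy worker, three silent readers, one writer.
SAMPLE_STATUS = """\
Srv PID Acc M CPU SS Req Conn Child Slot Client VHost Request
0-0 16052 0/12/12 _ 0.03 4 1 0.0 0.01 0.01 192.0.2.10 www.example GET /index.html HTTP/1.1
1-0 16053 0/0/0 R 0.00 13 0 0.0 0.00 0.00 ? ? ..reading..
2-0 16054 0/0/0 R 0.00 29 0 0.0 0.00 0.00 ? ? ..reading..
3-0 16055 0/0/0 R 0.00 31 0 0.0 0.00 0.00 ? ? ..reading..
4-0 16056 1/7/7 W 0.02 0 2 1.3 0.02 0.02 198.51.100.7 www.example GET /a.png HTTP/1.1
"""

@dataclass
class Worker:
    slot: str
    pid: int
    mode: str      # scoreboard state letter
    ss: int        # seconds since the beginning of the current request
    client: str    # '?' when no request line has been read yet
    request: str

def parse_status(text: str) -> List[Worker]:
    """Split each row at most 12 times so a request line with spaces stays whole."""
    workers = []
    for line in text.splitlines():
        parts = line.split(None, 12)
        if len(parts) < 13 or parts[0] == "Srv":   # skip header / short lines
            continue
        workers.append(Worker(parts[0], int(parts[1]), parts[3], int(parts[5]), parts[10], parts[12]))
    return workers

def stuck_readers(workers: List[Worker], min_ss: int = 10) -> List[Worker]:
    """Slots in 'R' with no identified client, held at least min_ss seconds (assumed threshold)."""
    return [w for w in workers
            if w.mode == "R" and w.client == "?"
            and w.request.startswith("..reading..") and w.ss >= min_ss]

def assess(text: str, min_ss: int = 10, ratio: float = 0.5) -> dict:
    """Alert when the fraction of stuck readers reaches `ratio` (assumed threshold)."""
    workers = parse_status(text)
    stuck = stuck_readers(workers, min_ss)
    frac = len(stuck) / len(workers) if workers else 0.0
    return {"total": len(workers), "stuck": len(stuck), "fraction": frac, "alert": frac >= ratio}

if __name__ == "__main__":
    print(assess(SAMPLE_STATUS))
```

Because the status page may itself be unreachable once all slots are blocked, this is most useful run against periodically archived scoreboard output so the trend is visible before total blockage.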