Detecting Attacks

Valdis.Kletnieks at vt.edu
Sun Jun 12 16:04:12 UTC 2016


On Fri, 10 Jun 2016 22:22:31 -0700, subashini hariharan said:

> The aim is to detect DoS/DDoS attacks using the application. I am going to
> use ELK (ElasticSearch, Logstash, Kibana) for processing the logs (Log
> Analytics).

Bad approach.  At that point, not only is the application being DDoS'ed,
but now your logging system may be overwhelmed as well.  And a favorite
attack method is to throw a DDoS at one application (your http server, for
instance), and while you're drowning in logfiles, slip in an exploit for
something else (you *did* patch that tftpd server, right?)

Also, the vast majority of DDoS attempts are just fill-the-pipe attacks,
which often don't even bother attacking an application, just an IP address.
This leverages the fact that there's a lot of routers that can switch average
sized packets at line speed, but not minimum sized packets. So the link
falls over faster if it's getting pounded with ICMP Echo Request packets
or TCP SYN packets than if it's getting 800-byte http requests.
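The packets-per-second point above, worked through as an added example that is not part of the post: a link that is nowhere near full in bits per second can still exceed a router's forwarding rate if it is being hit with minimum-sized SYN or ICMP frames, so interface counters should be judged on packet rate and average frame size, not only on throughput. The link speed, the 400 kpps forwarding limit, the 20-byte Ethernet preamble/inter-frame-gap overhead, the thresholds and the per-second counter windows are all assumptions constructed for illustration.

```python
"""Added example (not from the NANOG post): small-packet floods vs. bandwidth floods.

Everything numeric here is an assumption: a 1 Gbit/s link, a router that can
forward ~400k packets/s, and constructed one-second interface counter windows.
"""
from dataclasses import dataclass

LINK_BPS = 1_000_000_000          # assumed link speed, bits per second
ROUTER_PPS_LIMIT = 400_000        # assumed forwarding capacity, packets per second
ETH_OVERHEAD_BYTES = 20           # preamble (8) + inter-frame gap (12) on the wire


def line_rate_pps(link_bps: int, frame_bytes: int) -> float:
    """Packets per second the link carries when every frame is `frame_bytes` long."""
    return link_bps / ((frame_bytes + ETH_OVERHEAD_BYTES) * 8)


def forwards_at_line_rate(link_bps: int, frame_bytes: int, router_pps_limit: float) -> bool:
    """True if the router can keep up with a full link of frames this size."""
    return line_rate_pps(link_bps, frame_bytes) <= router_pps_limit


@dataclass
class Window:
    """One counter window: label, packets and octets seen in `seconds`."""
    label: str
    packets: int
    octets: int
    seconds: float = 1.0

    @property
    def pps(self) -> float:
        return self.packets / self.seconds

    @property
    def bps(self) -> float:
        return self.octets * 8 / self.seconds

    @property
    def avg_frame(self) -> float:
        return self.octets / self.packets if self.packets else 0.0


def classify(w: Window, link_bps: int = LINK_BPS, router_pps_limit: float = ROUTER_PPS_LIMIT,
             small_frame: int = 128, hot: float = 0.8) -> str:
    """Hypothetical detector (assumed thresholds):
    - packet rate near the router's limit with tiny frames -> small-packet flood
    - bit rate near link capacity with normal frames       -> bandwidth saturation
    - otherwise                                             -> normal
    """
    if w.pps >= hot * router_pps_limit and w.avg_frame <= small_frame:
        return "small-packet flood"
    if w.bps >= hot * link_bps:
        return "bandwidth saturation"
    return "normal"


# Constructed one-second windows (not captured data).
SAMPLE_WINDOWS = [
    Window("http-800B",      packets=60_000,  octets=48_000_000),   # ~384 Mbit/s
    Window("syn-flood-64B",  packets=500_000, octets=32_000_000),   # ~256 Mbit/s
    Window("bulk-1500B",     packets=80_000,  octets=120_000_000),  # ~960 Mbit/s
]


def summarize(windows=SAMPLE_WINDOWS) -> dict:
    """Map each window label to its classification."""
    return {w.label: classify(w) for w in windows}


if __name__ == "__main__":
    for size in (64, 800, 1500):
        print(f"{size:5d}-byte frames: line rate = {line_rate_pps(LINK_BPS, size):>12,.0f} pps, "
              f"router keeps up: {forwards_at_line_rate(LINK_BPS, size, ROUTER_PPS_LIMIT)}")
    for w in SAMPLE_WINDOWS:
        print(f"{w.label:15s} {w.pps:>9,.0f} pps {w.bps/1e6:>7,.0f} Mbit/s "
              f"avg {w.avg_frame:>6,.0f} B -> {classify(w)}")
```

The SYN-flood window moves fewer bits than the HTTP window but more packets than the router can forward, which is the failure mode the post describes; a detector that only watches throughput or only counts HTTP requests in a log pipeline would miss it.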

