[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    Re: [Full-disclosure] how to detect DDoS attack through HTTP
From:       coderman <coderman () gmail ! com>
Date:       2011-06-30 1:46:19
Message-ID: BANLkTim8VjMNz0QFnfrMNsT7NqW7m-eoEg () mail ! gmail ! com
[Download RAW message or body]

2011/6/29 ±è¹«¼º <kimms@infosec.co.kr>:
> You don't understand my question.
>
> I'm studying and researching about solution of DDoS detection through
> analysis of HTTP responses...


i implied that this is less than useful on actual systems than in theory / lab.

if you want to gather useful details you need to instrument analysis
of HTTP requests/responses individually - just culling logs or
counting netflows won't cut it.

for example, measuring long requests at a front-end proxy (haproxy,
nginx, other) separate from measuring the application request/response
relayed to backend. measuring SSL session establishment, resumption
separate from HTTP requests within that session. measuring TCP
congestion control over which HTTP requests are sent. etc, etc...

the list of papers / sources covering large-scale network and
application performance tuning for the web is too large to list here.
good luck!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[prev in list] [next in list] [prev in thread] [next in thread]