The reality is that today's (D)DoS is less a factor of what the target is or is running but more (if not all) a factor of available source bandwidth. You can have the most perfectly secured machine with absolutely no buffer overflows, controlled resources, and so on, but a miscreant with an agenda can still attempt to send some astronomical amount (like say 6MBytes/sec aka > T3) of data (valid or not) to any port (listening or not) on your machine, and offline you go. No one else can send valid data to you, because said miscreant has soaked up all your available downline. Unless you can get cooperation from your upline provider(s) to block the DoS upstream at a higher bandwidth point, there is nothing you as an end-user can do except wait it out or have more bandwidth than the miscreant can appropriate. Firewall and reject all the packets you want, but up to your firewall, the packets have already traveled and so goes the bandwidth you need to get valid data in to the systems behind the firewall.
This is not to say that the above suggestions are not to be bothered with, quite to the contrary. You should always maintain secured, tested, and resource controlled systems, however, the goal of this security is to keep the bad guys from screwing up the system itself, using it as a point of attack, or ruining the data contained therein (loss of data, intentionally modified data, defaced websites**, etc.).
However, any semi-intelligent miscreant with the simple goal of taking you offline knows that all (s)he need do is eat up your bandwidth. Long gone are the days when creating a DoS required making the target machine keep itself (too) busy (or crashed) to answer valid requests.
This article's title is a misnomer in suggesting you can protect your Apache server *from* DoS attacks. You may prevent it from being 'hacked' and possibly used to participate in a DoS, but with today's bandwidth and other people's insecured machines, eliminating the possibility of a (D)DoS directed at you is not a reality. The reality is that the concepts apply to all systems online regardless of what function they perform and whose software they use.
-----
** A capable defacer may not hack your machine unless it presents itself as the easy target, (s)he may route or DNS around you and put up his/her own copy of "your" site elsewhere.
The author provides a sound, well-written description of protecting Apache systems from DoS (not DDoS) attacks. He even states that, "almost nothing will.." protect systems from DDoS attacks.
A good article. It shouldn't be criticised for inferred content that doesn't actually exist.