DOS trace

Post by krauterz on Sat Nov 27, 2010 12:52 am

Hey guys.
My question is: if someone was to DoS a site, their IP would be recorded and traced, right? My question is, if the person who DoS'd changed their external IP address after the DoS attack, could they become untraceable?
krauterz
New User
Posts: 1
Joined: Sat Nov 27, 2010 12:50 am


Re: DOS trace

Post by Goatboy on Sat Nov 27, 2010 2:41 am

Not all websites are set up to log attacks. You could sit there and DoS them all day and they might not have any clue as to who did it. They might not even notice, if it's just you doing it (DoS vs DDoS). If they do have logging, that's all it would do: log you. I'm not aware of any logger that would automatically take counter-measures like that, but they might just drop all traffic coming from you. I've been thinking about a service that would attack back (maybe use metasploit to auto-attack, or use a botnet to DDoS you).

As for changing your IP, that would only work if they try to directly reach you. They could go as far as to report the attack and have ISPs report who did it, but that's unlikely to happen for a single attack.
Assume that everything I say is or could be a lie.
19JAW6GabFHqe9yD9rr26QL3W3V2pNitbD
Goatboy
Expert
Posts: 2863
Joined: Mon Jul 07, 2008 9:35 pm


Re: DOS trace

Post by thetan on Sat Nov 27, 2010 12:17 pm

Layer 7 DDoS/DoS are all the rage nowadays for the kiddies.

The main target for layer 7 DDoS/DoS are "old school" _shit ware_ servers that spawn 1 thread per connection (Apache, Shoutcast, IIS etc.). And the general attack vector exploits this "weakness" by simply starting an acceptable connection and just holding it open.

This is a relatively fast, easy, stealthy and hard-to-block way of taking down an entire machine. You see, it's typical for 1 thread to be allocated 8 MB of memory for stack space; this is better than older-school methods of forking the entire process in memory, however it's not good enough. An attacker can easily open 1000 slow HTTP POST requests to the server, use practically no bandwidth doing so and eat up a considerable amount of RAM on the server machine. Using non-blocking asynchronous IO, the attacker will not have to allocate 1 thread per connection and will have 1 thread managing all the thousands of spawned connections efficiently.

Regarding the HTTP slow POST layer 7 DDoS, Apache basically said "yeah we know, sucks huh, oh well" and Microsoft have said "well, we don't consider it a big enough deal".
- http://docs.google.com/viewer?a=v&q=cac ... XWY7mWB7cg

The only web servers that are safe from this specific layer 7 DDoS are ones that don't spawn 1 thread per connection, and are typically web servers that were spawned as an answer to the c10k problem, so they're non-blocking, asynchronous, event-driven servers like Nginx, Lighttpd, Cherokee, etc.

- http://blog.webfaction.com/a-little-holiday-present

Moral of the story: Stop using apache, it's shit and needs to die kthx
"If art interprets our dreams, the computer executes them in the guise of programs!" - SICP

“If at first, the idea is not absurd, then there is no hope for it” - Albert Einstein
thetan
Contributor
Posts: 657
Joined: Thu Dec 17, 2009 6:58 pm
Location: Various Bay Area Cities, California


Re: DOS trace

Post by Goatboy on Sat Nov 27, 2010 12:25 pm

Thetan, stop posting useful, informative, intelligent replies. You're making the rest of us look bad.
Assume that everything I say is or could be a lie.
19JAW6GabFHqe9yD9rr26QL3W3V2pNitbD
Goatboy
Expert
Posts: 2863
Joined: Mon Jul 07, 2008 9:35 pm


Re: DOS trace

Post by insomaniacal on Sat Nov 27, 2010 1:28 pm

Goatboy wrote: Thetan, stop posting useful, informative, intelligent replies. You're making the rest of us look bad.

+1.

/thread.
It's not who votes that counts, it's who counts the votes
insomaniacal.blog.com
insomaniacal
Addict
Posts: 1210
Joined: Sun May 24, 2009 10:21 am


Re: DOS trace

Post by alltheprettyhorses on Sat Nov 27, 2010 2:59 pm

Goatboy wrote: Thetan, stop posting useful, informative, intelligent replies. You're making the rest of us look bad.

God I enjoyed that.

Although, it does mean everyone else can enjoy blowtorching threads in the full knowledge that Thetan will arrive and pour ice-cold info all over it at some point anyway. Props to him.
"So this is how liberty dies; With thunderous applause..."
alltheprettyhorses
New User
Posts: 42
Joined: Sun Sep 05, 2010 10:17 am


Re: DOS trace

Post by mShred on Sun Nov 28, 2010 12:51 am

thetan wrote: Moral of the story: Stop using apache, it's shit and needs to die kthx

What would you suggest instead of apache? I'm not exactly big into all this web server stuff.
For those about to hack, I salute you.
teehee
mShred
Administrator
Posts: 1899
Joined: Tue Jun 22, 2010 4:22 pm


Re: DOS trace

Post by insomaniacal on Sun Nov 28, 2010 8:23 am

thetan wrote: The only web servers that are safe from this specific layer 7 DDoS are ones that don't spawn 1 thread per connection and are typically web servers that were spawned as an answer to the c10k problem so they're non-blocking, asynchronous, event driven servers like Nginx, Lighttpd, Cherokee, etc
It's not who votes that counts, it's who counts the votes
insomaniacal.blog.com
insomaniacal
Addict
Posts: 1210
Joined: Sun May 24, 2009 10:21 am


Re: DOS trace

Post by thetan on Sun Nov 28, 2010 1:35 pm

Basically you can't go wrong with any of the modern servers that were made to address the c10k problem ( http://www.kegel.com/c10k.html ). One of the key concepts behind them is simply non-blocking IO; however, modern servers that have taken it that far usually up the ante and, instead of using select() to cherry-pick file descriptors, they implement systems that take advantage of kernel-level notification systems like epoll (Linux), kqueue (FreeBSD and MacOS), /dev/poll (Solaris) etc. to scale better. The annoying part is that each operating system's back end for the notification system requires different code to be written. So instead most of these servers use libraries like libevent or libev, which is perfectly fine.

I tend to extensively use Nginx as my personal choice, mostly for performance and the availability of awesome modules for it. Also it's a plus that it has a reverse caching proxy in the core, so I don't have to put something like squid in front of it, and it can take advantage of the kernel-level sendfile().
"If art interprets our dreams, the computer executes them in the guise of programs!" - SICP

“If at first, the idea is not absurd, then there is no hope for it” - Albert Einstein
thetan
Contributor
Posts: 657
Joined: Thu Dec 17, 2009 6:58 pm
Location: Various Bay Area Cities, California
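As an added example (not thetan's code, and not any real server's), a constructed asyncio server that shows the defender's side of thetan's two posts: a single thread serves every connection through non-blocking IO, and a deadline on the request head turns a connection that is merely held open into a 408 and a closed socket rather than a thread and its stack sitting idle. The client function, the HEADER_TIMEOUT value and the response bodies are all constructed for this demo; the "slow" client is just a request head that is never completed.

```python
import asyncio

# Constructed demo (not from the thread): one thread, non-blocking IO, a
# deadline on receiving the request head, and a 408 for clients that dawdle.
HEADER_TIMEOUT = 1.0  # seconds a client gets to finish its request head

async def handle(reader, writer, stats):
    """Serve one connection; drop it if the head does not arrive in time."""
    try:
        await asyncio.wait_for(reader.readuntil(b"\r\n\r\n"), HEADER_TIMEOUT)
        stats["served"] += 1
        writer.write(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n"
                     b"Connection: close\r\n\r\nok")
    except asyncio.TimeoutError:
        stats["dropped"] += 1  # head never completed: free the connection
        writer.write(b"HTTP/1.1 408 Request Timeout\r\nConnection: close\r\n\r\n")
    except (asyncio.IncompleteReadError, asyncio.LimitOverrunError):
        stats["dropped"] += 1  # client went away or sent an oversized head
    finally:
        writer.close()
        await writer.wait_closed()

async def client(port, complete):
    """Constructed test client: either a full GET, or a request head that
    is never finished while the connection is simply held open."""
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    head = b"GET / HTTP/1.1\r\nHost: demo\r\n"
    writer.write(head + (b"\r\n" if complete else b""))
    await writer.drain()
    status = await reader.readline()  # first response line, or b"" on close
    writer.close()
    await writer.wait_closed()
    return status

async def run_demo(n_slow, n_good):
    stats = {"served": 0, "dropped": 0}
    server = await asyncio.start_server(
        lambda r, w: handle(r, w, stats), "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    async with server:
        flags = [True] * n_good + [False] * n_slow
        statuses = await asyncio.gather(*(client(port, f) for f in flags))
    return stats, statuses

def demo(n_slow=40, n_good=5):
    """Run the whole exchange on one event loop and return the outcome."""
    return asyncio.run(run_demo(n_slow, n_good))

if __name__ == "__main__":
    print(demo())
```

Every connection, served or dropped, is handled by the same event loop; the held-open ones cost a socket and a small buffer for HEADER_TIMEOUT seconds, not a thread for as long as the client cares to wait.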


Re: DOS trace

Post by MimoMarim on Sun Nov 28, 2010 11:29 pm

Nice info thetan, thanks for posting =)
MimoMarim
New User
Posts: 4
Joined: Thu Nov 25, 2010 7:44 am
