knightmb (Everybody Lies) | join: 2003-12-01 | Franklin, TN | reply to quetwo
Re: should have seen it coming... Yeah, it's Slowloris and it's real easy to guard against. Limit your TCP connections from the usual default of 2.5 hours to something a little better, like 300 seconds.
Slowloris works on the principle that web servers are "nice" and will keep your connections open for you, except it just sends data at around 1 bps so that the web server keeps it open, then it just opens another connection and then another, eventually just filling up all 65535 connections.
Another easy way to prevent this: don't allow unlimited connection sessions from a single IP.
-- Fight Insight Ready (Was NebuAD) and the like: Click Here to pollute their data
patcat88 | join: 2002-04-05 | Jamaica, NY | kudos: 1
said by knightmb: Another easy way to prevent this, don't allow unlimited connection sessions from a single IP
What about ISPs in countries that weren't well endowed with IPs, where the major ISPs all NAT 1000s or 10000s of users behind 1 IP? What about AOL users behind the AOL proxy?
knightmb (Everybody Lies) | join: 2003-12-01 | Franklin, TN
said by patcat88: (said by knightmb: Another easy way to prevent this, don't allow unlimited connection sessions from a single IP) What about ISPs in countries that weren't well endowed with IPs, where the major ISPs all NAT 1000s or 10000s of users behind 1 IP? What about AOL users behind the AOL proxy?
Tough love, I'm afraid. The key word is no "unlimited" sessions; even allowing 1,000 would allow all of these people to use it and still keep your web server from drowning in slow connections.
The worst that would happen is people from that ISP would be unable to connect, and at least then the firewall logs would reveal where the attack is coming from.
-- Fight Insight Ready (Was NebuAD) and the like: Click Here to pollute their data
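The two defences discussed in this thread (a short timeout that sheds trickling requests, and a per-IP cap high enough for NAT'd ISPs but low enough to bound the damage) can be expressed as a small policy over a server's connection table. The following is an added illustration, not code from any poster or from a real web server: the connection snapshot is constructed, and the thresholds are assumptions a practitioner would tune.

```python
from dataclasses import dataclass

@dataclass
class Conn:
    conn_id: int
    ip: str
    opened_at: float       # epoch seconds when the socket was accepted
    bytes_received: int    # request bytes read so far
    request_complete: bool # headers (and body) fully received

# Assumed thresholds: a 300 s cap as the thread suggests, a minimum inbound rate
# so 1 bps trickles are dropped, a grace period for slow-starting clients, and a
# per-IP cap of 1,000 so a carrier-grade NAT is not locked out.
MAX_CONN_AGE = 300.0
MIN_RATE_BPS = 64.0
GRACE_SECS = 10.0
MAX_PER_IP = 1000

def slow_connections(conns, now, max_age=MAX_CONN_AGE,
                     min_rate=MIN_RATE_BPS, grace=GRACE_SECS):
    """Ids of unfinished requests that are too old or arriving too slowly."""
    victims = []
    for c in conns:
        if c.request_complete:
            continue                      # a finished request is not a Slowloris slot
        age = now - c.opened_at
        if age > max_age:
            victims.append(c.conn_id)     # hard cap, regardless of rate
        elif age > grace and c.bytes_received / age < min_rate:
            victims.append(c.conn_id)     # past the grace period and still trickling
    return victims

def over_limit_ips(conns, max_per_ip=MAX_PER_IP):
    """Source IPs holding more open connections than the per-IP cap allows."""
    counts = {}
    for c in conns:
        counts[c.ip] = counts.get(c.ip, 0) + 1
    return {ip for ip, n in counts.items() if n > max_per_ip}

def sample_snapshot():
    """Constructed connection table (not real traffic); 'now' is 1000.0 s."""
    now = 1000.0
    conns = [Conn(i, "10.0.0.9", now - 120, 15, False) for i in range(1, 6)]  # trickling
    conns.append(Conn(6, "10.0.0.9", now - 400, 50, False))                   # simply too old
    conns += [Conn(10 + i, "198.51.100.7", now - 2, 200, False) for i in range(3)]  # NAT users, just started
    conns.append(Conn(20, "198.51.100.7", now - 400, 900, True))              # finished, ignored
    conns.append(Conn(30, "203.0.113.5", now - 30, 5000, False))              # slow but healthy upload
    return conns, now
```

Run against the sample, the six attacker sockets are flagged while the NAT'd users and the legitimate slow upload survive; the per-IP check only fires when the cap is lowered below the attacker's six connections.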