Closed pavel-odintsov closed 7 years ago
We could do this with https://github.com/h2o/picohttpparser
@pavel-odintsov any updates on implementing http flood detection?
Hello!
No, actually. For HTTP we need intrusive mode with full packet filtering. We are working with sampled packet capture (sFlow and NetFlow), and in this case we actually haven't any information about HTTP requests, or they are sampled at a very high rate.
We have this in the roadmap but without any ETA. If you need it so much we could discuss it in detail. My email: pavel.odintsov@gmail.com
I'm very interested in layer 7 DDoS attack detection, I'll write you soon.
I'm really interested in this one, too! I've given it some thought, and it might be the best idea to save HTTP requests into Elasticsearch. With something like YARA, maybe existing Snort rules, it would be possible to easily block known L7 tools? But that would be very static; and we need behaviour rules like: one IP is querying URL /search.php?q=[RANDOM] more than once per minute. Or is doing GET / HTTP/1.1, but never fetching any CSS. That's a lot harder to do.
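The two behaviour rules sketched in the comment above, as an added example that is not part of this thread or of FastNetMon's code: the access-log lines are constructed, and the `/search.php` path, the `q` parameter, the `.css` suffix and the once-per-minute threshold are taken from the comment as assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Constructed Common Log Format lines (not real traffic): one client hammering
# /search.php with random q values, one normal visitor, one fetching only "/".
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2016:13:55:01 +0000] "GET /search.php?q=ab12x HTTP/1.1" 200 512
10.0.0.5 - - [10/Oct/2016:13:55:02 +0000] "GET /search.php?q=kq93z HTTP/1.1" 200 512
10.0.0.5 - - [10/Oct/2016:13:55:04 +0000] "GET /search.php?q=p0o1l HTTP/1.1" 200 512
10.0.0.7 - - [10/Oct/2016:13:55:05 +0000] "GET / HTTP/1.1" 200 2048
10.0.0.7 - - [10/Oct/2016:13:55:05 +0000] "GET /static/site.css HTTP/1.1" 200 300
10.0.0.9 - - [10/Oct/2016:13:55:06 +0000] "GET / HTTP/1.1" 200 2048
10.0.0.9 - - [10/Oct/2016:13:55:07 +0000] "GET / HTTP/1.1" 200 2048
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \d+')

def parse_line(line):
    """Return (ip, timestamp, method, request-target) or None for unparsable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, _status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, target

def find_suspects(log_text, max_search_per_minute=1):
    """Apply both behaviour rules; returns {ip: [rule names that fired]}."""
    search_hits = defaultdict(set)   # (ip, minute) -> distinct q values seen
    fetched_root, fetched_css = set(), set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, when, method, target = rec
        url = urlsplit(target)
        if url.path == "/search.php":
            q = parse_qs(url.query).get("q", [""])[0]
            search_hits[(ip, when.replace(second=0, microsecond=0))].add(q)
        elif url.path == "/" and method == "GET":
            fetched_root.add(ip)
        elif url.path.endswith(".css"):
            fetched_css.add(ip)
    suspects = {}
    # Rule 1: more than N distinct /search.php?q=... values from one IP in one minute.
    for (ip, _minute), qs in search_hits.items():
        if len(qs) > max_search_per_minute:
            suspects.setdefault(ip, []).append("random-search-flood")
    # Rule 2: fetched "GET /" but never any stylesheet (a browser normally would).
    for ip in sorted(fetched_root - fetched_css):
        suspects.setdefault(ip, []).append("root-without-css")
    return suspects
```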
I see no reason to add L7 attacks to FastNetMon at this moment. Why? Because if you care about L7 mitigation you need to use some middle box (nginx? Tengine? HAProxy?) to pass all traffic over your equipment.
Transparent detection from a mirror is a complete waste of your time because you could not use BGP FlowSpec or BGP unicast to prevent such attacks.
You could still generate some filter rules and inject them into firewalls (maybe as an ipset), but I agree that it's better to implement it in the middle box. Thanks for the explanation.
It's too complicated to handle L7 attacks. More than 75% of the modern web is encrypted, so we could not do ipset either.
We should implement standalone HTTP flood monitoring software for in-place DDoS mitigation on heavily loaded web servers.
In addition, we could parse the SSL SNI.