Re: how to detect DDoS attack through HTTP response analysis(throuput)

[coderman <coderman () gmail com>]

2011/6/29 김무성 <kimms () infosec co kr>:
> You don't understand my question.
>
> I'm studying and researching about solution of DDoS detection through
> analysis of HTTP responses...


i implied that this is less than useful on actual systems than in theory / lab.

if you want to gather useful details you need to instrument analysis
of HTTP requests/responses individually - just culling logs or
counting netflows won't cut it.

for example, measuring long requests at a front-end proxy (haproxy,
nginx, other) separate from measuring the application request/response
relayed to backend. measuring SSL session establishment, resumption
separate from HTTP requests within that session. measuring TCP
congestion control over which HTTP requests are sent. etc, etc...

the list of papers / sources covering large-scale network and
application performance tuning for the web is too large to list here.
good luck!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/