Comment by SXX
8 years ago
Sending out character per second would mean that you'll keep connection open for long time and even if your server is behind CDN this would eventually let attacker exhaust your resources.
8 years ago
Sending out character per second would mean that you'll keep connection open for long time and even if your server is behind CDN this would eventually let attacker exhaust your resources.
Think this through.
If a large number of hosts treats some behaviour as deserving a slow-service attack, then clients exhibiting that behaviour are faced with a large set of slow-serving servers.
Any given server can monitor how many slow-service attacks it is currently providing. Given that a criterion for an SSA is having already determined that the connection is not a friendly one, then monitoring useful vs. useless (e.g., SSA) connections, and being prepared to terminate (or better: simply abandon) the SSA connections as normal traffic ramps up, is a net benefit.
Meantime, the hostile clients are faced by a pervasive wall of mud, slowing their access.
If this monitoring and priorities already implemented within software that handle SSA that's okay, but using some custom untested trickery is simply dangerous.
This is why I want to point out that simply serving content with delay and increasing number of active connections create additional attack vector that more dangerous than script kiddies scanner was in first place.
An open connection with no communication going on does not take away a lot of resources, it's just some values in some table maintained by the TCP stack. If you implement that slow down service event based so it can handle a lot of concurrent connections it should not take away much resources either. In the end you can always limit the amount of connections you treat that way to a value your system can easily bear.
This was exactly what I did for a while, and I was able to tie up tens or hundreds of SPAMmer connections without hurting myself, on quite a small mail server.