Detecting distributed attacks

davidmuscut · 2014-12-12T15:24:37+00:00

Hello! On Thu, Dec 18, 2014 at 2:02 PM, Daurnimator wrote: > This is surprising to me: > I would have suspected '-s reload' to only exit once the relo...

Detecting distributed attacks

davidmuscut

I want to detect obvious changes to general request velocity for a given URI, for example if global login attempts are normally made 15 times per minute and that jumps to 100 times per minute I want to get notified. Is there a way to implement this within Openresty without adding latency to requests? What is the best way to implement this?

thank you,

David

lazy.dogtown

hi david,


2014-12-12 8:24 GMT+01:00  <david...@gmail.com>:
> I want to detect obvious changes to general request velocity for a given
> URI, for example if global login attempts are normally made 15 times per
> minute and that jumps to 100 times per minute I want to get notified. Is
> there a way to implement this within Openresty

it could be done by using lua + redis + some scripting.

> without adding latency to
> requests? What is the best way to implement this?
>

it depends on what you want to do/know. from my experience in
comparing actual vs avg - events you'll need some learning -phase
to see what is normal, what is normal "noise" - peaks.
and then you'd want to de-couple the generation of your avg-values
and process the actual request-level by running a small script from cron.
so your nginx does just the logging (not much latency)
and your script does the processing and analytics and alarming.



cheers,

mex

lazy.dogtown

talking about normal noise peaks:

https://imgur.com/LrqmH2C

this is the daily attack-level on one of our wafs,
and the normal noise ranges from 500 events/day to 1500 events/day




2014-12-12 8:47 GMT+01:00 mex <lazy....@gmail.com>:
> hi david,
>
>
> 2014-12-12 8:24 GMT+01:00  <david...@gmail.com>:
>> I want to detect obvious changes to general request velocity for a given
>> URI, for example if global login attempts are normally made 15 times per
>> minute and that jumps to 100 times per minute I want to get notified. Is
>> there a way to implement this within Openresty
>
> it could be done by using lua + redis + some scripting.
>
>> without adding latency to
>> requests? What is the best way to implement this?
>>
>
> it depends on what you want to do/know. from my experience in
> comparing actual vs avg - events you'll need some learning -phase
> to see what is normal, what is normal "noise" - peaks.
> and then you'd want to de-couple the generation of your avg-values
> and process the actual request-level by running a small script from cron.
> so your nginx does just the logging (not much latency)
> and your script does the processing and analytics and alarming.
>
>
>
> cheers,
>
> mex