VULNERABILITY ANALYSIS OF WEB SERVERS IN REFERENCE TO DENIAL-OF-SERVICE ATTACKS
PDF (Polish)

Keywords

DDoS
security
protect
the vulnerability of web servers
Apache
IIS

Abstract

The article is addressed primarily to those involved in the security of web servers. The work begins with a statistical overview of the problem of DDoS attacks. The authors emphasize the difficulty of protecting servers against rapidly evolving denial-of-service attacks. The study analyzed the resistance of the basic configurations of today's most popular web servers. For the study, we developed a virtual test environment in which the vulnerability of selected sites was examined. The aim of this analysis is to identify and discuss the fundamental vulnerabilities of Apache and IIS. For each of the web servers, the authors implemented basic protection mechanisms. The article is addressed to people involved in the analysis and the security of web servers.

https://doi.org/10.7862/re.2016.8
