NightStorm
Jan 18 2005, 02:30 AM
I have read through the TippingPoint whitepapers, and notice that it mentions httpd floods as a type of DDoS attack that it can detect and prevent.
Is this true, and does it actually prevent httpd-based attacks on our servers (massive GET requests sent by zombie bots to overload http/MySQL)?
I'd like to hear from someone at Ev1 about this, but don't want to waste their time with opening a ticket.
eth00
Jan 18 2005, 06:37 AM
That is more of what the Fireslayer does. TippingPoint, from my understanding, is a packet filter that looks for "bad" packets. It normally looks for packets that contain code that might damage your server. The big example for this is something like the phpBB worms, which are now filtered completely out from dc2. Any packet that looks like one of the worms is not allowed on to the network.
NightStorm
Jan 18 2005, 07:38 AM
Fireslayer is useless for httpd attacks... it reads them as legitimate traffic and lets them pass through.
And mod_dosevasive is useless for real ones, because when you get 1000+ bots querying a php/SQL driven page 50 times each in the period of 30 seconds, it's not enough to trip a flood block, but IS enough to cause enough server load to bring everything to a grinding halt.
Which is why I was excited to see the TippingPoint whitepapers discussing httpd DDoS attacks.
Oh well, at least I managed to get my one priority attacker busted by the FBI... he's currently sitting in his parents' house with no computer of his own, nor a computer of theirs anymore, patiently awaiting his conviction (forensics have apparently completed going through the hard drives, and have built a solid case against him). Maybe that will be deterrent enough to keep other morons from launching an attack on us, since it shows that we work with the FBI to get them busted, and that it really does get them in trouble.
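The scenario NightStorm describes above (1000+ bots each hitting a PHP/SQL page 50 times in 30 seconds, each one staying under a per-client flood threshold while the total load still overwhelms the server) can be reproduced against a log file. The following is an added example, not code from this thread and not part of mod_dosevasive, TippingPoint or the Fireslayer: it builds a constructed Apache "combined" access log with that traffic pattern, then runs a per-IP sliding-window check of the kind mod_dosevasive performs and a per-URL aggregate check across all clients. The bot IP ranges, the forum paths and both thresholds (20 hits per page per IP in 10 s; 300 req/s to one dynamic page site-wide) are assumptions chosen for the demo.

```python
"""Per-client rate limiting versus a distributed HTTP flood.

Added example, not code from the thread.  Builds a constructed Apache
access log in which many bots each hit a dynamic page at a modest rate,
then runs two detectors over it: a per-IP sliding-window check in the
spirit of mod_dosevasive, and a per-URL aggregate check.  Thresholds,
IP ranges and paths are assumptions made for the demo.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache "combined" log format, with the request line split into method/path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def build_log(bots=1000, hits_per_bot=50, duration_s=30):
    """Constructed sample log: every bot requests the same PHP/SQL page
    hits_per_bot times spread over duration_s seconds (about 1.7 req/s),
    plus a handful of requests from one ordinary visitor."""
    base = datetime(2005, 1, 18, 2, 30, 0, tzinfo=timezone.utc)
    spacing = duration_s / hits_per_bot
    lines = []
    for b in range(bots):
        ip = f"10.{(b >> 8) & 255}.{b & 255}.7"          # constructed bot address
        for k in range(hits_per_bot):
            t = base + timedelta(seconds=k * spacing + (b % 10) * 0.06)
            lines.append(
                f'{ip} - - [{t.strftime(TS_FMT)}] '
                f'"GET /forum/viewtopic.php?t={b % 500} HTTP/1.0" 200 18234 '
                f'"-" "Mozilla/4.0"'
            )
    human_clicks = ["/forum/index.php", "/forum/viewtopic.php?t=1",
                    "/forum/viewtopic.php?t=1", "/forum/index.php",
                    "/forum/viewtopic.php?t=2", "/forum/index.php"]
    for k, path in enumerate(human_clicks):
        t = base + timedelta(seconds=4 * k)               # one click every few seconds
        lines.append(f'192.0.2.10 - - [{t.strftime(TS_FMT)}] '
                     f'"GET {path} HTTP/1.1" 200 9120 "-" "Mozilla/5.0"')
    return lines


def parse_log(lines):
    """Parse to (timestamp, ip, path-without-query) tuples, sorted by time."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                      # skip unparseable lines
        ts = datetime.strptime(m["ts"], TS_FMT)
        events.append((ts, m["ip"], m["path"].split("?", 1)[0]))
    events.sort()
    return events


def per_ip_flood(events, window_s, max_hits):
    """mod_dosevasive-style check: flag any client that requests the same
    page more than max_hits times inside a window_s-second sliding window."""
    flagged = set()
    recent = defaultdict(deque)                           # (ip, path) -> timestamps
    window = timedelta(seconds=window_s)
    for ts, ip, path in events:
        q = recent[(ip, path)]
        q.append(ts)
        while ts - q[0] >= window:
            q.popleft()
        if len(q) > max_hits:
            flagged.add(ip)
    return flagged


def per_url_flood(events, window_s, max_hits):
    """Aggregate check: flag a path whose request count across *all* clients
    exceeds max_hits in any window_s-second window; returns path -> peak."""
    peaks = {}
    recent = defaultdict(deque)                           # path -> timestamps
    window = timedelta(seconds=window_s)
    for ts, _ip, path in events:
        q = recent[path]
        q.append(ts)
        while ts - q[0] >= window:
            q.popleft()
        if len(q) > max_hits:
            peaks[path] = max(peaks.get(path, 0), len(q))
    return peaks


if __name__ == "__main__":
    events = parse_log(build_log())
    # Assumed per-IP limit: 20 hits on one page within 10 s, loose enough not
    # to block a real user hammering "refresh".  No bot ever trips it.
    print("per-IP offenders:", per_ip_flood(events, window_s=10, max_hits=20))
    # Assumed site-wide limit for a dynamic page: 300 req/s.  The same traffic
    # goes straight through it, which is the load the server actually feels.
    print("per-URL floods:", per_url_flood(events, window_s=1, max_hits=300))
```

Each bot lands at most 17 requests on the page in any 10-second span, so the per-IP check returns an empty set, while the aggregate check sees well over a thousand requests per second to /forum/viewtopic.php and nothing unusual on /forum/index.php. The point is not that the second threshold is magic (a legitimate traffic spike would trip it too) but that a limit keyed on the source address cannot, by construction, see a flood whose whole design is to stay below that limit per source.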
alex.davies
Jan 18 2005, 09:53 AM
NightStorm, glad that you got him busted! I did not realise that there were very many success stories from the FBI.
How much of a pain was it for you to deal with?
Alex
NightStorm
Jan 18 2005, 10:18 AM
Other than Ev1 unplugging us twice, and their abuse department not contacting the FBI agent the first 3 times we asked them?
Wasn't really all that "painful"... just had to send a lot of logs, and keep on it until results were produced. Our agent said that most of the people who *could* be charged usually aren't, not because the FBI doesn't press the issue, but because the person(s) being attacked usually stop providing stuff, and simply give up on it.