Hello I have been trying to solve a big problem for the last 2 weeks with one of our servers (apache 2.2 , windows, php). The client using our system is a contact center firm. They have about 120 operators, all connect to our websever with the same IP, their outgoing IP. We have been suffering DoS attacks from some of these operators. These are simple, browser attacks , namely 5 or 10 operators will just hold F5 key and bombard the server with requests when they shouldnt. There is very little we can do to improve performance of these specific url's the attackers are using. This is a software, not a public portal, so a lot of screens have a good amount of processing and real time querying in them. We did manage to produce a php protection which will recognize the multiple requests and blacklist the user. We use the user ID in the system to control who should be blacklisted, so this is all dependent on our own authentication. It works like this : - user logs in our software, we write his ID in a cookie - a control file is created using that ID as the unique key - from there we control if he's hitting the same url repeatedly, if the cookie exists - after x requests on the same url, the script will die, and a message will be displayed. - the control cookie is erased when the users logoff or after a 24 hours lifetime This works to some extent, but it?s a little "too late" since the request have already been sent and processed by the webserver. Even after trimming down the request to a bare minimum, its still a php request that will be enqueued and normally processed by the handler. So, the attackers now have to "hold F5" for a much longer time, but they are still keen to doing it anyhow. Ideally, we need something EXACTLY like mod_evasive, but for rejecting single requests instead of blocking the IP. Exemplifying : if a user calls the same url, 5 times, in a 3 second spawn, we will reject every next request for 30 seconds, but only the requests by that user. Also, we can only work with apache on windows so far, but linux only solutions are also of interest if there are any. Any help, suggestion or idea how to brain storm this issue is greatly appreciated. --- Este email está limpo de vírus e malwares porque a proteção do avast! Antivírus está ativa. http://www.avast.com --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|