Yes, I am referring to an external firewall. So the idea is to use the web server to proxy external traffic and place an IP hit counter that would throttle a DDoS attack. Even with a Unix firewall, we still need a way to identify the threat and update the firewall. Do you have any thoughts on that?

Thanks

George Genovezos
Application Security Architect
CISSP, ISSAP, CIFI

Copart

On 2/1/16, 6:04 PM, "Richard" <lists-apache@xxxxxxxxxxxxxxxxxxxxx> wrote:

>Are you referring to a 3rd-party firewall in front of the machine or
>the OS's firewall? Most *nix system (built-in) firewalls that I've
>dealt with have a lot of granularity and capabilities. They can
>certainly do IP-specific (or range) blocks on one (or all) ports,
>and some can do the throttling for you. That's what I've used when
>I've needed to deal with issues like yours. Changing a web server
>response to a 403 doesn't have all that much effect if you're
>dealing with high-volume traffic.
>
>
>> Date: Monday, February 01, 2016 22:07:45 +0100
>> From: Luca Toscano <toscano.luca@xxxxxxxxx>
>>
>> Hi George,
>>
>> I would also check mod_qos for your use case!
>>
>> Luca
>> On 1 Feb 2016 22:00, "George Genovezos"
>> <George.Genovezos@xxxxxxxxxx> wrote:
>>
>>> Richard,
>>>
>>> I would agree with you that a more elegant solution is required.
>>> Unfortunately the firewall will only block or allow a particular
>>> port.
>>>
>>> The correct solution would be to implement an IPS solution in
>>> front of a firewall, but we're in the do-more-with-less phase.
>>>
>>>
>>> George Genovezos
>>> Application Security Architect
>>> CISSP, ISSAP, CIFI
>>>
>>> Copart
>>>
>>> On 2/1/16, 2:27 PM, "Richard"
>>> <lists-apache@xxxxxxxxxxxxxxxxxxxxx> wrote:
>>>
>>> >
>>> >
>>> >> Date: Monday, February 01, 2016 19:52:51 +0000
>>> >> From: George Genovezos <George.Genovezos@xxxxxxxxxx>
>>> >>
>>> >> Hi,
>>> >>
>>> >> I'm hoping someone can help with a problem I'm having. I
>>> >> need a basic DDoS mitigation tool. Basically, either
>>> >> throttling back certain IP addresses or blocking access after
>>> >> too many connections per second.
>>> >>
>>> >> I know mod_evasive did this, but the project, to my knowledge, is
>>> >> deprecated.
>>> >>
>>> >> So to draw this out, I want a web server to count the number of
>>> >> connections per second, and if an IP breaches this limit, to
>>> >> either throttle or block the connection. Then I want to use
>>> >> mod_proxy to reverse proxy that clean connection to my web
>>> >> servers.
>>> >>
>>> >> Any feedback would be greatly appreciated.
>>> >>
>>> >> George Genovezos
>>> >> Application Security Architect
>>> >> CISSP, ISSAP, CIFI
>>> >>
>>> >> Copart
>>> >
>>> > In my view, doing this at the web server is rather late in the
>>> > game. If I'm reading the mod_evasive documentation correctly,
>>> > all it (or something similar) does is stop serving content and
>>> > return 403s. If your content is resource-expensive to deliver,
>>> > that will help some, but you're still going to get all the
>>> > requests hitting the web server and you're still going to be
>>> > responding to them.
>>> >
>>> > The better place to address this is at your system's firewall.
>>> > Depending on your system, you likely have firewall tools that
>>> > can provide a more robust solution.
>>> >
>>> >
>>> >
>>> > ---------------------------------------------------------------------
>>> > To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>>> > For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>>> >
>>> >
>------------ End Original Message ------------
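The piece George is asking for, an IP hit counter on the proxy that identifies an abusive client and pushes the block down to the firewall, as an added example that is not code from any poster in this thread. It reads Apache common-format access-log lines, keeps a sliding per-IP request count, and emits the `ipset` command that adds the offender to a kernel-level block set for a limited time. The set name `http_abusers`, the thresholds, the whitelist and the sample log lines are all constructed for illustration.

```python
"""Per-IP request-rate watcher that turns web-server log evidence into
firewall updates.  Added example for this thread, not code from any of the
posters; the ipset set name, thresholds and sample log lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "common" log format: client, ident, user, [time], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
IPSET_NAME = "http_abusers"  # assumed to exist: ipset create http_abusers hash:ip timeout 600


def parse_line(line):
    """Return (client_ip, timestamp) for a common-format log line, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


class RateWatcher:
    """Sliding-window counter: more than max_hits requests from one IP inside
    window_seconds puts that IP into the ipset for block_seconds."""

    def __init__(self, max_hits=5, window_seconds=1, block_seconds=10,
                 whitelist=("127.0.0.1",)):
        self.max_hits = max_hits
        self.window = timedelta(seconds=window_seconds)
        self.block_seconds = block_seconds
        self.whitelist = set(whitelist)       # monitoring hosts you never want blocked
        self.hits = defaultdict(deque)        # ip -> timestamps still inside the window
        self.blocked = {}                     # ip -> when the ipset entry times out

    def observe(self, ip, ts):
        """Record one request; return the firewall command to run, or None."""
        if ip in self.whitelist:
            return None
        expiry = self.blocked.get(ip)
        if expiry is not None:
            if ts < expiry:
                return None               # already in the set, don't re-issue the command
            del self.blocked[ip]          # ipset timeout has removed it; count afresh
        q = self.hits[ip]
        q.append(ts)
        cutoff = ts - self.window
        while q and q[0] < cutoff:        # drop hits that fell out of the window
            q.popleft()
        if len(q) <= self.max_hits:
            return None
        self.blocked[ip] = ts + timedelta(seconds=self.block_seconds)
        q.clear()
        # -exist: adding an address that is already in the set is not an error
        return f"ipset add {IPSET_NAME} {ip} timeout {self.block_seconds} -exist"

    def blocked_ips(self, ts):
        """Addresses whose block has not yet timed out at time ts."""
        return {ip for ip, exp in self.blocked.items() if ts < exp}


def firewall_updates(lines, **kw):
    """Run the watcher over log lines; return the commands it would hand to the firewall."""
    watcher = RateWatcher(**kw)
    commands = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # skip unparsable lines rather than crashing on them
        cmd = watcher.observe(*parsed)
        if cmd:
            commands.append(cmd)
    return commands


def _line(ip, second, path):
    return f'{ip} - - [01/Feb/2016:22:00:{second:02d} +0000] "GET {path} HTTP/1.1" 200 512'


# Constructed sample: one flooding client, one normal client, local monitoring, one garbage line.
SAMPLE_LOG = (
    [_line("203.0.113.5", 0, "/") for _ in range(8)]               # 8 hits in one second: flood
    + [_line("198.51.100.7", 0, "/index.html"), _line("198.51.100.7", 1, "/style.css")]
    + [_line("127.0.0.1", 1, "/server-status") for _ in range(8)]  # whitelisted, never blocked
    + [_line("203.0.113.5", 1, "/") for _ in range(8)]             # still flooding, already in the set
    + ["this line is not a log entry"]
    + [_line("203.0.113.5", 20, "/") for _ in range(8)]            # 10 s block has expired: re-add
)

if __name__ == "__main__":
    for cmd in firewall_updates(SAMPLE_LOG):
        print(cmd)
```

The emitted commands assume the set and a matching rule were created once at boot, for example `ipset create http_abusers hash:ip timeout 600` followed by `iptables -I INPUT -m set --match-set http_abusers src -j DROP`; after that, packets from a listed address are dropped in the kernel and never reach Apache, which is the difference from a 403 that Richard points out. Two caveats worth keeping in mind: the counter only sees requests that were accepted and logged, so it helps against HTTP floods but does nothing for SYN floods or plain bandwidth exhaustion, and if the counting host sits behind another proxy, the logged address is that proxy's and blocking it takes everyone out. If throttling rather than blocking is wanted, the firewall can do that part itself with iptables' `hashlimit` match (`-m hashlimit --hashlimit-mode srcip --hashlimit-above 30/sec --hashlimit-name http -j DROP`); and if one stays with mod_evasive, its `DOSSystemCommand` directive, with `%s` replaced by the blacklisted address, is the same hook for running the `ipset add` command.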