Re: Re: throttling IP addresses


There may not be a simple single solution for you.

Iptables can be used to restrict packets that are coming in at an excessively high rate.

Snort can be used to detect and manage intrusion attempts.

~Sent from my Huawei H1511~

On Feb 2, 2016 8:48 AM, "George Genovezos" <George.Genovezos@xxxxxxxxxx> wrote:
Yes,

I am referring to an external firewall.

So the idea is to use the web server to proxy external traffic and place an IP hit counter, that would throttle a DDOS attack. Even with a unix firewall, we still need a way to identify the threat and update the firewall. Do you have any thoughts on that?

Thanks


George Genovezos
Application Security Architect
CISSP, ISSAP, CIFI

Copart

On 2/1/16, 6:04 PM, "Richard" <lists-apache@xxxxxxxxxxxxxxxxxxxxx> wrote:

>Are you referring to a 3rd-party firewall in front of the machine or
>the OS's firewall? Most *nix system (built-in) firewalls that I've
>dealt with have a lot of granularity and capabilities. They can
>certainly do IP-specific (or range) blocks on one (or all) ports
>and some can do the throttling for you. That's what I've used when
>I've needed to deal with issues like yours. Changing a web server
>response to a 403 doesn't have all that much effect if you're
>dealing with high-volume traffic.
>
>
>> Date: Monday, February 01, 2016 22:07:45 +0100
>> From: Luca Toscano <toscano.luca@xxxxxxxxx>
>>
>> Hi George,
>>
>> I would also check mod_qos for your use case!
>>
>> Luca
>> On 01 Feb 2016 22:00, "George Genovezos"
>> <George.Genovezos@xxxxxxxxxx> wrote:
>>
>>> Richard,
>>>
>>> I would agree with you that a more elegant solution is required.
>>> Unfortunately the firewall will only block or allow a particular
>>> port.
>>>
>>> The correct solution would be to implement an IPS solution in
>>> front of a firewall, but we're in the do more with less phase.
>>>
>>>
>>> George Genovezos
>>> Application Security Architect
>>> CISSP, ISSAP, CIFI
>>>
>>> Copart
>>>
>>> On 2/1/16, 2:27 PM, "Richard"
>>> <lists-apache@xxxxxxxxxxxxxxxxxxxxx> wrote:
>>>
>>> >
>>> >
>>> >> Date: Monday, February 01, 2016 19:52:51 +0000
>>> >> From: George Genovezos <George.Genovezos@xxxxxxxxxx>
>>> >>
>>> >> Hi,
>>> >>
>>> >> I’m hoping someone can help with a problem I’m having. I
>>> >> need a basic Ddos mitigation tool. Basically, either
>>> >> throttling back certain IP addresses or blocking access after
>>> >> too many connections per second.
>>> >>
>>> >> I know mod_evasive did this but the project, to my knowledge, is
>>> >> deprecated.
>>> >>
>>> >> So to draw this out, I want a web server to count the number of
>>> >> connections per second, and if an IP breaches this limit to
>>> >> either throttle or block the connection. Then I want to use
>>> >> mod_proxy to reverse proxy that clean connection to my web
>>> >> servers.
>>> >>
>>> >> Any feedback would be greatly appreciated.
>>> >>
>>> >> George Genovezos
>>> >> Application Security Architect
>>> >> CISSP, ISSAP, CIFI
>>> >>
>>> >> Copart
>>> >
>>> > In my view, doing this at the web server is rather late in the
>>> > game. If I'm reading the mod_evasive documentation correctly,
>>> > all it (or something similar) does is stop serving content and
>>> > return 403s. If your content is resource expensive to deliver
>>> > that will help some, but you're still going to get all the
>>> > requests hitting the web server and you're still going to be
>>> > responding to them.
>>> >
>>> > The better place to address this is at your system's firewall.
>>> > Depending on your system, you likely have firewall tools that
>>> > can provide a more robust solution.
>>> >
>>> >
>>> >
>>> > ---------------------------------------------------------------------
>>> > To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>>> > For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>>> >
>>>
>
>------------ End Original Message ------------
>
>
>
>
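
Added example (not part of the thread and not any poster's code): one way to do the "identify the threat and update the firewall" step asked about above, by counting hits per client IP in a sliding window over access-log lines and rendering ipset commands for the offenders. The threshold, window, sample log lines and the ipset set name "throttle" are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Common/combined log format prefix: client IP, identd, user, [timestamp]
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def find_offenders(lines, max_hits=5, window_s=1):
    """Return {ip: peak_hits} for clients with more than max_hits requests
    inside any sliding window of window_s seconds (lines in time order)."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue              # skip malformed lines instead of crashing
        ip, raw_ts = m.groups()
        try:
            ts = datetime.strptime(raw_ts, TS_FMT).timestamp()
        except ValueError:
            continue              # unparseable timestamp
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] >= window_s:
            q.popleft()           # drop hits that fell out of the window
        if len(q) > max_hits:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

def block_commands(peaks, set_name="throttle", timeout_s=600):
    """Render ipset commands. set_name is hypothetical; the set is assumed
    to exist with timeout support and to be matched by a firewall rule."""
    return [f"ipset add {set_name} {ip} timeout {timeout_s}" for ip in sorted(peaks)]

def sample_lines():
    # Constructed sample: one client sends 8 requests in a second, another 2.
    lines = [f'203.0.113.9 - - [02/Feb/2016:08:48:01 +0000] "GET /?{i} HTTP/1.1" 200 512'
             for i in range(8)]
    lines += [f'198.51.100.7 - - [02/Feb/2016:08:48:0{s} +0000] "GET / HTTP/1.1" 200 512'
              for s in (1, 2)]
    lines.append("not a log line")
    return lines

if __name__ == "__main__":
    for cmd in block_commands(find_offenders(sample_lines())):
        print(cmd)
```

The timed ipset entries expire on their own, so a client that stops flooding is unblocked without a second pass.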
