Hey guys.. My Apache was hit with a DoS attack, where the attacker was opening connections to the server and not sending any data. It quickly reached the MaxClients limit and prevented any further connections to the server. The Server Status was filled with lines like this: 7-2 4039 0/8/8 R 0.01 3 25 0.0 0.01 0.01 ? ? ..reading.. ..and the apache log with lines like this: 87.10.176.44 - - [28/May/2006:17:26:24 +0000] "-" 408 - "-" "-" For some reason, Apache isn't listing the IP of the connection in Server Status until that connection actually makes a request. Anyone know why? Anyways, I tried mod_choke's functionality for limiting multiple connections from the same IP. That didn't help.. I suspect mod_choke doesn't activate until a request is received through the connection, so this script can dodge it by opening connections, not requesting anything, and keeping them open until they time out. mod_evasive was similarly unhelpful. I managed to stop the attack by setting IP bans at the firewall, but that doesn't actually solve the core problem. Anyone have any suggestions? --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|