Re: [users@httpd] need help fighting DoS attack on Apache

Hi Sergey,

mod_evasive could be a module for you in this case. 

"Detection is performed by creating an internal dynamic hash table of IP Addresses and URIs, and denying any single IP address from any of the following:
    * Requesting the same page more than a few times per second
    * Making more than 50 concurrent requests on the same child per second
    * Making any requests while temporarily blacklisted (on a blocking list) "

It is running on 1.3 or 2.x
http://www.nuclearelephant.com/projects/mod_evasive/

Greetings

Oliver


-----Original Message-----
From: Sergey Tsalkov [mailto:flightsimguy@xxxxxxxxx]
Sent: Sun 28.05.2006 19:50
To: users@xxxxxxxxxxxxxxxx
Subject: [users@httpd] need help fighting DoS attack on Apache
 
Hey guys.. My Apache was hit with a DoS attack, where the attacker was
opening connections to the server and not sending any data. It quickly
reached the MaxClients limit and prevented any further connections to
the server.

The Server Status was filled with lines like this:
7-2	4039	0/8/8	R 	0.01	3	25	0.0	0.01	0.01 	?	?	..reading..

and the apache log with lines like this:
87.10.176.44 - - [28/May/2006:17:26:24 +0000] "-" 408 - "-" "-"

For some reason, Apache isn't listing the IP of the connection in
Server Status until that connection actually makes a request. Anyone
know why?

Anyways, I tried mod_choke's functionality for limiting multiple
connections from the same IP. That didn't help.. I suspect mod_choke
doesn't activate until a request is received through the connection,
so this script can dodge it by opening connections, not requesting
anything, and keeping them open until they time out. mod_evasive was
similarly unhelpful.

I managed to stop the attack by setting IP bans at the firewall, but
that doesn't actually solve the core problem.

Anyone have any suggestions?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
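
The log signature quoted in the message above (an empty request "-" logged with status 408) can be counted per client address to find sources that hold connections open without sending a request. This is an added example, not code from the thread or from the Apache project; the function names, threshold and window are assumptions, and the sample log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common/combined log prefix: client, identd, user, [time], "request", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def is_idle_timeout(req, status):
    """True for a connection that timed out before sending any request line."""
    return req == "-" and status == "408"


def find_idle_connection_sources(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: peak_count} for clients whose idle-timeout entries reach
    `threshold` inside any sliding `window` (hypothetical defaults).
    Entries for one client are assumed to appear in time order."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_idle_timeout(m["req"], m["status"]):
            continue  # unparsable line, or a normal request
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop entries older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[m["ip"]] = max(peaks.get(m["ip"], 0), len(q))
    return peaks


# Constructed sample log using documentation-range addresses (not from the thread).
SAMPLE_LOG = (
    [f'192.0.2.10 - - [28/May/2006:17:26:{s:02d} +0000] "-" 408 - "-" "-"'
     for s in range(20, 28)]
    + ['198.51.100.7 - - [28/May/2006:17:26:25 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
       '198.51.100.7 - - [28/May/2006:17:26:30 +0000] "-" 408 - "-" "-"',
       '203.0.113.5 - - [28/May/2006:17:27:00 +0000] "GET /a HTTP/1.1" 408 - "-" "-"']
)

if __name__ == "__main__":
    for ip, peak in find_idle_connection_sources(SAMPLE_LOG).items():
        print(f"{ip}: {peak} idle timeouts within 60s")
```

Each 408 line is written only when the connection times out, so these counts lag the connections actually held open by the server's timeout value.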

