Stephanie,

Y'know, it's weird that such a technically simple attack still has no commonly implemented defenses. I would venture to say that you can knock out the majority of webservers on the Internet today with a very small shell script that telnets to it a bunch of times on port 80 and leaves those connections open until they time out. For some reason, the kernel doesn't notify Apache of a new connection's IP address until some data is sent through that connection. The evidence of this is the "?" in the server-status field that would normally display the connection's IP, as well as the fact that Apache connection limiting modules don't seem to block these connections, even when configured to restrict the server to 1 connection per IP. By just opening a bunch of connections and not sending any data through them, you can do an effective DoS.

The most effective solution is an iptables addon called connlimit. Assuming your Linux distro doesn't include connlimit (most don't), you'll have to recompile your kernel to add it in. It lets you restrict the number of connections coming in from the same IP, so if the attacker is coming from a single IP and this isn't a DDoS style attack, you can block it pretty effectively with an iptables rule to limit it to, say, 10 simultaneous connections per IP. Check this site for more: http://www.netfilter.org/patch-o-matic/pom-base.html#pom-base-connlimit

By the way, upgrading to Apache 2.0 doesn't automatically fix this issue. Apache 2's worker MPM can certainly be configured to handle many more simultaneous connections than Apache 1 is capable of, but that just raises the number of simultaneous connections that an attacker must initiate to DoS your server and doesn't address the underlying problem. Also, the worker MPM creates some serious problems with PHP.

On Apache 2.2, the new AcceptFilter directive was added, probably to solve this very problem. It prevents Apache from being notified of a new socket until some data has been sent through it, meaning Apache will be immediately aware of the socket's source IP address. However, it relies on some kernel-level socket features, and only works with Linux and FreeBSD. I suspect that it will solve the problem, but you'll have to wait for connection limiting modules (such as mod_ip_count, or others) to be made available for Apache 2.2. So far, I'm guessing that they only work with 2.0, but don't quote me on that.

You can also experiment with the TimeOut directive. It's what you were asking for, a way to limit how long the server waits for data before dropping the connection. The default is 300; try lowering it to something like 5 or 10 and see what happens. This will make it more difficult (though not impossible) to DoS your server in this manner, but might also make life more difficult for some dialup users on especially slow connections.

Finally, you could write a script to check your logfiles every few minutes looking for the line that gives it away:

87.10.176.44 - - [28/May/2006:17:26:24 +0000] "-" 408 - "-" "-"

The source IP is logged, so the script could automatically add an iptables rule to drop it. Such a script would have to run as root, though.

I realize that what I've got here are some half-baked attempts at solutions, combined with a few good ones that are difficult to implement. It's all I could come up with, and hopefully some of it will be useful. I'm also sending this email to Apache's mailing list; hopefully others know something I don't.

Sergey

On 8/7/06, Stephanie Belton <steph@xxxxxxxxx> wrote:
Hello Sergey,

I have come across a similar DoS attack as the one you describe in this thread: http://marc.theaimsgroup.com/?l=apache-httpd-users&m=114883865313032&w=2

I was wondering if you managed to solve your problem and if so what technique you used! Because of compatibility issues I am unable to upgrade Apache at present (using 1.3.37) so any solutions involving Apache 1.3 will be gratefully received! I have spent the day looking for answers on Google but haven't come across any satisfying ones. Ideally I would like to be able to set a time limit for the server to wait for data after the connection is initiated rather than keeping track of the various IP numbers which connect to the server (a la mod_evasive, especially as you say it doesn't work anyway)!

Many thanks

Stephanie
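The log check Sergey sketches above, written out as an added example that is not from the thread: it parses Apache access-log lines, keeps only the empty-request 408 entries he points to, and flags a source IP only when enough of them cluster inside a short window, so a lone slow dialup client is not caught. The sample lines (modelled on the one he quotes), the threshold and the window are constructed for this example; what a root-run script would then do with the flagged IPs (the iptables rule he mentions) is deliberately left out of the block.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache common/combined access-log line. The giveaway quoted in the thread is an
# empty request ("-") with status 408: the client connected, sent nothing, hit TimeOut.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("req"), int(m.group("status"))

def flag_sources(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: peak} for source IPs with at least `threshold` empty-request
    408s inside any `window`; one genuinely slow client stays below it."""
    stamps_by_ip = defaultdict(list)
    for line in lines:
        p = parse_line(line)
        if p and p[2] == "-" and p[3] == 408:
            stamps_by_ip[p[0]].append(p[1])
    flagged = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        peak = j = 0
        for i, start in enumerate(stamps):  # sliding window over sorted times
            while j < len(stamps) and stamps[j] - start <= window:
                j += 1
            peak = max(peak, j - i)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

# Constructed sample (assumed values), modelled on the line quoted in the thread.
SAMPLE = [
    '87.10.176.44 - - [28/May/2006:17:26:24 +0000] "-" 408 - "-" "-"',
    '87.10.176.44 - - [28/May/2006:17:26:25 +0000] "-" 408 - "-" "-"',
    '87.10.176.44 - - [28/May/2006:17:26:25 +0000] "-" 408 - "-" "-"',
    '192.0.2.10 - - [28/May/2006:17:27:30 +0000] "GET / HTTP/1.0" 200 512 "-" "Mozilla"',
    '198.51.100.7 - - [28/May/2006:17:28:00 +0000] "-" 408 - "-" "-"',
    '87.10.176.44 - - [28/May/2006:17:29:40 +0000] "-" 408 - "-" "-"',
    '87.10.176.44 - - [28/May/2006:17:30:50 +0000] "-" 408 - "-" "-"',
    '87.10.176.44 - - [28/May/2006:18:45:00 +0000] "-" 408 - "-" "-"',
]
```

On the sample, `flag_sources(SAMPLE)` returns only the repeat offender with its peak of five idle timeouts in one window; the single 408 from the other address and the sixth hit an hour later are not enough to flag anything.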
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
From the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx