On Sun, 4 Nov 2007 18:45:55 -0500 "Nilesh Bansal" <nileshbansal@xxxxxxxxx> wrote: > Hi all, > > I was wondering if httpd has some module that can be used for > protecting against malicious clients that send too-many requests at a > high rate. Sometimes, some clients (or robots), send too many requests > (e.g., 20 per second) to our application that operates with rather > limited resources. Is there a way that I can limit number-of-requests > per IP per second? Or even better, notify the system admin if someone > downloads over 1000 pages in less than a minute. 20 requests per second from one IP isn't necessarily abuse. Even if you don't have pages containing lots of images (thus asking clients to send multiple requests), you could be dealing with a proxy for huge numbers of users. Having said that, there are a number of third-party modules to do what you're asking. mod_evasive, for example, is designed for precisely that purpose. See modules.apache.org for others. There are other approaches you could consider if the real issue is a heavyweight application, so that 20/sec is hurting the server. For example, mod_load_average can be used to refuse to run the heavyweight app and return a "server busy" page instead when the load is too high. That way, static stuff will be unaffected by the heavy traffic. -- Nick Kew Application Development with Apache - the Apache Modules Book http://www.apachetutor.org/ --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|