Re: How to prevent from simple DoS?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This sounds like a serious issue and the links/hints I have seen
in this thread do not seem to acknowledge this fact.

If it's a single IP address, then you can block it with the tool of
your choice. That's obvious. But in a DDoS setting, your apache server
is as dead as the parrot in Monthy Python. And what's worse:
No logfile documenting the silent death. Just an impressive amount
of connections in netstat. You can try to nail the attacking
clients with mod_forensic, but it won't help you much.

http://httpd.apache.org/docs/trunk/misc/security_tips.html#dos
is a nice list of hints for general use, but regarding the attack
in question, it sounds like a collection of spare time activities
while you watch your server die.

Event mpm is fun, but it is of little use without ssl and ssl-sites
are particulary affected by this sort of attack.
AcceptFilter is very limited in scope. If you can fight an attacker,
who is using slow requests as mentioned, then this shows a serious
lack of fantasy on the side of the attacker. The same applies to
LimitRequestBody, LimitRequestFields, LimitRequestFieldSize, etc.
Setting Timeout to a sane value helps a little, but even a timeout
of one seconds will leave you as an easy prey. Besides upgrading
to apache 2.2 seems a must, with the known timeout issues with cgi
script timeouts and proxying.
mod_evasive is regulary cited (Kew, Apache Modules Book, p. 110),
when it is no use as it lacks communication between the processes/threads. Let alone between webservers.
mod_cband looks dead, as mentioned here recently. It's no use anyways. In fact all these IP connection limiting attempts hardly work in the real world, where users share outgoing proxies and thus a single IP address.

Regarding application level DDoS attacks, Mirkovic/Dietrich et. al,
Internet DoS, p. 85, conclude : "... many defenses are not able to
help you defend against this kind of attack." Kew, Apache modules,
is more verbose, but the essence is more or less the same.

You can try to work with guardian log in mod_security, but it is still
very limited. But it's a start. Other strategies exist, but they are
generally weak. Maybe there is an optimal set with a combination of
these defenses, but I would not bet on it.

One of the better defenses I have seen is to use blacklists and whitelists on a firewall in front of the webserver. Think of good ways to feed these lists (See mod_forensic above, but it's only a start and I think it's a bad one). You are a lucky sysadmin, if you are able to use GeoIP, because your clients/customers stem from a clear geographic region. Chances are you are not so lucky.

Under the line: If you are facing this sort of attack, then you are
in serious trouble and there is little apache can do for you.


Yahoo! Answers - Get better answers from someone who knows. Try it now.
[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux