Evan Platt wrote:
At 12:59 PM 4/1/2009, you wrote:
> What is the best way to limit concurrent connections per IP to, say, 20?
> I'm having some problems with "connection storms" caused by bots harvesting websites.

mod_limitipconn.c? http://dominia.org/djao/limitipconn2.html
I can vouch for mod_limitipconn. I use it myself to block "broken" browsers that try to open too many simultaneous connections and fill up the Apache connection slots. As a global option, I have the block limit set very high (70 connections). However, you can always be more aggressive if you see fit. A value of 20 or 30 (as you stated in another email) is pretty reasonable. The gotcha is that it could potentially block legitimate requests from different people if they are all behind the same NAT address (such as an office connection). That's one reason why I'm not too aggressive in my settings.
Going the iptables route would work too, but I think it would be much easier to just manage it strictly on the apache side.
--
Justin Pasher

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
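The configuration Justin describes, written out as an added example (it is not from either poster and not from the mod_limitipconn distribution): a lenient global MaxConnPerIP of 70 as in his setup, a stricter limit only on a hypothetical expensive path (`/search` is an assumption, not something in the thread), and NoIPLimit so that a browser fetching a page's images in parallel is not counted. The directive names (MaxConnPerIP, NoIPLimit, OnlyIPLimit) and the ExtendedStatus requirement are from the module itself; the numbers other than 70 are illustrative.

```apache
# Added example, not part of the original thread.
# mod_limitipconn reads the server scoreboard, so mod_status must be loaded
# and ExtendedStatus must be On or the per-IP counts will not be populated.
LoadModule status_module      modules/mod_status.so
LoadModule limitipconn_module modules/mod_limitipconn.so
ExtendedStatus On

<IfModule mod_limitipconn.c>
    # Global ceiling: generous (70, as in Justin's setup) so that many people
    # behind one NAT address (an office connection) are unlikely to be blocked.
    <Location />
        MaxConnPerIP 70
        # Do not count static images against the per-IP total; a normal page
        # load opens several parallel image requests and would otherwise
        # burn through a tight limit on its own.
        NoIPLimit image/*
    </Location>

    # Tighter limit only where a harvesting bot actually hurts: a path that is
    # expensive to serve. "/search" and the value 20 are assumptions here.
    <Location /search>
        MaxConnPerIP 20
        # Apply the limit only to HTML responses for this location.
        OnlyIPLimit text/html
    </Location>
</IfModule>
```

Requests over the limit receive a 503 from the module, so watch the error log for the resulting entries after deployment to see which addresses are being refused; a single office NAT address appearing repeatedly is the signal that the limit is too tight for legitimate traffic. The iptables route mentioned in the thread (the `connlimit` match, `-m connlimit --connlimit-above N` on port 80) counts TCP connections before Apache ever sees them and so also protects the listen backlog, but it cannot distinguish a cheap image request from an expensive one, which is why per-location limits on the Apache side are easier to tune around the NAT gotcha.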