Hello,

Thank you for the reply.

Unfortunately, mod-limitipconn seems to act too late. After installing and enabling it:

<Location />
MaxConnPerIP 15
</Location>

Netstat shows:

# netstat -atn
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 (MY-SERVER-IP):80 (ATTACKER-IP):3930 SYN_RECV
tcp 0 0 (MY-SERVER-IP):80 (ATTACKER-IP):3316 SYN_RECV
tcp 0 0 (MY-SERVER-IP):80 (ATTACKER-IP):4147 SYN_RECV
tcp 0 0 (MY-SERVER-IP):80 (ATTACKER-IP):3854 SYN_RECV
tcp 0 0 (MY-SERVER-IP):80 (ATTACKER-IP):1500 SYN_RECV
tcp 0 0 (MY-SERVER-IP):80 (ATTACKER-IP):3931 SYN_RECV
tcp 0 0 (MY-SERVER-IP):80 (ATTACKER-IP):2325 SYN_RECV
tcp 0 0 (MY-SERVER-IP):80 (ATTACKER-IP):1652 SYN_RECV
tcp 0 0 (MY-SERVER-IP):80 (ATTACKER-IP):1499 SYN_RECV
tcp 0 0 (MY-SERVER-IP):80 (ATTACKER-IP):1710 SYN_RECV
tcp 0 0 (MY-SERVER-IP):80 (ATTACKER-IP):1125 SYN_RECV
tcp 0 0 (MY-SERVER-IP):80 (ATTACKER-IP):1913 SYN_RECV
tcp 0 0 (MY-SERVER-IP):80 (ATTACKER-IP):2445 SYN_RECV
tcp 0 0 (MY-SERVER-IP):80 (ATTACKER-IP):3929 SYN_RECV
tcp 0 0 (MY-SERVER-IP):80 (ATTACKER-IP):1119 SYN_RECV
tcp 0 0 (MY-SERVER-IP):80 (ATTACKER-IP):4602 SYN_RECV
tcp 0 0 (MY-SERVER-IP):80 (ATTACKER-IP):3518 SYN_RECV
tcp 0 0 (MY-SERVER-IP):80 (ATTACKER-IP):1529 SYN_RECV
tcp 0 0 (MY-SERVER-IP):80 (ATTACKER-IP):1551 SYN_RECV
tcp 0 0 (MY-SERVER-IP):80 (ATTACKER-IP):1502 SYN_RECV
tcp 0 0 (MY-SERVER-IP):80 (ATTACKER-IP):3122 SYN_RECV
tcp 0 0 (MY-SERVER-IP):80 (ATTACKER-IP):1311 SYN_RECV
tcp 0 0 (MY-SERVER-IP):80 (ATTACKER-IP):3529 SYN_RECV
tcp 0 0 (MY-SERVER-IP):80 (ATTACKER-IP):3856 SYN_RECV
tcp 0 0 (MY-SERVER-IP):80 (ATTACKER-IP):4714 SYN_RECV
tcp 0 0 (MY-SERVER-IP):80 (ATTACKER-IP):1680 SYN_RECV
tcp 0 0 (MY-SERVER-IP):80 (ATTACKER-IP):3286 SYN_RECV
tcp 0 0 (MY-SERVER-IP):80 (ATTACKER-IP):1120 SYN_RECV
tcp 0 0 (MY-SERVER-IP):80 (ATTACKER-IP):1651 SYN_RECV
tcp 0 0 (MY-SERVER-IP):80 (ATTACKER-IP):3123 SYN_RECV
tcp 0 0 (MY-SERVER-IP):80 (ATTACKER-IP):4329 SYN_RECV
tcp 0 0 (MY-SERVER-IP):80 (ATTACKER-IP):2285 SYN_RECV
tcp 0 0 (MY-SERVER-IP):80 (ATTACKER-IP):2488 SYN_RECV
tcp 0 0 (MY-SERVER-IP):80 (ATTACKER-IP):1653 SYN_RECV
tcp 0 0 (MY-SERVER-IP):80 (ATTACKER-IP):1296 SYN_RECV
tcp 0 0 (MY-SERVER-IP):80 (ATTACKER-IP):4709 SYN_RECV
tcp 0 0 (MY-SERVER-IP):80 (ATTACKER-IP):1530 SYN_RECV
tcp 0 0 (MY-SERVER-IP):80 (ATTACKER-IP):3747 SYN_RECV
tcp 0 0 (MY-SERVER-IP):80 (ATTACKER-IP):4438 SYN_RECV
tcp 0 0 (MY-SERVER-IP):80 (ATTACKER-IP):4445 SYN_RECV
tcp 0 0 (MY-SERVER-IP):80 (ATTACKER-IP):3907 SYN_RECV
tcp 0 0 (MY-SERVER-IP):80 (ATTACKER-IP):3124 SYN_RECV
tcp 0 0 (MY-SERVER-IP):80 (ATTACKER-IP):1597 SYN_RECV
tcp 0 0 (MY-SERVER-IP):80 (ATTACKER-IP):2318 SYN_RECV
tcp 0 0 (MY-SERVER-IP):80 (ATTACKER-IP):1497 SYN_RECV
tcp 0 0 (MY-SERVER-IP):80 (ATTACKER-IP):2333 SYN_RECV
tcp 0 0 (MY-SERVER-IP):80 (ATTACKER-IP):1179 SYN_RECV
tcp 0 0 (MY-SERVER-IP):80 (ATTACKER-IP):1707 SYN_RECV
tcp 0 1 (MY-SERVER-IP):80 (ATTACKER-IP):4309 LAST_ACK
tcp 0 1 (MY-SERVER-IP):80 (ATTACKER-IP):3897 LAST_ACK
tcp 0 1 (MY-SERVER-IP):80 (ATTACKER-IP):3969 LAST_ACK
tcp 0 1 (MY-SERVER-IP):80 (ATTACKER-IP):1292 LAST_ACK
tcp 0 1 (MY-SERVER-IP):80 (ATTACKER-IP):4315 LAST_ACK
tcp 0 1 (MY-SERVER-IP):80 (ATTACKER-IP):2121 LAST_ACK
tcp 0 1 (MY-SERVER-IP):80 (ATTACKER-IP):1314 LAST_ACK
tcp 0 1 (MY-SERVER-IP):80 (ATTACKER-IP):3082 LAST_ACK
tcp 0 1 (MY-SERVER-IP):80 (ATTACKER-IP):1923 LAST_ACK
tcp 0 1 (MY-SERVER-IP):80 (ATTACKER-IP):2719 LAST_ACK
tcp 0 1 (MY-SERVER-IP):80 (ATTACKER-IP):4075 LAST_ACK
tcp 0 1 (MY-SERVER-IP):80 (ATTACKER-IP):4323 LAST_ACK
tcp 0 1 (MY-SERVER-IP):80 (ATTACKER-IP):3533 LAST_ACK
tcp 0 1 (MY-SERVER-IP):80 (ATTACKER-IP):3579 LAST_ACK
tcp 0 1 (MY-SERVER-IP):80 (ATTACKER-IP):4284 LAST_ACK
tcp 0 1 (MY-SERVER-IP):80 (ATTACKER-IP):4112 LAST_ACK
tcp 0 1 (MY-SERVER-IP):80 (ATTACKER-IP):3270 LAST_ACK
tcp 0 1 (MY-SERVER-IP):80 (ATTACKER-IP):2469 LAST_ACK
tcp 0 1 (MY-SERVER-IP):80 (ATTACKER-IP):2468 LAST_ACK
tcp 0 1 (MY-SERVER-IP):80 (ATTACKER-IP):4588 LAST_ACK
tcp 0 1 (MY-SERVER-IP):80 (ATTACKER-IP):1088 LAST_ACK
tcp 0 1 (MY-SERVER-IP):80 (ATTACKER-IP):1897 LAST_ACK
tcp 0 1 (MY-SERVER-IP):80 (ATTACKER-IP):3694 LAST_ACK
tcp 0 1 (MY-SERVER-IP):80 (ATTACKER-IP):1900 LAST_ACK
tcp 0 1 (MY-SERVER-IP):80 (ATTACKER-IP):3649 LAST_ACK
tcp 0 1 (MY-SERVER-IP):80 (ATTACKER-IP):2047 LAST_ACK
tcp 0 1 (MY-SERVER-IP):80 (ATTACKER-IP):1090 LAST_ACK
tcp 0 1 (MY-SERVER-IP):80 (ATTACKER-IP):1315 LAST_ACK
tcp 0 1 (MY-SERVER-IP):80 (ATTACKER-IP):1490 LAST_ACK
tcp 0 1 (MY-SERVER-IP):80 (ATTACKER-IP):4310 LAST_ACK
tcp 0 1 (MY-SERVER-IP):80 (ATTACKER-IP):1130 LAST_ACK
tcp 0 1 (MY-SERVER-IP):80 (ATTACKER-IP):1130 LAST_ACK
tcp 0 1 (MY-SERVER-IP):80 (ATTACKER-IP):4079 LAST_ACK
tcp 0 1 (MY-SERVER-IP):80 (ATTACKER-IP):1093 LAST_ACK
tcp 0 1 (MY-SERVER-IP):80 (ATTACKER-IP):4080 LAST_ACK
tcp 0 1 (MY-SERVER-IP):80 (ATTACKER-IP):1094 LAST_ACK
tcp 0 1 (MY-SERVER-IP):80 (ATTACKER-IP):1049 LAST_ACK
tcp 0 1 (MY-SERVER-IP):80 (ATTACKER-IP):1908 LAST_ACK
tcp 0 1 (MY-SERVER-IP):80 (ATTACKER-IP):4078 LAST_ACK
tcp 0 1 (MY-SERVER-IP):80 (ATTACKER-IP):4705 LAST_ACK
tcp 0 1 (MY-SERVER-IP):80 (ATTACKER-IP):3342 LAST_ACK
tcp 0 1 (MY-SERVER-IP):80 (ATTACKER-IP):3087 LAST_ACK
tcp 0 1 (MY-SERVER-IP):80 (ATTACKER-IP):2920 LAST_ACK
tcp 0 1 (MY-SERVER-IP):80 (ATTACKER-IP):4340 LAST_ACK
tcp 0 1 (MY-SERVER-IP):80 (ATTACKER-IP):3268 LAST_ACK
tcp 0 1 (MY-SERVER-IP):80 (ATTACKER-IP):1091 LAST_ACK
tcp 0 1 (MY-SERVER-IP):80 (ATTACKER-IP):3269 LAST_ACK
tcp 0 1 (MY-SERVER-IP):80 (ATTACKER-IP):1898 LAST_ACK
tcp 0 1 (MY-SERVER-IP):80 (ATTACKER-IP):3784 LAST_ACK
tcp 0 1 (MY-SERVER-IP):80 (ATTACKER-IP):1097 LAST_ACK
tcp 0 1 (MY-SERVER-IP):80 (ATTACKER-IP):2476 LAST_ACK
tcp 0 1 (MY-SERVER-IP):80 (ATTACKER-IP):1899 LAST_ACK

The server does not respond to HTTP anymore...

-----Original Message-----
From: Justin Pasher [mailto:justinp@xxxxxxxxxxxxxxxxxxx]
Sent: Monday, 13 April 2009 22:47
To: users@xxxxxxxxxxxxxxxx
Cc: k.reznichak@xxxxxxxxx
Subject: Re: Connection flood: how to protect?

Kanstantin Reznichak wrote:
>
> Hello,
>
> One of my servers was affected by a TCP flood attack targeted at the http
> service (Apache 2.2.8). Short attack description: an attacker opens a
> large amount of TCP connections to the Apache service and sends a few bytes
> (for example, a single "GET / HTTP/1.1" line) to every opened
> connection. The HTTP service opens a new process for every such
> connection and waits for further input. After a short time, HTTPd runs
> out of connection limit and stops responding.
>
> Some of my servers are protected by a state tracking firewall that
> protects them against this kind of attack.
>
> My question: is it possible to configure Apache HTTPd in order to
> protect it against these attacks?
>

Check out mod_limitipconn. You can restrict the number of simultaneous connections from individual IP addresses.

http://dominia.org/djao/limitipconn.html

--
Justin Pasher

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
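
Added example, not part of the original thread: a Python script that tallies `netstat -atn` output per remote address and TCP state, so a source holding many SYN_RECV sockets (handshake not yet completed, so not yet handed to the web server) stands out. The sample lines, the addresses and the `max_half_open` threshold are constructed assumptions; `max_total=15` mirrors the MaxConnPerIP value quoted in the message.

```python
from collections import Counter, defaultdict

# Constructed sample in `netstat -atn` format. Addresses come from the
# RFC 5737 documentation ranges; they are not taken from the message.
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address    Foreign Address   State
tcp   0 0 0.0.0.0:80     0.0.0.0:*         LISTEN
tcp   0 0 192.0.2.10:80  203.0.113.5:3930  SYN_RECV
tcp   0 0 192.0.2.10:80  203.0.113.5:3316  SYN_RECV
tcp   0 0 192.0.2.10:80  203.0.113.5:4147  SYN_RECV
tcp   0 0 192.0.2.10:80  203.0.113.5:3854  SYN_RECV
tcp   0 1 192.0.2.10:80  203.0.113.5:4309  LAST_ACK
tcp   0 1 192.0.2.10:80  203.0.113.5:3897  LAST_ACK
tcp   0 0 192.0.2.10:80  198.51.100.7:5121 ESTABLISHED
tcp   0 0 192.0.2.10:22  198.51.100.7:5130 ESTABLISHED
"""

def states_by_source(text, port="80"):
    """Map remote IP -> Counter of TCP states for sockets on local `port`."""
    counts = defaultdict(Counter)
    for line in text.splitlines():
        fields = line.split()
        # Socket rows have exactly six fields and start with tcp/tcp6.
        if len(fields) != 6 or not fields[0].startswith("tcp"):
            continue
        local, remote, state = fields[3], fields[4], fields[5]
        if state == "LISTEN" or local.rsplit(":", 1)[1] != port:
            continue
        counts[remote.rsplit(":", 1)[0]][state] += 1
    return counts

def flag_sources(text, port="80", max_half_open=3, max_total=15):
    """Return sorted (ip, half_open, total) for sources over either limit.

    max_half_open is an assumed threshold for SYN_RECV sockets;
    max_total mirrors the MaxConnPerIP value from the message.
    """
    flagged = []
    for ip, states in states_by_source(text, port).items():
        half_open, total = states["SYN_RECV"], sum(states.values())
        if half_open > max_half_open or total > max_total:
            flagged.append((ip, half_open, total))
    return sorted(flagged)

if __name__ == "__main__":
    for ip, half_open, total in flag_sources(SAMPLE):
        print(f"{ip}: {half_open} half-open, {total} sockets on port 80")
```

On a live host the same functions can be fed the captured output of `netstat -atn` instead of `SAMPLE`.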