Yes, that's it. My current experience with Linux iptables was not enough to define reliable rules against SYN flooding. All my other servers are either OpenBSD itself or located behind OpenBSD's PF, which provides effective flooding protection.

The problem was solved by adding appropriate rules to iptables based on the following tutorial:
http://www.debian-administration.org/articles/187

I have also followed your advice and increased Apache connection limits.

Thank you!

-----Original Message-----
From: Sean Conner [mailto:spc@xxxxxxxxxx]
Sent: Tuesday, 14 April 2009 22:14
To: users@xxxxxxxxxxxxxxxx
Subject: Re: Connection flood: how to protect?

It was thus said that the Great Kanstantin Reznichak once stated:
> Hello,
>
> Thank you for the reply. Unfortunately, mod-limitipconn seems to act too late.
> After installing and enabling it:
> <Location />
> MaxConnPerIP 15
> </Location>
>
> Netstat shows:
> # netstat -atn
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address Foreign Address State
> tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
> tcp 0 0 (MY-SERVER-IP):80 (ATTACKER-IP):3930 SYN_RECV
> tcp 0 0 (MY-SERVER-IP):80 (ATTACKER-IP):3316 SYN_RECV
> tcp 0 0 (MY-SERVER-IP):80 (ATTACKER-IP):4147 SYN_RECV
> tcp 0 0 (MY-SERVER-IP):80 (ATTACKER-IP):3854 SYN_RECV
> tcp 0 0 (MY-SERVER-IP):80 (ATTACKER-IP):1500 SYN_RECV

That's a SYN flood, and I've been on the receiving end of those, and I've written about what I did to reduce the problem under Linux.

http://boston.conman.org/2005/08/11.2 (summary of the link below)
http://boston.conman.org/2004/01/04.2

Hopefully, some of that is helpful to you.

-spc

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
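
Added example, not part of the original thread: a shell function that reads `netstat -atn` output like the listing quoted above and reports which remote addresses hold the most half-open (SYN_RECV) sockets on a given local port. The function names, the threshold argument and the sample addresses (documentation ranges) are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Count SYN_RECV sockets per remote address from `netstat -atn` output.

# Constructed sample in the same column layout as the netstat listing in
# the thread. Addresses are documentation-range placeholders, not real hosts.
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           203.0.113.7:3930        SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.7:3316        SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.7:4147        SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.7:3854        SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.7:1500        SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.4:51022      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.9:40100      ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.7:2201        SYN_RECV
EOF
}

# syn_recv_by_source PORT THRESHOLD
# Reads netstat -atn output on stdin. Prints "count address" for every remote
# address with at least THRESHOLD SYN_RECV sockets on local PORT, busiest first.
syn_recv_by_source() {
    awk -v port="$1" -v min="$2" '
        $1 ~ /^tcp/ && $6 == "SYN_RECV" {
            # The local port is the last colon-separated piece (also true for tcp6).
            n = split($4, l, ":")
            if (l[n] != port) next
            # Strip the remote port so sockets group by remote address only.
            src = $5
            sub(/:[0-9]+$/, "", src)
            count[src]++
        }
        END {
            for (s in count)
                if (count[s] >= min) print count[s], s
        }
    ' | sort -rn
}

# Demo on the constructed sample: sources with 3 or more half-open sockets on port 80.
sample_netstat | syn_recv_by_source 80 3
```

On a live host the input would be `netstat -atn | syn_recv_by_source 80 15`. A single address dominating the list, as in the thread, is the case a per-source firewall limit can handle; a flood with spoofed sources shows many addresses with one or two entries each.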