Home page logo

nanog logo nanog mailing list archives

Re: Pattern matching odd HTTP request
From: Bill McGonigle <mcgonigle () medicalmedia com>
Date: Thu, 20 Sep 2001 09:32:50 -0400

Thanks for all your work on this one, Karsten, and I hope you had a good nap. :)

mod_throttle looks like it will stop a DOS from one client effectively, though the configuration is a bit complex for just that use of it. I plan to implement it for that. It doesn't appear to be useful though for the type of DDOS that seems to be brewing (which I hope fizzles and dies).

The traffic pattern I was seeing (one request every 1.5 minutes) means it would take 45 attackers to tie up a stock Apache indefinitely. If this was implemented as a nimda-like worm, using random IP scanning, and it attacked as found servers, I think there would be a pretty good chance of defending against it (firewall the ip if there are n number of timeouts in a time period). If it did discovery first, though, and kept a cache (I'm not going to throw a flag on someone looking for my /index.html) then attacked at a predetermined time I can't think of a way to defend against it with a per-IP configuration. I'd probably never set my per-IP limit below 5, and this would use 3.33 connections per IP.

If, however, Apache had a limit on 'barely-open connections' with some sort of timeout function, I think that would help. For instance, it might look like:

BarelyOpenConnectionTimeout 10
BarelyOpenConnectionLimit 50

Such that if there were 50 connections open that hadn't sent a request for 10 seconds, it would stop dropping them in a FIFO manner.

I mostly hack on higher-level modules in mod_perl, so I don't know enough about apache internals to speak to the feasibility of such a function.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]