nanog mailing list archives
Re: Pattern matching odd HTTP request
From: Bill McGonigle <mcgonigle () medicalmedia com>
Date: Thu, 20 Sep 2001 09:32:50 -0400
Thanks for all your work on this one, Karsten, and I hope you had a good nap. :)
mod_throttle looks like it will stop a DOS from one client effectively, though the configuration is a bit complex for just that use of it. I plan to implement it for that. It doesn't appear to be useful though for the type of DDOS that seems to be brewing (which I hope fizzles and dies).
The traffic pattern I was seeing (one request every 1.5 minutes) means it would take 45 attackers to tie up a stock Apache indefinitely. If this was implemented as a nimda-like worm, using random IP scanning, and it attacked as found servers, I think there would be a pretty good chance of defending against it (firewall the ip if there are n number of timeouts in a time period). If it did discovery first, though, and kept a cache (I'm not going to throw a flag on someone looking for my /index.html) then attacked at a predetermined time I can't think of a way to defend against it with a per-IP configuration. I'd probably never set my per-IP limit below 5, and this would use 3.33 connections per IP.
If, however, Apache had a limit on 'barely-open connections' with some sort of timeout function, I think that would help. For instance, it might look like:
BarelyOpenConnectionTimeout 10
BarelyOpenConnectionLimit 50

Such that if there were 50 connections open that hadn't sent a request for 10 seconds, it would stop dropping them in a FIFO manner.
I mostly hack on higher-level modules in mod_perl, so I don't know enough about apache internals to speak to the feasibility of such a function.
-Bill
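An added simulation of the "barely-open connection" limit sketched in the message, as this editor reads it (not code from the thread, and the two directive names are hypothetical, not Apache directives): connections that have sent no request are tracked in accept order; once more than the limit of them have been idle past the timeout, the oldest are dropped first, and each drop is counted per client IP so the "n timeouts in a time period" firewall rule mentioned earlier could be built on top.

```python
from collections import OrderedDict, Counter

# Hypothetical BarelyOpenConnectionTimeout / BarelyOpenConnectionLimit behaviour,
# modelled in Python rather than as an Apache module.
class BarelyOpenLimiter:
    def __init__(self, timeout, limit):
        self.timeout = timeout   # seconds a connection may sit with no request
        self.limit = limit       # how many such stale connections are tolerated
        self.pending = OrderedDict()  # conn_id -> (client_ip, accept_time); insertion order = FIFO
        self.dropped = []             # conn_ids dropped, in drop order
        self.timeouts_per_ip = Counter()  # feed for a per-IP "n timeouts in a window" block rule

    def accept(self, conn_id, client_ip, now):
        self.pending[conn_id] = (client_ip, now)

    def request_received(self, conn_id):
        # A real request arrived: the connection is no longer "barely open".
        self.pending.pop(conn_id, None)

    def tick(self, now):
        """Drop stale connections oldest-first while more than `limit` are stale."""
        stale = [c for c, (_, t) in self.pending.items() if now - t >= self.timeout]
        while len(stale) > self.limit:
            victim = stale.pop(0)             # FIFO: earliest accepted goes first
            ip, _ = self.pending.pop(victim)
            self.dropped.append(victim)
            self.timeouts_per_ip[ip] += 1
        return len(self.dropped)

def simulate():
    lim = BarelyOpenLimiter(timeout=10, limit=2)
    # Constructed scenario: four slow clients (two from the same IP) open sockets and
    # never send a request; one normal client opens and sends immediately.
    for i, ip in enumerate(["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.1"]):
        lim.accept(f"slow{i}", ip, now=i)
    lim.accept("good", "192.0.2.7", now=3)
    lim.request_received("good")
    lim.tick(now=5)    # nothing has been idle for 10 s yet, so nothing is dropped
    early = list(lim.dropped)
    lim.tick(now=14)   # all four slow sockets are stale (14 - 3 = 11 >= 10); limit is 2
    return early, list(lim.dropped), dict(lim.timeouts_per_ip), list(lim.pending)
```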
