httpd-dev mailing list archives

From Sergey Ignatchenko <ipsign...@yahoo.com>
Subject DDOS protection features request
Date Fri, 07 Nov 2003 00:12:11 GMT
There exists (and I know of several instances when it was successfully used) a trivial kind of DDoS attack that seems to be quite poorly handled by Apache: if multiple clients just create TCP connections to port 80 and do not send anything over those connections, it will take TimeOut (300 sec by default) to drop such a connection. So, it becomes trivial to fill all 256 slots (default MaxClients for prefork MPM) and even thousands of slots for worker MPM, therefore effectively preventing legitimate users from requesting data.

Two features IMO would help (sorry if they were already recently added - pls refer me to the appropriate directives then):

- split the TimeOut directive into several (which is already planned according to the Apache docs: http://httpd.apache.org/docs-2.0/mod/core.html#timeout). To deal with such an attack, it is necessary to reduce "The total amount of time it takes to receive a GET request." to several seconds, but unfortunately reducing the current TimeOut value to several seconds will have all kinds of ill effects, including effective inability to serve relatively big files (1M+).
- implementing a restriction on the number of connections from a single source IP (something similar to mod_conn that existed for Apache 1.3). Note: I have no idea how mod_conn was implemented, but to deal with the attack, the IP session limit check must be performed _before_ the GET request is completed.

Thx in advance
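As an added example (not code from this message or from httpd), a minimal asyncio server models the two checks requested above: a per-source-IP connection cap applied at accept time, before any request byte is read, and a timeout that covers only the request header, separate from whatever budget the body and response get. The 0.5 s header budget, the limit of 2 connections per IP, and the three silent connections plus one real request are constructed values for the demonstration.

```python
import asyncio
from collections import Counter
HEADER_TIMEOUT = 0.5   # constructed: seconds allowed to receive the whole request header
MAX_PER_IP = 2         # constructed: open connections allowed per source address

class SlowHeaderGuard:
    """Accept loop with the two checks the message asks for: a per-IP connection cap
    enforced before any request byte is read, and a timeout covering only the header."""
    def __init__(self, header_timeout=HEADER_TIMEOUT, max_per_ip=MAX_PER_IP):
        self.header_timeout, self.max_per_ip = header_timeout, max_per_ip
        self.per_ip = Counter()     # open connections per source IP
        self.outcomes = Counter()   # how each connection ended
    async def handle(self, reader, writer):
        ip = writer.get_extra_info("peername")[0]
        if self.per_ip[ip] >= self.max_per_ip:   # decided before reading a single byte
            self.outcomes["rejected"] += 1
            writer.close()
            return
        self.per_ip[ip] += 1
        try:
            # Only the header read is bounded by the short timeout, so an idle
            # connection gives its slot back after header_timeout, not after TimeOut.
            await asyncio.wait_for(reader.readuntil(b"\r\n\r\n"), self.header_timeout)
            self.outcomes["header"] += 1
            writer.write(b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok")
            await writer.drain()
        except (asyncio.TimeoutError, asyncio.IncompleteReadError) as exc:
            self.outcomes["timeout" if isinstance(exc, asyncio.TimeoutError) else "closed"] += 1
        finally:
            self.per_ip[ip] -= 1
            writer.close()

async def _demo(guard):
    server = await asyncio.start_server(guard.handle, "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    # Constructed clients: three connections that send nothing, then one real request.
    idle = [await asyncio.open_connection("127.0.0.1", port) for _ in range(3)]
    await asyncio.sleep(0.1)
    held = guard.per_ip["127.0.0.1"]   # 2: the third idle connection was refused at accept
    await asyncio.sleep(0.8)           # header_timeout elapses and both slots are freed
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    writer.write(b"GET / HTTP/1.0\r\n\r\n")
    response = await reader.read()     # served: no idle connection is holding a slot
    for _, w in idle + [(reader, writer)]:
        w.close()
    server.close()
    return {"held_slots": held, "outcomes": dict(guard.outcomes), "response": response}

def run_demo():
    return asyncio.run(_demo(SlowHeaderGuard()))
```

Apache httpd later shipped the split timeout as mod_reqtimeout's RequestReadTimeout directive (2.2.15 and later), which bounds header and body reception separately from the general TimeOut.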
