httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject Re: Checkin for timeout?
Date Thu, 28 Apr 2005 20:24:03 GMT

Ivan Barrera A. wrote:

>>So run the mod_status data and count connections per IP address.  This
>>will be way more reliable than any network-performance criteria, IMHO.

There is already a module for this called mod_limitipcon. I did some improvements
to it for myself and it works now nice. Of course it has its architectural drawbacks:

1. It does not work on distributed attacks.
2. Malicious users behind a proxy can lock out all other users behind this proxy.
3. It must be configured carefully on big sites to avoid locking out legitimate users.

> And then, just make the DoS distributed. You can fill the connections
> again, without being the same, and taking forever to release a child.
> Anyways, we can keep discussing that forever.
> (And this is in the most polite way), my question wasn't about the
> better way of detecting a DoS... i just want to know where should i put
> a timeout cheking code. If it is possible to use a kind of filter, or
> just major tweaking of apache source is needed.

I know that you hate further tips on doing this differently, but I would propose to
simply lower the value of Timeout and KeepAliveTimeout to 3 seconds.
Even if it would be possible to write a filter which does this job (which I doubt) you
would have to define some kind of "Timeout" after that you regard a connection as malicious.
But from a quick view in the code I assume that you would need to improve the logging
in cases of HTTP_REQUEST_TIME_OUT and aborted connections such that you can use it for your
firewall to lock out these IP's.




View raw message