httpd-users mailing list archives

From Scott Gifford <sgiff...@suspectclass.com>
Subject Re: [users@httpd] Mitigating DDoS attack
Date Wed, 10 Nov 2004 18:08:38 GMT
"James Richardson" <james.richardson@db.com> writes:

> Assuming that you have ipfilter, or ipchains, or some other firewall
> software running, it should be fairly trivial to stop connections from
> infected machines, however this will be on _your_ side of the connection,
> this still using up your bandwidth.

We do, it's running on RedHat Enterprise Linux with kernel 2.4.7-10, I
should have said.

> This might not actually work, as I've never done this, but intuitively I
> would:
>
> 1) set up a log rule so that requests for this only end up in one logger
> 2) write a perl script to act as log script, that simply writes out new ip
> addresses received to a new log file.
> 3) use this new log file as input to your firewall, rerunning every five
> minutes or so....

Good idea, thanks.

> 4) use the "drop packet" type of blocking, which will tie up the sending
> machine for longer than a "reset", as it will have to wait for the syn/ack
> timeout period before continuing. Also sending the rst will consume your
> bandwidth!

Do you think it would take less bandwidth to drop the packet and
endure all of the SYN retries, or just send the RST?  Assuming that
the worm respects RST, which may not be the case...

I was hoping for something I could use in a RewriteRule to cause the
connection to be dropped, something like:

        RewriteRule ^/g\.jpg$  / [reset]

but there doesn't seem to be a way to do this.

Also, further investigation shows that it's probably not bandwidth
limits we're hitting, but MaxClients.  So a firewall might actually
help a lot, if we could stop the connection from ever becoming open
from Apache's viewpoint.  I think that with SynCookies enabled (which
I've just done) and a content filter that stops packets to port 80
with a data payload matching:

    ^GET /g\.jpg

we might be able to accomplish that.

Thanks!

----ScottG.
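The log-driven blocking that the quoted steps 1 to 3 describe (collect the client IPs that keep requesting /g.jpg, then turn the new ones into firewall DROP rules, as step 4 prefers over RST), written as an added example that is not code from this thread. It uses Python rather than the Perl the reply suggests; the Common Log Format layout, the request pattern, the iptables command form and the sample log lines are all assumptions or constructed here.

```python
import re
from ipaddress import ip_address

# Common/Combined Log Format: client IP is the first field, request line is quoted.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)"')
# The request line the worm keeps sending (same path as the thread's RewriteRule).
TARGET_RE = re.compile(r'^GET /g\.jpg(\?\S*)?(\s|$)')

def offending_ips(log_lines, already_blocked=frozenset()):
    """Return the de-duplicated, first-seen-ordered client IPs that requested
    /g.jpg and are not yet in already_blocked. Unparseable lines are skipped,
    so a corrupt log entry cannot abort the five-minute rerun."""
    found = []
    seen = set(already_blocked)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not TARGET_RE.match(m.group('req')):
            continue
        ip = m.group('ip')
        try:
            ip_address(ip)   # reject junk in the client field before it reaches the firewall
        except ValueError:
            continue
        if ip not in seen:
            seen.add(ip)
            found.append(ip)
    return found

def iptables_rules(ips, port=80):
    """Render one DROP rule per IP (assumed iptables syntax; drop, not reject,
    so the sender waits out its own retries instead of costing us an RST)."""
    return [f"iptables -I INPUT -p tcp --dport {port} -s {ip} -j DROP" for ip in ips]

# Constructed sample log lines (not taken from the original thread).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Nov/2004:13:00:01 -0500] "GET /g.jpg HTTP/1.0" 404 209',
    '198.51.100.7 - - [10/Nov/2004:13:00:02 -0500] "GET /index.html HTTP/1.1" 200 1043',
    '203.0.113.5 - - [10/Nov/2004:13:00:02 -0500] "GET /g.jpg HTTP/1.0" 404 209',
    '192.0.2.9 - - [10/Nov/2004:13:00:03 -0500] "GET /g.jpg?x=1 HTTP/1.0" 404 209',
    'garbage line that does not parse',
    '192.0.2.10 - - [10/Nov/2004:13:00:04 -0500] "GET /g.jpg HTTP/1.0" 404 209',
]

if __name__ == "__main__":
    # 192.0.2.10 is treated as blocked on a previous run, so only two rules are emitted.
    for rule in iptables_rules(offending_ips(SAMPLE_LOG, already_blocked={"192.0.2.10"})):
        print(rule)
```

Feed the dedicated /g.jpg log from step 1 in as log_lines and persist the returned IPs between runs as already_blocked; the example only prints the rules rather than executing them.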
