httpd-users mailing list archives

From "Mark H. Wood" <mw...@IUPUI.Edu>
Subject Re: [users@httpd] How to fight a client causing DoS ?
Date Mon, 15 Aug 2005 14:20:56 GMT

On Sat, 13 Aug 2005, Maxim Vexler wrote:
> Sean, thank you for the quick reply.
> Don't you think that a complete block on the client's IP is too rash a tactic?
> It's a legitimate user, his only fault was that he used this spidering
> tool, which had the side effect of DoS on the httpd daemon, I honestly
> don't think the client meant this to occur.

  iptables -A INPUT -s the_offending_address -p tcp --dport 80 -j REJECT

should take the load off of Apache without blocking other traffic.  The
offender should receive an indication that his access was not welcome.  A
sharper rebuke can be sent by adding '--reject-with icmp-host-prohibited'.

If you prefer to respond with stony silence:

  iptables -A INPUT -s the_offending_address -p tcp --dport 80 -j DROP

should cause the unwanted traffic to be discarded without other action.
This should make his spider hang for a noticeable amount of time while it
waits for a response (which will never come) to its SYN packet, and if the
offender is savvy he'll still figure out that you refuse to talk to the

You could also look at iptables --connrate or --limit or even --dstlimit
if you just want to slow him down.

-- 
Mark H. Wood, Lead System Programmer   mwood@IUPUI.Edu
Open-source executable:  $0.00.  Source:  $0.00  Control:  priceless!

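As an added example (not part of Mark's message or the thread), a Python script that finds the kind of runaway spider discussed above in constructed Apache access-log lines and emits the per-address iptables rule the reply proposes. The log format, the 20-requests-in-10-seconds threshold and the sample addresses are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache common/combined log prefix: client address, identd, user, [timestamp]
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_requests(lines):
    """Return {client_ip: [sorted request timestamps]} from access-log lines."""
    seen = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than crash on a hostile log
        seen[m.group(1)].append(datetime.strptime(m.group(2), TS_FMT))
    return {ip: sorted(ts) for ip, ts in seen.items()}

def find_offenders(requests, max_requests=20, window_seconds=10):
    """Flag clients that made max_requests within any window_seconds span."""
    window = timedelta(seconds=window_seconds)
    offenders = []
    for ip, ts in requests.items():
        for i in range(len(ts) - max_requests + 1):
            if ts[i + max_requests - 1] - ts[i] <= window:
                offenders.append(ip)
                break
    return offenders

def iptables_rule(addr, action="REJECT", port=80):
    """Build the rule from the reply above; note that --dport takes two dashes."""
    rule = f"iptables -A INPUT -s {addr} -p tcp --dport {port} -j {action}"
    if action == "REJECT":
        rule += " --reject-with icmp-host-prohibited"  # the 'sharper rebuke'
    return rule

def make_line(ip, when, path, agent):
    return (f'{ip} - - [{when.strftime(TS_FMT)}] "GET {path} HTTP/1.1" '
            f'200 512 "-" "{agent}"')

# Constructed sample: one ordinary visitor and one spider fetching 40 pages in 8 s.
_base = datetime.strptime("15/Aug/2005:14:00:00 +0000", TS_FMT)
SAMPLE_LOG = [make_line("198.51.100.7", _base + timedelta(seconds=s),
                        "/index.html", "Mozilla/4.0") for s in (0, 30, 90)]
SAMPLE_LOG += [make_line("203.0.113.9", _base + timedelta(milliseconds=200 * n),
                         f"/page{n}.html", "SiteSucker/1.0") for n in range(40)]

if __name__ == "__main__":
    for ip in find_offenders(parse_requests(SAMPLE_LOG)):
        print(iptables_rule(ip))
```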


The official User-To-User support forum of the Apache HTTP Server Project.
