httpd-users mailing list archives

From graham <gra...@theseamans.net>
Subject Re: [users@httpd] limiting connections per ip address in apache2 when under attack
Date Thu, 21 Jun 2007 14:22:57 GMT
Unfortunately connlimit is missing from both debian and ubuntu at the 
moment:

https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.20/+bug/60439/+activity

Shame, it looked like that was going to be such a neat way to fix the 
problem...

Graham

Hamilton Vera wrote:
> It is just a target name
> 
> $IPTABLES -N logdropdos
> $IPTABLES -A logdropdos -j LOG --log-level INFO --log-prefix "[logdropdos]"
> $IPTABLES -A logdropdos -j DROP
> 
> Just to make the log analysis easier; you can also use
>  "-j DROP"   instead.
> 
> 
> 
> Hamilton Vera
> int Administrator (char Network[],char ComputationalSystems[]);
> http://antispam.br/
> "Google is my shepherd, no want shall I know"
> 
> On Thu, 21 Jun 2007, graham wrote:
> 
>> Hamilton Vera wrote:
>>> You can try to use iptables, to limit the number of TCP connections
>>>
>>> $IPTABLES -A INPUT -p TCP -i $WAN -s 0/0 --syn --dport 80 -m 
>>> connlimit --connlimit-above 10 -j logdropdos
>>>
>>
>> Sounds good. What's the 'logdropdos'? I don't seem to have it, and 
>> google gives me nothing. Is there a reason not just to use 'REJECT'?
>>
>> Thanks
>> Graham
>>
>>
>>> Or implement a FreeBSD firewall with QoS, applying shapes to parallel 
>>> TCP connections.
>>>
>>> I hope this helps.
>>>
>>>
>>> On Thu, 21 Jun 2007, graham wrote:
>>>
>>>> Hi,
>>>>
>>>> I've just become involved with a system running Apache 2.0.55 on 
>>>> Ubuntu with Linux 2.6.17.
>>>>
>>>> The system is currently unable to run due to repeated downloads of a 
>>>> large number of pdfs by systems located in China. These are hogging 
>>>> all sockets and eventually causing apache to die (I'm appending more 
>>>> details below in case I've got the wrong end of the stick). The ip 
>>>> address of these systems varies; they are not a single block, 
>>>> although they are obviously working together (different ip addresses 
>>>> will ask for sequentially related pdfs). Each ip address will 
>>>> request multiple files in parallel.
>>>>
>>>> I'm told that the limit_ipconn module would solve my problem by 
>>>> limiting the simultaneous accesses from any one ip address. There is 
>>>> no version of this available for apache2 on ubuntu. I'm wondering if 
>>>> this is because similar abilities have been built into apache2 
>>>> itself, but haven't managed to find any.
>>>>
>>>> Does anyone have any suggestions?
>>>>
>>>> Thanks
>>>> Graham
>>>> -----------------------------------------------
>>>> Notes from log:
>>>>
>>>> The system is running ok, not at particularly heavy load (<1.0), and 
>>>> apache is apparently running ok and not reporting errors [corrected 
>>>> later].
>>>>
>>>> Tailing the apache log file shows that the only accesses to the 
>>>> system are GETs of pdfs from two Chinese systems, 218.4.152.91 and 
>>>> 222.218.254.221, which are obviously running the same software.
>>>>
>>>> These systems are trying to systematically work their way through 
>>>> downloading all Chinese pdfs. When a pdf is too large and the 
>>>> download times out, they immediately try again (at any one moment 
>>>> each system is trying to download 3 or 4 pdfs).
>>>>
>>>> If I restart apache, I immediately get accesses from all over the 
>>>> place, including the 2 Chinese systems. Eventually the Chinese 
>>>> accesses capture all the apache processes, and nothing else can get 
>>>> access.
>>>>
>>>> 'Solution' found for this: turn apache off for a few minutes. The 
>>>> Chinese systems went away, and all was fine again.
>>>>
>>>> One hour later
>>>>
>>>> The Chinese systems, and the problems, returned. A little more data 
>>>> this time.
>>>>
>>>> Once the Chinese systems are established, netstat shows that they 
>>>> occupy most sockets but are mostly in CLOSE_WAIT state. All other 
>>>> requests are stuck in SYNC_RECV.
>>>>
>>>> After this continues for a while the apache processes gradually 
>>>> start to die off with the following sequence:
>>>>
>>>> [alert] (11): setuid: unable to change to uid: 33 (33 is www-data)
>>>>
>>>> [alert] Child 691 returned a Fatal error... Apache is exiting!
>>>>
>>>> [emerg] (43): couldn't grab the accept mutex
>>>>
>>>> semop: Invalid argument


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
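The "[logdropdos]" prefix on Hamilton's LOG target exists so the dropped connections are easy to pick out of syslog. As an added example that is not part of the thread, here is a small Python script that parses those kernel LOG lines and counts drops per source address, so you can see which hosts keep exceeding the connlimit threshold; the sample lines are constructed, reusing the two source addresses quoted above, and the host name, interface and destination address are assumptions.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the format the iptables LOG target emits
# with --log-prefix "[logdropdos]" (the prefix has no trailing space, so IN=
# follows the closing bracket directly). Source addresses are the two quoted
# in the thread; host "www", eth0 and 192.0.2.10 are constructed placeholders.
SAMPLE_LOG = """\
Jun 21 14:20:01 www kernel: [logdropdos]IN=eth0 OUT= SRC=218.4.152.91 DST=192.0.2.10 LEN=60 TTL=48 DF PROTO=TCP SPT=40001 DPT=80 SYN URGP=0
Jun 21 14:20:01 www kernel: [logdropdos]IN=eth0 OUT= SRC=218.4.152.91 DST=192.0.2.10 LEN=60 TTL=48 DF PROTO=TCP SPT=40002 DPT=80 SYN URGP=0
Jun 21 14:20:02 www kernel: [logdropdos]IN=eth0 OUT= SRC=222.218.254.221 DST=192.0.2.10 LEN=60 TTL=50 DF PROTO=TCP SPT=51000 DPT=80 SYN URGP=0
Jun 21 14:20:03 www kernel: eth0: link is up
Jun 21 14:20:03 www sshd[1234]: Accepted publickey for admin from 192.0.2.99 port 5022 ssh2
Jun 21 14:20:04 www kernel: [logdropdos]IN=eth0 OUT= SRC=218.4.152.91 DST=192.0.2.10 LEN=60 TTL=48 DF PROTO=TCP SPT=40003 DPT=80 SYN URGP=0
"""

# Match only lines the logdropdos chain logged; everything after the prefix
# is a run of KEY=VALUE tokens plus bare flag tokens such as DF and SYN.
LOG_RE = re.compile(r"kernel: \[logdropdos\](?P<fields>.*)$")


def parse_line(line):
    """Return the KEY=VALUE fields of one logdropdos line, or None if it is not one."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    fields = {}
    for tok in m.group("fields").split():
        if "=" in tok:  # bare flags (DF, SYN) carry no value and are skipped
            key, value = tok.split("=", 1)
            fields[key] = value
    return fields


def drops_per_source(text):
    """Count connlimit drops per SRC address, considering only TCP to port 80."""
    counts = Counter()
    for line in text.splitlines():
        f = parse_line(line)
        if f and f.get("PROTO") == "TCP" and f.get("DPT") == "80":
            counts[f["SRC"]] += 1
    return counts


def offenders(text, threshold=2):
    """Sources dropped at least `threshold` times, busiest first, as (src, n) pairs."""
    return [(src, n) for src, n in drops_per_source(text).most_common()
            if n >= threshold]
```

Feed it the kernel log (for example `offenders(open("/var/log/kern.log").read())`) to get the addresses that the connlimit rule is repeatedly hitting.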

