httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Sam Testuser <toximoron...@yahoo.co.uk>
Subject Re: [users@httpd] How to prevent from simple DoS?
Date Wed, 21 Nov 2007 18:09:58 GMT
This sounds like a serious issue and the links/hints I have seen 
in this thread do not seem to acknowledge this fact.

If it's a single IP address, then you can block it with the tool of 
your choice. That's obvious. But in a DDoS setting, your apache server 
is as dead as the parrot in Monthy Python. And what's worse:
No logfile documenting the silent death. Just an impressive amount 
of connections in netstat. You can try to nail the attacking
clients with mod_forensic, but it won't help you much.

http://httpd.apache.org/docs/trunk/misc/security_tips.html#dos
is a nice list of hints for general use, but regarding the attack 
in question, it sounds like a collection of spare time activities 
while you watch your server die.

Event mpm is fun, but it is of little use without ssl and ssl-sites
are particulary affected by this sort of attack.
AcceptFilter is very limited in scope. If you can fight an attacker,
who is using slow requests as mentioned, then this shows a serious 
lack of fantasy on the side of the attacker. The same applies to
LimitRequestBody, LimitRequestFields, LimitRequestFieldSize, etc.
Setting Timeout to a sane value helps a little, but even a timeout
of one seconds will leave you as an easy prey. Besides upgrading
to apache 2.2 seems a must, with the known timeout issues with cgi
script timeouts and proxying.
mod_evasive is regulary cited (Kew, Apache Modules Book, p. 110), 
when it is no use as it lacks communication between the processes/threads. Let alone between
webservers.
mod_cband looks dead, as mentioned here recently. It's no use anyways. In fact all these IP
connection limiting attempts hardly work in the real world, where users share outgoing proxies
and thus a single IP address.

Regarding application level DDoS attacks, Mirkovic/Dietrich et. al, 
Internet DoS, p. 85, conclude : "... many defenses are not able to
help you defend against this kind of attack." Kew, Apache modules,
is more verbose, but the essence is more or less the same. 

You can try to work with guardian log in mod_security, but it is still
very limited. But it's a start. Other strategies exist, but they are 
generally weak. Maybe there is an optimal set with a combination of 
these defenses, but I would not bet on it.

One of the better defenses I have seen is to use blacklists and whitelists on a firewall in
front of the webserver. Think of good ways to feed these lists (See mod_forensic above, but
it's only a start and I think it's a bad one). You are a lucky sysadmin, if you are able to
use GeoIP, because your clients/customers stem from a clear geographic region. Chances are
you are not so lucky.

Under the line: If you are facing this sort of attack, then you are
in serious trouble and there is little apache can do for you.


       
---------------------------------
 Yahoo! Answers - Get better answers from someone who knows. Tryit now.
Mime
View raw message