httpd-users mailing list archives

From Nick Kew <>
Subject Re: [users@httpd] Protection against impolite bots
Date Sun, 04 Nov 2007 23:55:16 GMT
On Sun, 4 Nov 2007 18:45:55 -0500
"Nilesh Bansal" <> wrote:

> Hi all,
> I was wondering if httpd has some module that can be used for
> protecting against malicious clients that send too-many requests at a
> high rate. Sometimes, some clients (or robots), send too many requests
> (e.g., 20 per second) to our application that operates with rather
> limited resources. Is there a way that I can limit number-of-requests
> per IP per second? Or even better, notify the system admin if someone
> downloads over 1000 pages in less than a minute.

20 requests per second from one IP isn't necessarily abuse.  Even if
you don't have pages containing lots of images (thus asking clients
to send multiple requests), you could be dealing with a proxy for
huge numbers of users.

Having said that, there are a number of third-party modules to do
what you're asking.  mod_evasive, for example, is designed for
precisely that purpose.  See for others.

There are other approaches you could consider if the real issue
is a heavyweight application, so that 20/sec is hurting the server.
For example, mod_load_average can be used to refuse to run the
heavyweight app and return a "server busy" page instead when the
load is too high.  That way, static stuff will be unaffected by
the heavy traffic.

Nick Kew

Application Development with Apache - the Apache Modules Book
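
The notification condition from the question (over 1000 pages from one IP in less than a minute), sketched as an added example that is not part of the thread or of any module named in it. It assumes Common Log Format access-log lines in chronological order; the function names, the allowlist parameter for known shared proxies, and the sample data are hypothetical.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Leading fields of Common Log Format: client IP, identd, user, [timestamp]
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')

def parse(line):
    """Return (ip, timestamp) for a CLF line, or None if it does not match."""
    m = CLF.match(line)
    if not m:
        return None
    return m.group(1), datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")

def find_bursts(lines, limit=1000, window=60, allow=()):
    """Map each IP to the time it first exceeded `limit` requests in `window` s.

    Lines are assumed to be in chronological order; IPs in `allow`
    (e.g. known shared proxies) are never flagged.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    span = timedelta(seconds=window)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts = rec
        if ip in allow or ip in flagged:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] >= span:  # drop requests older than the window
            q.popleft()
        if len(q) > limit:
            flagged[ip] = ts
    return flagged

def sample_log():
    """Constructed sample: one client at 20 req/s, one at 1 req/s, for 120 s."""
    start = datetime(2007, 11, 4, 23, 0, 0, tzinfo=timezone.utc)
    events = [(start + timedelta(seconds=i // 20), "192.0.2.10") for i in range(2400)]
    events += [(start + timedelta(seconds=i), "198.51.100.7") for i in range(120)]
    events.sort()
    return [f'{ip} - - [{t:%d/%b/%Y:%H:%M:%S %z}] "GET /app HTTP/1.1" 200 512'
            for t, ip in events]

if __name__ == "__main__":
    for ip, when in find_bursts(sample_log()).items():
        print(f"ALERT {ip} exceeded 1000 requests in 60 s at {when.isoformat()}")
```

Putting a proxy's address in `allow` keeps a busy shared proxy from being reported, which is the false-positive case raised in the reply.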
