httpd-users mailing list archives

From "Kanstantin Reznichak" <k.reznic...@pcpin.com>
Subject RE: [users@httpd] Connection flood: how to protect?
Date Tue, 14 Apr 2009 17:31:03 GMT
Hello,

Thank you for the reply. Unfortunately, mod_limitipconn seems to act too late.
After installing and enabling it:
<Location />
  MaxConnPerIP 15
</Location>

Netstat shows:
# netstat -atn
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):3930      SYN_RECV
tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):3316      SYN_RECV
tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):4147      SYN_RECV
tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):3854      SYN_RECV
tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):1500      SYN_RECV
tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):3931      SYN_RECV
tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):2325      SYN_RECV
tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):1652      SYN_RECV
tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):1499      SYN_RECV
tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):1710      SYN_RECV
tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):1125      SYN_RECV
tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):1913      SYN_RECV
tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):2445      SYN_RECV
tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):3929      SYN_RECV
tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):1119      SYN_RECV
tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):4602      SYN_RECV
tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):3518      SYN_RECV
tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):1529      SYN_RECV
tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):1551      SYN_RECV
tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):1502      SYN_RECV
tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):3122      SYN_RECV
tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):1311      SYN_RECV
tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):3529      SYN_RECV
tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):3856      SYN_RECV
tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):4714      SYN_RECV
tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):1680      SYN_RECV
tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):3286      SYN_RECV
tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):1120      SYN_RECV
tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):1651      SYN_RECV
tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):3123      SYN_RECV
tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):4329      SYN_RECV
tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):2285      SYN_RECV
tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):2488      SYN_RECV
tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):1653      SYN_RECV
tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):1296      SYN_RECV
tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):4709      SYN_RECV
tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):1530      SYN_RECV
tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):3747      SYN_RECV
tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):4438      SYN_RECV
tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):4445      SYN_RECV
tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):3907      SYN_RECV
tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):3124      SYN_RECV
tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):1597      SYN_RECV
tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):2318      SYN_RECV
tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):1497      SYN_RECV
tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):2333      SYN_RECV
tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):1179      SYN_RECV
tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):1707      SYN_RECV
tcp        0      1 (MY-SERVER-IP):80       (ATTACKER-IP):4309      LAST_ACK
tcp        0      1 (MY-SERVER-IP):80       (ATTACKER-IP):3897      LAST_ACK
tcp        0      1 (MY-SERVER-IP):80       (ATTACKER-IP):3969      LAST_ACK
tcp        0      1 (MY-SERVER-IP):80       (ATTACKER-IP):1292      LAST_ACK
tcp        0      1 (MY-SERVER-IP):80       (ATTACKER-IP):4315      LAST_ACK
tcp        0      1 (MY-SERVER-IP):80       (ATTACKER-IP):2121      LAST_ACK
tcp        0      1 (MY-SERVER-IP):80       (ATTACKER-IP):1314      LAST_ACK
tcp        0      1 (MY-SERVER-IP):80       (ATTACKER-IP):3082      LAST_ACK
tcp        0      1 (MY-SERVER-IP):80       (ATTACKER-IP):1923      LAST_ACK
tcp        0      1 (MY-SERVER-IP):80       (ATTACKER-IP):2719      LAST_ACK
tcp        0      1 (MY-SERVER-IP):80       (ATTACKER-IP):4075      LAST_ACK
tcp        0      1 (MY-SERVER-IP):80       (ATTACKER-IP):4323      LAST_ACK
tcp        0      1 (MY-SERVER-IP):80       (ATTACKER-IP):3533      LAST_ACK
tcp        0      1 (MY-SERVER-IP):80       (ATTACKER-IP):3579      LAST_ACK
tcp        0      1 (MY-SERVER-IP):80       (ATTACKER-IP):4284      LAST_ACK
tcp        0      1 (MY-SERVER-IP):80       (ATTACKER-IP):4112      LAST_ACK
tcp        0      1 (MY-SERVER-IP):80       (ATTACKER-IP):3270      LAST_ACK
tcp        0      1 (MY-SERVER-IP):80       (ATTACKER-IP):2469      LAST_ACK
tcp        0      1 (MY-SERVER-IP):80       (ATTACKER-IP):2468      LAST_ACK
tcp        0      1 (MY-SERVER-IP):80       (ATTACKER-IP):4588      LAST_ACK
tcp        0      1 (MY-SERVER-IP):80       (ATTACKER-IP):1088      LAST_ACK
tcp        0      1 (MY-SERVER-IP):80       (ATTACKER-IP):1897      LAST_ACK
tcp        0      1 (MY-SERVER-IP):80       (ATTACKER-IP):3694      LAST_ACK
tcp        0      1 (MY-SERVER-IP):80       (ATTACKER-IP):1900      LAST_ACK
tcp        0      1 (MY-SERVER-IP):80       (ATTACKER-IP):3649      LAST_ACK
tcp        0      1 (MY-SERVER-IP):80       (ATTACKER-IP):2047      LAST_ACK
tcp        0      1 (MY-SERVER-IP):80       (ATTACKER-IP):1090      LAST_ACK
tcp        0      1 (MY-SERVER-IP):80       (ATTACKER-IP):1315      LAST_ACK
tcp        0      1 (MY-SERVER-IP):80       (ATTACKER-IP):1490      LAST_ACK
tcp        0      1 (MY-SERVER-IP):80       (ATTACKER-IP):4310      LAST_ACK
tcp        0      1 (MY-SERVER-IP):80       (ATTACKER-IP):1130      LAST_ACK
tcp        0      1 (MY-SERVER-IP):80       (ATTACKER-IP):1130      LAST_ACK
tcp        0      1 (MY-SERVER-IP):80       (ATTACKER-IP):4079      LAST_ACK
tcp        0      1 (MY-SERVER-IP):80       (ATTACKER-IP):1093      LAST_ACK
tcp        0      1 (MY-SERVER-IP):80       (ATTACKER-IP):4080      LAST_ACK
tcp        0      1 (MY-SERVER-IP):80       (ATTACKER-IP):1094      LAST_ACK
tcp        0      1 (MY-SERVER-IP):80       (ATTACKER-IP):1049      LAST_ACK
tcp        0      1 (MY-SERVER-IP):80       (ATTACKER-IP):1908      LAST_ACK
tcp        0      1 (MY-SERVER-IP):80       (ATTACKER-IP):4078      LAST_ACK
tcp        0      1 (MY-SERVER-IP):80       (ATTACKER-IP):4705      LAST_ACK
tcp        0      1 (MY-SERVER-IP):80       (ATTACKER-IP):3342      LAST_ACK
tcp        0      1 (MY-SERVER-IP):80       (ATTACKER-IP):3087      LAST_ACK
tcp        0      1 (MY-SERVER-IP):80       (ATTACKER-IP):2920      LAST_ACK
tcp        0      1 (MY-SERVER-IP):80       (ATTACKER-IP):4340      LAST_ACK
tcp        0      1 (MY-SERVER-IP):80       (ATTACKER-IP):3268      LAST_ACK
tcp        0      1 (MY-SERVER-IP):80       (ATTACKER-IP):1091      LAST_ACK
tcp        0      1 (MY-SERVER-IP):80       (ATTACKER-IP):3269      LAST_ACK
tcp        0      1 (MY-SERVER-IP):80       (ATTACKER-IP):1898      LAST_ACK
tcp        0      1 (MY-SERVER-IP):80       (ATTACKER-IP):3784      LAST_ACK
tcp        0      1 (MY-SERVER-IP):80       (ATTACKER-IP):1097      LAST_ACK
tcp        0      1 (MY-SERVER-IP):80       (ATTACKER-IP):2476      LAST_ACK
tcp        0      1 (MY-SERVER-IP):80       (ATTACKER-IP):1899      LAST_ACK

The server does not respond to HTTP anymore...




-----Original Message-----
From: Justin Pasher [mailto:justinp@newmediagateway.com]
Sent: Monday, 13 April 2009 22:47
To: users@httpd.apache.org
Cc: k.reznichak@pcpin.com
Subject: Re: [users@httpd] Connection flood: how to protect?

Kanstantin Reznichak wrote:
>
> Hello,
>
> One of my servers was affected by a TCP flood attack targeted at the HTTP
> service (Apache 2.2.8). Short attack description: an attacker opens a
> large number of TCP connections to the Apache service and sends a few bytes
> (for example, a single “GET / HTTP/1.1” line) to every opened
> connection. The HTTP service opens a new process for every such
> connection and waits for further input. After a short time, HTTPd
> reaches its connection limit and stops responding.
>
> Some of my servers are protected by a state-tracking firewall that
> protects them against this kind of attack.
>
> My question: is it possible to configure Apache HTTPd in order to
> protect it against these attacks?
>

Check out mod_limitipconn. You can restrict the number of simultaneous 
connections from individual IP addresses.

http://dominia.org/djao/limitipconn.html


-- 
Justin Pasher

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
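
One way to triage `netstat -atn` output like the listing in this message, added here as an example and not part of the original thread: it tallies connections per foreign address and separates sockets that only the kernel holds (SYN_RECV has not finished the handshake, LAST_ACK has already been closed locally) from ESTABLISHED ones that Apache may have accepted. The function names, the sample input and its documentation addresses are constructed for illustration; the limit of 15 mirrors the `MaxConnPerIP 15` setting above.

```python
from collections import Counter, defaultdict

# States in which only the kernel holds the socket: the handshake is not
# finished (SYN_RECV) or the local application has already closed (LAST_ACK).
KERNEL_ONLY = {"SYN_RECV", "LAST_ACK"}


def tally(netstat_text, port=80):
    """Count connections to local `port` per foreign IP and TCP state."""
    per_ip = defaultdict(Counter)
    for line in netstat_text.splitlines():
        f = line.split()
        # Data rows have six columns; skip headers and listening sockets.
        if len(f) != 6 or not f[0].startswith("tcp") or f[5] == "LISTEN":
            continue
        if f[3].rsplit(":", 1)[-1] != str(port):
            continue
        per_ip[f[4].rsplit(":", 1)[0]][f[5]] += 1
    return per_ip


def over_limit(per_ip, limit=15):
    """Return {ip: (kernel_only, established)} for sources above `limit`."""
    flagged = {}
    for ip, states in per_ip.items():
        kernel = sum(n for s, n in states.items() if s in KERNEL_ONLY)
        established = states.get("ESTABLISHED", 0)
        if kernel > limit or established > limit:
            flagged[ip] = (kernel, established)
    return flagged


def _row(foreign, state):  # one row in the `netstat -atn` column layout
    return f"tcp        0      0 192.0.2.10:80           {foreign:<23} {state}"


# Constructed sample (documentation addresses, not data from the thread).
SAMPLE = "\n".join(
    ["Active Internet connections (servers and established)",
     "Proto Recv-Q Send-Q Local Address           Foreign Address         State",
     "tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN"]
    + [_row(f"198.51.100.7:{3000 + i}", "SYN_RECV") for i in range(20)]
    + [_row(f"198.51.100.7:{4000 + i}", "LAST_ACK") for i in range(5)]
    + [_row(f"203.0.113.9:{5000 + i}", "ESTABLISHED") for i in range(3)]
)

if __name__ == "__main__":
    for ip, (kernel, est) in over_limit(tally(SAMPLE)).items():
        print(f"{ip}: {kernel} kernel-only, {est} established")
```

A source flagged with a high kernel-only count and few established connections is one that a per-IP limit inside Apache has little chance to count, which matches the "acts too late" observation in the message.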

