httpd-users mailing list archives

From "Kanstantin Reznichak" <k.reznic...@pcpin.com>
Subject AW: [users@httpd] Connection flood: how to protect?
Date Tue, 14 Apr 2009 21:33:24 GMT
Yes, that's it. My current experience with Linux iptables was not enough to
define reliable rules against SYN flooding. All my other servers are either
OpenBSD itself or located behind OpenBSD's PF, which provides effective
flooding protection.

The problem was solved by adding appropriate rules to iptables based on the
following tutorial: http://www.debian-administration.org/articles/187

I have also followed your advice and increased Apache connection limits.

Thank you!

-----Original Message-----
From: Sean Conner [mailto:spc@conman.org]
Sent: Tuesday, 14 April 2009 22:14
To: users@httpd.apache.org
Subject: Re: [users@httpd] Connection flood: how to protect?

It was thus said that the Great Kanstantin Reznichak once stated:
> Hello,
> 
> Thank you for the reply. Unfortunately, mod-limitipconn seems to act too late.
> After installing and enabling it:
> <Location />
>   MaxConnPerIP 15
> </Location>
> 
> Netstat shows:
> # netstat -atn
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State
> tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
> tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):3930      SYN_RECV
> tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):3316      SYN_RECV
> tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):4147      SYN_RECV
> tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):3854      SYN_RECV
> tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):1500      SYN_RECV

  That's a SYN flood, and I've been on the receiving end of those, and I've
written about what I did to reduce the problem under Linux.

	http://boston.conman.org/2005/08/11.2 (summary of the link below)
	http://boston.conman.org/2004/01/04.2

  Hopefully, some of that is helpful to you.

  -spc


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
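
Added example, not part of the original messages: a small shell check that reads `netstat -atn` output like the listing quoted above and counts half-open (SYN_RECV) connections per remote address. Sockets in SYN_RECV have not completed the TCP handshake and have not been handed to Apache yet, so they have to be measured at the TCP level. The function names and the sample addresses (documentation ranges) are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise half-open connections from `netstat -atn` output.

# syn_recv_by_source: read netstat -atn output on stdin and print
# "<count> <remote-address>" for every source with SYN_RECV sockets,
# highest count first.
syn_recv_by_source() {
    awk '
        # Data rows look like: Proto Recv-Q Send-Q Local Foreign State
        $1 ~ /^tcp/ && $NF == "SYN_RECV" {
            remote = $5
            sub(/:[0-9]+$/, "", remote)   # drop the trailing :port
            count[remote]++
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# flag_sources THRESHOLD: print only the sources that hold at least
# THRESHOLD half-open connections.
flag_sources() {
    syn_recv_by_source | awk -v t="$1" '$1 >= t { print $2 }'
}

# Constructed sample input (not captured from a real host).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:3930       SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:3316       SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:4147       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:51234       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.9:40022       ESTABLISHED
EOF
}

# Demo run on the constructed sample.
sample_netstat | syn_recv_by_source
```

On a live host the same functions can be fed directly, for example `netstat -atn | flag_sources N` with a threshold N chosen for the server's normal traffic.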