httpd-users mailing list archives

From Nerius Landys <nlan...@gmail.com>
Subject Re: [users@httpd] Re: Preventing DoS attacks from single client host
Date Tue, 06 Apr 2010 17:26:40 GMT
>
> You using iptables?  What rules did you end up using to accomplish this?
>

Using OpenBSD's Packet Filter.  It's not perfect; I have to set the
connection limit quite high (at 36) because the connection state stays
in the firewall for about a minute even during the FIN_WAIT_2 stage.
Here are my rules from pf.conf:


set optimization aggressive
ext_if = "em0"
# This will allow Slowloris attack from localhost, but that's OK.
pass in on $ext_if proto tcp from any to any port = http flags S/SA \
  synproxy state (source-track rule, max-src-conn 36, if-bound)

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
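As an added example (not part of the message above or of the list archive): the same per-source limit extended so that a host which trips it is moved into a table and blocked outright, instead of only having its excess connections refused. The table name `web_abusers`, the 15/5 rate and the 20-second finwait timeout are assumed values chosen for illustration, not taken from the post.

```pf
# Added example (not from the original message): per-source limiting
# with an overload table. Names and numbers below are assumptions.
set optimization aggressive
# Shorten how long a FIN_WAIT_2 state lingers so it counts against
# max-src-conn for less time (pf's default is 45 s; 20 is an assumption).
set timeout tcp.finwait 20

ext_if = "em0"

# Hosts that exceed the limits land here; "persist" keeps the table
# even when no loaded rule references it.
table <web_abusers> persist

# Anything already in the table is dropped before reaching the pass rule.
block in quick on $ext_if from <web_abusers>

# Same rule as the original post, plus:
#   max-src-conn-rate 15/5  -> at most 15 new connections per 5 s per host
#   overload <web_abusers>  -> offenders are added to the table
#   flush global            -> and all of their existing states are killed
pass in on $ext_if proto tcp from any to any port = http flags S/SA \
    synproxy state (source-track rule, max-src-conn 36, \
    max-src-conn-rate 15/5, overload <web_abusers> flush global, if-bound)

# Operations (as root):
#   pfctl -nf /etc/pf.conf                       syntax-check before loading
#   pfctl -t web_abusers -T show                 list blocked hosts
#   pfctl -t web_abusers -T delete 192.0.2.10    release one host (example address)
#   pfctl -t web_abusers -T flush                release all
#   pfctl -s states | grep FIN_WAIT_2            count the lingering states
```

pf does not age table entries out by itself; a cron job running `pfctl -t web_abusers -T expire 3600` (seconds, an assumed value) releases hosts after an hour.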

