httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nerius Landys <>
Subject [users@httpd] Preventing DoS attacks from single client host
Date Sat, 03 Apr 2010 23:32:04 GMT
Hi guys.  I'm in the process of writing some custom server code that
uses TCP sockets.  This is totally unrelated to Apache and the HTTP
protocol (but please read on, I'll get there).  I have quite a bit of
experience writing server code that communicates with UDP, but I've
had relatively little experience with TCP.  One of my big concerns
whenever I write server code is the possibility of flooding the
service with requests (DoS attack).

I started thinking about TCP and what would happen when a typical
service such as httpd was flooded with many almost idle TCP
connections.  I happen to run a couple of dedicated server boxes in a
data center that host a few amateur websites (amateur in the sense
that it's a hobby and it is in no way making me a profit).  I starting
thinking about how Apache would handle a connection flood attack.

So I wrote a computer program that tries to flood a service with TCP
connections.  The program does the following.  It first determines
what data to send to a server (array of bytes), and where to send it
to (sendTo hostname and sendTo port).  In my case for purposes of
running this test, the data to send is specified as an HTTP request
that I assembled by hand (well actually I intercepted an actual HTTP
request and modified it slightly).  Another parameter the program
takes is now many simultaneous TCP connections to open to the sendTo
host.  The program creates that many threads, and each thread creates
a socket to the sendTo host.  Each thread starts sending the data at a
very low speed.  It sends some small number of bytes after random
amounts of sleep/delay time, and keeps sending the data until all data
is sent.  It then reads socket input until the end of the input
arrives (using "Connection: close" in my HTTP request).

So what I did was run my program with 100 threads (100 simultaneous
TCP connections) that connected to my Apache httpd server.  The
program sent a few hundered bytes worth of HTTP headers in each
connection during a timespan of about one minute.

The httpd server that I sent this data to is configured with
"MaxClients 80", and it's using a pretty standard configuration that
comes with apache22 from ports on FreeBSD.  I believe it's using
mpm_prefork_module because I get a separate process showing up in top
for each request that is serviced (in my test case I got 80 or so
processes showing up in top).

So, when I run the 100 thread program against my max-80-clients
server, and each of the 100 threads takes over one minute to send the
complete HTTP request header, my Apache httpd server becomes
unavailable to other incoming connections.  In other words, it's a DoS
attack originating from a single client host.

I'm wondering what methods are preferred for preventing this sort of
attack.  I'm wondering this for two reasons: 1) I want to secure my
websites and 2) I want to learn techniques that address this issue
because I'm writing my own TCP-oriented server software.

I have read this page:
It seems that the best suggestion learned there is to configure a
system-wide firewall which limits the number of concurrent TCP
connections from a single IP address to port 80.  Is this indeed a
good strategy to follow?  If so, what is a good number of maximum TCP
connections to allow concurrently from a single IP address to port 80?
 I know this depends on things such as my website, but I really just
want to get a ballpark figure and reasons for that figure.

I'm also wondering if there exist any other good strategies for
dealing with a DoS attack as described above, coming from a single
host.  I do have the cband_module enabled for one of my virtual hosts.
 I'm using the cband module for a particular website to limit the
number of concurrent connections from one IP address to 1.  Because of
this, it seems that I cannot place anything more than a simple HTML
page on that virtual host (if I add images to a page for example,
downloading them will fail).  That's OK, because that particular
website is only doing a very CPU-intensive number-crunching activity
for clients that connect.  I am hosting images that go on that page on
a different virtual host that does not have cband activated.  I
noticed that the cband module takes effect at a rather higher level
than just at the lowest level TCP connection.  It does not work quite
the way I would expect it to work (there are some race conditions
which allow multiple CPU-crunching requests to be processed from the
same IP address concurrently on my website).

Your thoughts are very much appreciated.

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message