httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nerius Landys <nlan...@gmail.com>
Subject Re: [users@httpd] Re: Preventing DoS attacks from single client host
Date Sun, 04 Apr 2010 04:09:15 GMT
>    if (ip_count > conf->limit) {
>        ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, "Rejected,
> too many connections in READ state from %s", c->remote_ip);
>        return OK;
>    } else {
>        return DECLINED;
>    }

I figured out what OK and DECLINED mean.  In httpd.h:

#define DECLINED -1             /**< Module declines to handle */
#define DONE -2                 /**< Module has served the response
completely
                                 *  - it's safe to die() with no more
output
                                 */
#define OK 0                    /**< Module has handled this stage. */


In other words, by returning OK it's telling Apache that we're pretty
much done processing the request.  DECLINED means we didn't do
anything and some other module must handle this request.

I tried changing OK to DONE in the mod_antiloris code, thinking it may
close the connection and kill the child process sooner.  However,
regardless of returning OK or DONE when ip_count is greater than
conf->limit, the 80 child processes (corresponding to MaxClients 80)
linger on my system during the attack.  I can still DoS attack my
webserver from a single client.

Is there any way to prevent even forking a child process if the TCP
connection comes from an IP address for which there are already a
certain number of child processes?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message