From: Rudi Feijó
Reply-To: users@httpd.apache.org
List: users@httpd.apache.org
Date: Tue, 21 Jan 2014 16:25:14 -0200
Message-ID: <005001cf16d6$20c75320$6255f960$@multidadosti.com.br>
Subject: [users@httpd] Security challenge, rejecting specific requests without blocking IP

Hello,

I have been trying to solve a big problem for the last 2 weeks with one of our servers (Apache 2.2, Windows, PHP).

The client using our system is a contact center firm. They have about 120 operators, all connecting to our web server with the same IP, their outgoing IP.

We have been suffering DoS attacks from some of these operators. These are simple browser attacks, namely 5 or 10 operators will just hold the F5 key and bombard the server with requests when they shouldn't.

There is very little we can do to improve the performance of these specific URLs the attackers are using. This is an application, not a public portal, so a lot of screens have a good amount of processing and real-time querying in them.

We did manage to produce a PHP protection which will recognize the multiple requests and blacklist the user. We use the user ID in the system to control who should be blacklisted, so this is all dependent on our own authentication. It works like this:

- the user logs in to our software, and we write his ID in a cookie
- a control file is created using that ID as the unique key
- from there we control whether he's hitting the same URL repeatedly, if the cookie exists
- after x requests on the same URL, the script will die, and a message will be displayed
- the control cookie is erased when the user logs off or after a 24-hour lifetime

This works to some extent, but it's a little "too late", since the request has already been sent and processed by the web server. Even after trimming down the request to a bare minimum, it's still a PHP request that will be enqueued and normally processed by the handler.
So the attackers now have to "hold F5" for a much longer time, but they are still keen on doing it anyhow.

Ideally, we need something EXACTLY like mod_evasive, but for rejecting single requests instead of blocking the IP.

For example: if a user calls the same URL 5 times in a 3-second span, we will reject every subsequent request for 30 seconds, but only the requests by that user.

Also, we can only work with Apache on Windows so far, but Linux-only solutions are also of interest if there are any.

Any help, suggestion or idea on how to brainstorm this issue is greatly appreciated.

---
This email is free of viruses and malware because avast! Antivirus protection is active.
http://www.avast.com

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
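The policy the post asks for (5 hits on the same URL by one user within 3 seconds, then reject that user's requests on that URL for 30 seconds, other users and URLs untouched), worked through as an added example that is not part of the original post and not code from any Apache module: a sliding-window limiter with a lockout, keyed on a server-side session lookup rather than on the client-writable user-ID cookie the post describes. `SameUrlLimiter`, `request_key`, `handle`, the `sessions` map and the request timeline in `run_scenario` are all constructed for this illustration; `PHPSESSID` is PHP's default session cookie name, used here only as the assumed cookie to look up.

```python
import math
import time
from collections import deque


class SameUrlLimiter:
    """Sliding-window limiter keyed on (user, URL) with a lockout period.

    More than `limit` hits on one URL by one user inside `window` seconds
    rejects every further hit on that URL by that user for `penalty` seconds.
    State lives in plain dicts (single process, example only); on a real
    server the poster's per-user control file or a shared cache would hold it.
    """

    def __init__(self, limit=5, window=3.0, penalty=30.0, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.penalty = penalty
        self.clock = clock            # injectable so the scenario below is deterministic
        self._hits = {}               # (user, path) -> deque of hit timestamps
        self._blocked_until = {}      # (user, path) -> time the lockout ends

    def check(self, user_key, path):
        """Return (allowed, retry_after_seconds). Must run before any expensive work."""
        now = self.clock()
        key = (user_key, path)

        until = self._blocked_until.get(key)
        if until is not None:
            if now < until:
                # Rejected hits do not extend the lockout (the post asks for a
                # fixed 30 s); extend it here for a stricter variant.
                return False, until - now
            del self._blocked_until[key]
            self._hits.pop(key, None)

        hits = self._hits.setdefault(key, deque())
        while hits and hits[0] <= now - self.window:   # drop hits outside the window
            hits.popleft()
        hits.append(now)

        if len(hits) > self.limit:
            self._blocked_until[key] = now + self.penalty
            del self._hits[key]
            return False, self.penalty
        return True, 0.0


def request_key(cookies, sessions, remote_addr, user_agent):
    """Resolve the limiter key on the server side.

    A user-ID cookie written by the application can be deleted or edited by the
    client, so the key comes from the session record instead; a request with no
    valid session falls back to a coarse key rather than being exempt.
    `sessions` stands in for whatever session store the application uses.
    """
    user = sessions.get(cookies.get("PHPSESSID"))
    if user is not None:
        return "user:%s" % user
    return "anon:%s:%s" % (remote_addr, user_agent)


def handle(limiter, user_key, path):
    """Return (status, retry_after) for one request; 429 means it was not processed."""
    allowed, retry = limiter.check(user_key, path)
    if allowed:
        return 200, None
    return 429, int(math.ceil(retry))    # value for the Retry-After header


class FakeClock:
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def run_scenario():
    """Constructed timeline: operator A holds F5 on /report while B works normally."""
    clock = FakeClock()
    limiter = SameUrlLimiter(limit=5, window=3.0, penalty=30.0, clock=clock)
    sessions = {"s-a": 17, "s-b": 42}           # constructed session -> user ID map
    key_a = request_key({"PHPSESSID": "s-a"}, sessions, "203.0.113.1", "Firefox")
    key_b = request_key({"PHPSESSID": "s-b"}, sessions, "203.0.113.1", "Firefox")
    events = [
        (0.0, key_a, "/report"), (0.5, key_a, "/report"), (1.0, key_a, "/report"),
        (1.5, key_a, "/report"), (2.0, key_a, "/report"),   # five hits: all allowed
        (2.5, key_a, "/report"),    # sixth inside 3 s: rejected, 30 s lockout starts
        (10.0, key_a, "/report"),   # still locked out, Retry-After counts down
        (10.0, key_b, "/report"),   # same outgoing IP, other user: unaffected
        (10.0, key_a, "/other"),    # same user, other URL: unaffected
        (32.5, key_a, "/report"),   # lockout over
    ]
    results = []
    for t, who, path in events:
        clock.t = t
        results.append(handle(limiter, who, path))
    return results
```

On the stack in the post the check would sit in a small PHP file loaded through php.ini's `auto_prepend_file`, so it runs before the expensive script, with the counters in the existing per-user control file (opened with a lock) or a shared cache; a rejected request should answer 429 Too Many Requests with a `Retry-After` header and exit immediately. Two design points matter for the threat described: keying on a server-side session means an operator cannot opt out by deleting the cookie, and the anonymous fallback key collapses everyone behind the contact center's single outgoing IP into one bucket, which is the IP-wide blocking the post wants to avoid, so requests without a session should be rare on a login-only application. Because rejected hits do not extend the lockout, a held F5 still gets `limit` requests processed every `penalty` seconds; extending the lockout on each rejected hit is the stricter choice.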