httpd-users mailing list archives

From Richard <lists-apa...@listmail.innovate.net>
Subject Re: [users@httpd] Re: throttling IP addresses
Date Tue, 02 Feb 2016 16:56:31 GMT
What works will depend on your OS, but you may want to look at
fail2ban:

  <http://www.fail2ban.org/wiki/index.php/Main_Page>


I think it should be able to do the OS-level firewall management
that you need.

[your external firewall sounds fairly lame.]


> Date: Tuesday, February 02, 2016 16:47:49 +0000
> From: George Genovezos <George.Genovezos@Copart.Com>
>
> Yes,
> 
> I am referring to an external firewall.
> 
> So the idea is to use the web server to proxy external traffic and
> place an IP hit counter, that would throttle a DDOS attack. Even
> with a unix firewall, we still need a way to identify the threat
> and update the firewall. Do you have any thoughts on that?
> 
> Thanks
> 
> 
> George Genovezos
> Application Security Architect
> CISSP, ISSAP, CIFI
> 
> Copart
> I-- 
> 
> 
> 
> 
> 
> 
> 
> On 2/1/16, 6:04 PM, "Richard" <lists-apache@listmail.innovate.net>
> wrote:
> 
>> Are you referring to a 3rd-party firewall in front of the machine
>> or the OS's firewall. Most *nix system (built-in) firewalls that
>> I've dealt with have a lot of granularity and capabilities. They
>> can certainly do IP-specific (or range) blocks on one (or all)
>> ports and some can do the throttling for you. That's what I've
>> used when I've needed to deal with issues like yours. Changing a
>> web server response to a 403 doesn't have all that much effect if
>> you're dealing with high-volume traffic.
>> 
>> 
>>> Date: Monday, February 01, 2016 22:07:45 +0100
>>> From: Luca Toscano <toscano.luca@gmail.com>
>>> 
>>> Hi George,
>>> 
>>> I would also check mod_qos for your use case!
>>> 
>>> Luca
>>> On 01 Feb 2016 22:00, "George Genovezos"
>>> <George.Genovezos@copart.com> wrote:
>>> 
>>>> Richard,
>>>> 
>>>> I would agree with you that a more elegant solution is required.
>>>> Unfortunately the firewall will only block or allow a particular
>>>> port.
>>>> 
>>>> The correct solution would be to implement an IPS solution in
>>>> front of a firewall, but we're in the do more with less phase.
>>>> 
>>>> 
>>>> George Genovezos
>>>> Application Security Architect
>>>> CISSP, ISSAP, CIFI
>>>> 
>>>> Copart
>>>> I--
>>>> 
>>>> On 2/1/16, 2:27 PM, "Richard"
>>>> <lists-apache@listmail.innovate.net> wrote:
>>>> 
>>>> > 
>>>> > 
>>>> >> Date: Monday, February 01, 2016 19:52:51 +0000
>>>> >> From: George Genovezos <George.Genovezos@Copart.Com>
>>>> >> 
>>>> >> Hi,
>>>> >> 
>>>> >> I’m hoping someone can help with a problem I’m having. I
>>>> >> need a basic DDoS mitigation tool. Basically, either
>>>> >> throttling back certain IP addresses or blocking access after
>>>> >> too many connections per second.
>>>> >> 
>>>> >> I know mod_evasive did this but the project, to my knowledge
>>>> >> is deprecated.
>>>> >> 
>>>> >> So to draw this out, I want a web server to count the number
>>>> >> of connections per second, and if an IP breaches this limit
>>>> >> to either throttle or block the connection. Then I want to
>>>> >> use mod_proxy to reverse proxy that clean connection to my
>>>> >> web servers.
>>>> >> 
>>>> >> Any feedback would be greatly appreciated.
>>>> >> 
>>>> >> George Genovezos
>>>> >> Application Security Architect
>>>> >> CISSP, ISSAP, CIFI
>>>> >> 
>>>> >> Copart
>>>> > 
>>>> > In my view, doing this at the web server is rather late in the
>>>> > game. If I'm reading the mod_evasive documentation correctly,
>>>> > all it (or something similar) does is stops serving content
>>>> > and returns 403s. If your content is resource expensive to
>>>> > deliver that will help some, but you're still going to get
>>>> > all the requests hitting the web server and you're still
>>>> > going to be responding to them.
>>>> > 
>>>> > The better place to address this is at your system's firewall.
>>>> > Depending on your system, you likely have firewall tools that
>>>> > can provide a more robust solution.
>>>> > 
>>>> > 
>>>> > 
>>>> > ---------------------------------------------------------------------
>>>> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>>> > For additional commands, e-mail: users-help@httpd.apache.org
>>>> > 
>>>> 
>> 
>> ------------ End Original Message ------------
>> 
>> 
>> 
> 

------------ End Original Message ------------



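The "IP hit counter" step George describes in the thread above (count per-IP requests, flag an address once it breaches a per-second limit, then hand that address to the firewall) as an added example; this is not code from the thread, from fail2ban, mod_evasive or mod_qos. It assumes Apache combined-format access-log lines as input, uses a constructed sample log, and picks an arbitrary threshold of 5 requests within a 1-second window. The list of flagged addresses it returns is the "identify the threat" output that a tool like fail2ban would turn into OS-level firewall rules, which is the part Richard argues belongs outside the web server.

```python
"""Per-IP request-rate counter over Apache access-log lines.

Added example for the httpd-users thread on throttling IP addresses. It is
not the thread's code nor fail2ban's: it only shows the detection step
(which IPs exceed a requests-per-second limit). Log lines, threshold and
window below are constructed/assumed values.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Prefix of an Apache common/combined log line: "<ip> <ident> <user> [<timestamp>]"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\]')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"   # e.g. 02/Feb/2016:16:56:31 +0000


class RateTracker:
    """Sliding-window counter: an IP is flagged once it makes more than
    `limit` requests inside any `window`-second span."""

    def __init__(self, limit=5, window=1.0):
        self.limit = limit
        self.window = timedelta(seconds=window)
        self.hits = defaultdict(deque)   # ip -> timestamps still inside the window
        self.flagged = {}                # ip -> timestamp at which it was first flagged

    def observe(self, ip, ts):
        """Record one request; return True if the IP is (now) flagged."""
        q = self.hits[ip]
        q.append(ts)
        # Drop timestamps that fell out of the window.
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) > self.limit and ip not in self.flagged:
            self.flagged[ip] = ts
        return ip in self.flagged


def parse_line(line):
    """Return (ip, datetime) for a well-formed log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def find_offenders(lines, limit=5, window=1.0):
    """Run the counter over log lines; return the sorted list of flagged IPs.
    Malformed lines are skipped rather than aborting the scan."""
    tracker = RateTracker(limit, window)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        tracker.observe(*parsed)
    return sorted(tracker.flagged)


# Constructed sample log (documentation-range addresses, not real traffic):
# 198.51.100.7 fires 8 requests in the same second; the others stay well
# under the limit; one line is deliberately malformed.
SAMPLE_LOG = [
    '192.0.2.1 - - [02/Feb/2016:16:56:30 +0000] "GET / HTTP/1.1" 200 512',
    *['198.51.100.7 - - [02/Feb/2016:16:56:31 +0000] "GET /search?q=x HTTP/1.1" 200 2048'
      for _ in range(8)],
    '192.0.2.1 - - [02/Feb/2016:16:56:31 +0000] "GET /about HTTP/1.1" 200 300',
    '203.0.113.5 - - [02/Feb/2016:16:56:32 +0000] "GET / HTTP/1.1" 200 512',
    'not a log line',
    '192.0.2.1 - - [02/Feb/2016:16:56:33 +0000] "GET /contact HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    # These addresses are what a fail2ban-style action would pass to the
    # OS firewall; the script itself only reports them.
    print(find_offenders(SAMPLE_LOG))
```

The window is a deque per IP rather than a fixed per-second bucket so that a burst straddling a second boundary is still counted together; raise `limit` or `window` to tune sensitivity, and note that the counter only sees requests the web server has already accepted, which is exactly why the thread recommends pushing the block itself down to the firewall.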

