From: Richard
To: users@httpd.apache.org
Date: Tue, 02 Feb 2016 16:56:31 +0000
Subject: Re: [users@httpd] Re: throttling IP addresses
Message-ID: <855200E749DD6D26BF6D5E3A@ritz.innovate.net>

What works will depend on your OS, but you may want to look at fail2ban: I
think it should be able to do the OS-level firewall management that you
need. [your external firewall sounds fairly lame.]

> Date: Tuesday, February 02, 2016 16:47:49 +0000
> From: George Genovezos
>
> Yes,
>
> I am referring to an external firewall.
>
> So the idea is to use the web server to proxy external traffic and
> place an IP hit counter that would throttle a DDoS attack. Even
> with a unix firewall, we still need a way to identify the threat
> and update the firewall. Do you have any thoughts on that?
>
> Thanks
>
> George Genovezos
> Application Security Architect
> CISSP, ISSAP, CIFI
>
> Copart
>
> On 2/1/16, 6:04 PM, "Richard" wrote:
>
>> Are you referring to a 3rd-party firewall in front of the machine
>> or the OS's firewall? Most *nix system (built-in) firewalls that
>> I've dealt with have a lot of granularity and capabilities. They
>> can certainly do IP-specific (or range) blocks on one (or all)
>> ports, and some can do the throttling for you. That's what I've
>> used when I've needed to deal with issues like yours. Changing a
>> web server response to a 403 doesn't have all that much effect if
>> you're dealing with high-volume traffic.
>>
>>> Date: Monday, February 01, 2016 22:07:45 +0100
>>> From: Luca Toscano
>>>
>>> Hi George,
>>>
>>> I would also check mod_qos for your use case!
>>>
>>> Luca
>>>
>>> On 01 Feb 2016 22:00, "George Genovezos" wrote:
>>>
>>>> Richard,
>>>>
>>>> I would agree with you that a more elegant solution is required.
>>>> Unfortunately the firewall will only block or allow a particular
>>>> port.
>>>>
>>>> The correct solution would be to implement an IPS solution in
>>>> front of a firewall, but we're in the "do more with less" phase.
>>>>
>>>> George Genovezos
>>>> Application Security Architect
>>>> CISSP, ISSAP, CIFI
>>>>
>>>> Copart
>>>>
>>>> On 2/1/16, 2:27 PM, "Richard" wrote:
>>>>
>>>>>> Date: Monday, February 01, 2016 19:52:51 +0000
>>>>>> From: George Genovezos
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I’m hoping someone can help with a problem I’m having. I
>>>>>> need a basic DDoS mitigation tool. Basically, either
>>>>>> throttling back certain IP addresses or blocking access after
>>>>>> too many connections per second.
>>>>>>
>>>>>> I know mod_evasive did this, but the project, to my knowledge,
>>>>>> is deprecated.
>>>>>>
>>>>>> So to draw this out, I want a web server to count the number
>>>>>> of connections per second, and if an IP breaches this limit,
>>>>>> to either throttle or block the connection. Then I want to
>>>>>> use mod_proxy to reverse proxy that clean connection to my
>>>>>> web servers.
>>>>>>
>>>>>> Any feedback would be greatly appreciated.
>>>>>>
>>>>>> George Genovezos
>>>>>> Application Security Architect
>>>>>> CISSP, ISSAP, CIFI
>>>>>>
>>>>>> Copart
>>>>>
>>>>> In my view, doing this at the web server is rather late in the
>>>>> game. If I'm reading the mod_evasive documentation correctly,
>>>>> all it (or something similar) does is stop serving content
>>>>> and return 403s. If your content is resource expensive to
>>>>> deliver that will help some, but you're still going to get
>>>>> all the requests hitting the web server and you're still
>>>>> going to be responding to them.
>>>>>
>>>>> The better place to address this is at your system's firewall.
>>>>> Depending on your system, you likely have firewall tools that
>>>>> can provide a more robust solution.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
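The "IP hit counter" George asks for, and the log-scanning half of what Richard points to fail2ban for, as an added example that is not part of the thread and is not fail2ban's or mod_evasive's own code: it parses Apache combined-format access-log lines, counts requests per source IP in a sliding window, and returns the IPs that breach the limit together with the firewall rules a ban action would apply. The log lines, the threshold, the allowlist and the iptables chain name `HTTP-RATELIMIT` are constructed/assumed for illustration; nothing is executed against a real firewall.

```python
"""Per-IP request-rate detector over Apache access-log lines (added example).

Reads combined-format log lines, keeps a sliding window of timestamps per
source IP, and reports IPs that exceed a request budget. Ban rules are
rendered as strings so the decision logic can be tested without touching
iptables. Sample log lines, limits and the chain name are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache combined format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, datetime) for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("time"), TIME_FMT)


def find_offenders(lines, max_requests, window_seconds, allowlist=frozenset()):
    """Return {ip: peak_count} for IPs that made more than max_requests within
    any window_seconds-long sliding window. Lines must be in log order."""
    windows = defaultdict(deque)  # ip -> timestamps still inside the window
    peak = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip junk lines rather than abort the whole scan
        ip, ts = parsed
        if ip in allowlist:
            continue  # never ban your own proxies or monitoring hosts
        q = windows[ip]
        q.append(ts)
        # drop timestamps that fell out of the trailing window
        while (ts - q[0]).total_seconds() >= window_seconds:
            q.popleft()
        if len(q) > max_requests:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak


def ban_commands(offenders, chain="HTTP-RATELIMIT"):
    """Render the rules a ban action would run (returned, not executed).
    The chain name is an assumption for this example."""
    return [f"iptables -I {chain} 1 -s {ip} -j DROP" for ip in sorted(offenders)]


# Constructed sample log: 203.0.113.9 makes 6 requests inside 2 seconds,
# 198.51.100.4 is a normal client, 10.0.0.5 is an internal host on the allowlist,
# and one line is garbage to show the parser skipping it.
SAMPLE_LOG = [
    '203.0.113.9 - - [02/Feb/2016:16:56:31 +0000] "GET / HTTP/1.1" 200 1234 "-" "curl/7.47"',
    '198.51.100.4 - - [02/Feb/2016:16:56:31 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [02/Feb/2016:16:56:31 +0000] "GET / HTTP/1.1" 200 1234 "-" "curl/7.47"',
    '203.0.113.9 - - [02/Feb/2016:16:56:31 +0000] "GET / HTTP/1.1" 200 1234 "-" "curl/7.47"',
    '203.0.113.9 - - [02/Feb/2016:16:56:32 +0000] "GET / HTTP/1.1" 200 1234 "-" "curl/7.47"',
    'this is not a log line',
    '203.0.113.9 - - [02/Feb/2016:16:56:32 +0000] "GET / HTTP/1.1" 200 1234 "-" "curl/7.47"',
    '198.51.100.4 - - [02/Feb/2016:16:56:33 +0000] "GET /style.css HTTP/1.1" 200 800 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [02/Feb/2016:16:56:32 +0000] "GET / HTTP/1.1" 200 1234 "-" "curl/7.47"',
] + [
    '10.0.0.5 - - [02/Feb/2016:16:56:33 +0000] "GET /health HTTP/1.1" 200 2 "-" "monitor/1.0"'
] * 6

INTERNAL_HOSTS = frozenset({"10.0.0.5"})  # assumed allowlist


if __name__ == "__main__":
    hits = find_offenders(SAMPLE_LOG, max_requests=5, window_seconds=2, allowlist=INTERNAL_HOSTS)
    for ip, n in hits.items():
        print(f"{ip}: peak {n} requests in 2s window")
    for cmd in ban_commands(hits):
        print(cmd)
```

Two points the script makes concrete: the ban lands in the packet filter (a DROP rule), which is Richard's argument that a 403 from httpd still costs a full request, and internal hosts are allowlisted so a health checker cannot be banned. If httpd is itself the reverse proxy, as in George's design, its access log records the real client address; if it instead sits behind another proxy, the `ip` field is the proxy's and the counter would ban the proxy unless the log is switched to the forwarded client address (for example with mod_remoteip).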