Date: Tue, 02 Feb 2016 00:04:02 +0000
From: Richard
To: users@httpd.apache.org
Subject: Re: [users@httpd] Re: throttling IP addresses

Are you referring to a 3rd-party firewall in front of the machine or the OS's firewall? Most *nix system (built-in) firewalls that I've dealt with have a lot of granularity and capabilities. They can certainly do IP-specific (or range) blocks on one (or all) ports, and some can do the throttling for you. That's what I've used when I've needed to deal with issues like yours. Changing a web server response to a 403 doesn't have all that much effect if you're dealing with high-volume traffic.

> Date: Monday, February 01, 2016 22:07:45 +0100
> From: Luca Toscano
>
> Hi George,
>
> I would also check mod_qos for your use case!
>
> Luca
> On 1 Feb 2016 22:00, "George Genovezos" wrote:
>
>> Richard,
>>
>> I would agree with you that a more elegant solution is required.
>> Unfortunately the firewall will only block or allow a particular
>> port.
>>
>> The correct solution would be to implement an IPS solution in
>> front of a firewall, but we're in the do-more-with-less phase.
>>
>> George Genovezos
>> Application Security Architect
>> CISSP, ISSAP, CIFI
>>
>> Copart
>>
>> On 2/1/16, 2:27 PM, "Richard" wrote:
>>
>> >
>> >> Date: Monday, February 01, 2016 19:52:51 +0000
>> >> From: George Genovezos
>> >>
>> >> Hi,
>> >>
>> >> I'm hoping someone can help with a problem I'm having. I
>> >> need a basic DDoS mitigation tool. Basically, either
>> >> throttling back certain IP addresses or blocking access after
>> >> too many connections per second.
>> >>
>> >> I know mod_evasive did this but the project, to my knowledge, is
>> >> deprecated.
>> >>
>> >> So to draw this out, I want a web server to count the number of
>> >> connections per second, and if an IP breaches this limit to
>> >> either throttle or block the connection. Then I want to use
>> >> mod_proxy to reverse proxy that clean connection to my web
>> >> servers.
>> >>
>> >> Any feedback would be greatly appreciated.
>> >>
>> >> George Genovezos
>> >> Application Security Architect
>> >> CISSP, ISSAP, CIFI
>> >>
>> >> Copart
>> >
>> > In my view, doing this at the web server is rather late in the
>> > game. If I'm reading the mod_evasive documentation correctly,
>> > all it (or something similar) does is stop serving content and
>> > return 403s. If your content is resource-expensive to deliver
>> > that will help some, but you're still going to get all the
>> > requests hitting the web server and you're still going to be
>> > responding to them.
>> >
>> > The better place to address this is at your system's firewall.
>> > Depending on your system, you likely have firewall tools that
>> > can provide a more robust solution.
>> >
>>
------------ End Original Message ------------

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
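The policy George describes (count connections per second per source IP, and block an IP that breaches the limit for a cooling-off period) as a small working model, added here as an example; it is not code from the thread, mod_evasive or mod_qos, and the addresses and timestamps are constructed sample data:

```python
"""Per-source-IP connection-rate limiter: sliding one-second window,
offenders blocked for a fixed cooling-off period. Added example; the
sample events below are constructed, not captured traffic."""
from collections import defaultdict, deque


class ConnectionRateLimiter:
    """Tracks new connections per IP within the last second."""

    def __init__(self, max_per_second, block_seconds):
        self.max_per_second = max_per_second
        self.block_seconds = block_seconds
        self._window = defaultdict(deque)  # ip -> timestamps in last 1s
        self._blocked_until = {}           # ip -> time the block expires

    def check(self, ip, now):
        """Return 'allow', 'block' (limit just breached) or 'blocked'
        (still inside the cooling-off period)."""
        expires = self._blocked_until.get(ip)
        if expires is not None:
            if now < expires:
                return "blocked"
            del self._blocked_until[ip]  # block expired, start fresh
        q = self._window[ip]
        while q and now - q[0] >= 1.0:   # drop timestamps older than 1s
            q.popleft()
        q.append(now)
        if len(q) > self.max_per_second:
            self._blocked_until[ip] = now + self.block_seconds
            q.clear()
            return "block"
        return "allow"


# Constructed sample: (timestamp in seconds, source IP). 203.0.113.7
# opens 8 connections in under a second; 198.51.100.2 opens one per second.
SAMPLE_EVENTS = [
    (100.0, "203.0.113.7"), (100.1, "203.0.113.7"), (100.2, "203.0.113.7"),
    (100.3, "198.51.100.2"),
    (100.3, "203.0.113.7"), (100.4, "203.0.113.7"), (100.5, "203.0.113.7"),
    (100.6, "203.0.113.7"), (100.7, "203.0.113.7"),
    (101.3, "198.51.100.2"), (102.3, "198.51.100.2"),
    (115.0, "203.0.113.7"),  # after the 10s block has expired
]


def run(events, max_per_second=5, block_seconds=10):
    """Apply the limiter to time-ordered events; returns (t, ip, decision)."""
    limiter = ConnectionRateLimiter(max_per_second, block_seconds)
    return [(t, ip, limiter.check(ip, t)) for t, ip in events]
```

Only the decision is modelled here; the same per-IP limit applied to SYNs in the host firewall, as Richard suggests, keeps the excess connections from reaching httpd at all.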