perl-modperl mailing list archives

From Stas Bekman
Subject Re: Strategy against 'trivial' DOS attacks?
Date Tue, 13 May 2003 01:14:27 GMT
Perrin Harkins wrote:
> On Mon, 2003-05-12 at 18:25, wrote:
>>I then searched for apache module list. There is a patch to create a "Connection
>>Timeout" directive to Apache. Unlike the built-in Timeout, it checks only at the
>>initial connection circle. The patch works fine with Apache 1.23. I set
>>Connection Timeout to be 5 seconds, and it works fine (with 1024 MaxClients).
> That sounds like a good approach.  Ideally, you would also log the IP of
> offending clients here, so you can block them with iptables. 
> Incidentally, this could probably be done entirely in Perl with mod_perl
> 2.

Indeed, in mod_perl 2.0 you can write a PreConnection handler, which happens 
immediately after connection has been established, before any incoming data is 

# PerlPreConnectionHandler MyApache::PreConnectionRemoteIP

package MyApache::PreConnectionRemoteIP;

use strict;
use warnings FATAL => 'all';

use Apache::Connection ();

use Apache::Const -compile => qw(OK);

sub handler {
    my Apache::Connection $c = shift;

    # address of the client that opened this connection
    my $ip = $c->remote_ip;
    # do something with that $ip;
    return Apache::OK;
}

1;

Hmm, I guess you could close the socket right here, not sure how Apache will 
like it. But you can always return an error code, which will cleanly abort the 
connection (starting from Apache 2.0.45 only, older versions will segfault).

Looks like a good opportunity for a new useful module. All you need is to port 
the existing examples (like Randal's column Perrin has referred to earlier in 
this thread) into this earlier stage. Any takers?

Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker     mod_perl Guide --->
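
One way to write the module the message asks for, added here as an example and not code from the thread or from mod_perl itself: a PreConnection handler that counts connections per client IP in a sliding window, logs offenders to the error log, and returns an error code to abort the connection. The module name, the thresholds and the choice of Apache::FORBIDDEN as the error code are assumptions; API names follow the message (later mod_perl 2 releases renamed the Apache:: namespace to Apache2::).

```perl
# httpd.conf (assumed): PerlPreConnectionHandler MyApache::ConnRateLimit
package MyApache::ConnRateLimit;    # hypothetical module name

use strict;
use warnings FATAL => 'all';

use Apache::Connection ();
use Apache::Const -compile => qw(OK FORBIDDEN);

# Constructed thresholds, tune for the site.
use constant MAX_CONN => 20;
use constant WINDOW   => 10;    # seconds

# Per-process state: under the prefork MPM every child keeps its own
# table, so the effective limit is MAX_CONN per child, not per server.
my %seen;    # ip => [ epoch times of recent connections, oldest first ]

# Record one connection from $ip at time $now; true when the IP now has
# more than MAX_CONN connections inside the last WINDOW seconds.
sub over_limit {
    my ($ip, $now) = @_;
    my $hits = $seen{$ip} ||= [];
    shift @$hits while @$hits && $hits->[0] <= $now - WINDOW;
    push @$hits, $now;
    return @$hits > MAX_CONN;
}

# Forget IPs with no recent connections so the table stays bounded.
sub prune {
    my ($now) = @_;
    for my $ip (keys %seen) {
        delete $seen{$ip} if $seen{$ip}[-1] <= $now - WINDOW;
    }
}

sub handler {
    my Apache::Connection $c = shift;
    my ($ip, $now) = ($c->remote_ip, time);
    prune($now) if keys(%seen) > 10_000;

    if (over_limit($ip, $now)) {
        # One error-log line per refused connection, usable as input for a firewall block list.
        warn "ConnRateLimit: refusing $ip (over ", MAX_CONN, " connections in ", WINDOW, "s)\n";
        return Apache::FORBIDDEN;    # per the message, needs Apache 2.0.45 or later
    }
    return Apache::OK;
}

1;
```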
