Subject: Re: Help with DoS attack exhausting Apache server processes
To: Sverre Froyen <sverre@viewmark.com>
From: Zafer Aydogan <zafer@gmx.org>
List: netbsd-users
Date: 01/11/2005 01:17:34
> Hi,
>
> Periodically, we experience what appears to be denial-of-service attacks
> on our Web site where a client (coming from a single IP address) will
> open a connection to the server every couple of seconds but never send
> http requests. Each new connection places a server process in a
> "reading" state until it times out after (by default) 300 seconds. It
> is equivalent to starting multiple telnets to port 80 without entering
> any data. At first, I thought that I could solve this by using the
> Apache module mod_limitipconn (or something similar) to limit the
> number of connections per IP address that Apache allows. It appears,
> however, that Apache does not provide a handler hook until it has
> received the client request (which never arrives).
>
> I am therefore looking for some way to accomplish the same result
> (limiting the number of TCP connections per IP address) by using some
> type of NetBSD system tool and I am looking for recommendations about
> what tool to use.
>
> Thank you,
>
> Sverre
>
Hej Sverre,
Set Timeout to a low value like 5 seconds.
This will help close open, dead connections.
And set KeepAliveTimeout to 15.
With these values you can still work (with a high load) if you are DoS'ed.
You can check from another computer (in your LAN) whether your server can
handle it with this script:
(works only with bash shell)
----
$ while true
>do
>telnet www.yourserver.com 80 &
>done
----
This will loop a telnet to port 80 on your machine. Watch your load (top)
and the processes spawned by Apache.
You can stop it with ctrl-C (a couple of times) and exit the shell.
That will terminate the open connections.
I noticed that Linux machines aren't impressed at all by such kinds of
scripts; I think they manage it with some kind of packet filter software.
Greets, Zafer.
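As an added example (not from either poster), the check a server admin would run on the NetBSD box itself while this is happening: count connections to port 80 per remote address from `netstat -an -f inet` output and report addresses holding more than a threshold. The input below is constructed and assumes the BSD netstat layout (`proto recvq sendq local foreign state`, with the port appended to the address after a dot).

```sh
#!/bin/sh
# Constructed sample in NetBSD "netstat -an -f inet" layout (not real data).
# 203.0.113.7 holds three connections to port 80 plus one to sshd;
# 198.51.100.22 holds one; the LISTEN socket must be ignored.
SAMPLE_NETSTAT='tcp        0      0  192.0.2.10.80          203.0.113.7.41234      ESTABLISHED
tcp        0      0  192.0.2.10.80          203.0.113.7.41235      ESTABLISHED
tcp        0      0  192.0.2.10.80          203.0.113.7.41236      ESTABLISHED
tcp        0      0  192.0.2.10.80          198.51.100.22.55001    ESTABLISHED
tcp        0      0  192.0.2.10.22          203.0.113.7.41300      ESTABLISHED
tcp        0      0  *.80                   *.*                    LISTEN'

# count_port_conns PORT  (reads netstat output on stdin)
# Prints "count remote-address", most connections first.
count_port_conns() {
    awk -v port="$1" '
        $1 == "tcp" && $6 != "LISTEN" {
            # local address is "addr.port"; keep only sockets on our port
            n = split($4, l, ".")
            if (l[n] != port) next
            # foreign address is "addr.port"; drop the trailing port field
            m = split($5, r, ".")
            raddr = r[1]
            for (i = 2; i < m; i++) raddr = raddr "." r[i]
            count[raddr]++
        }
        END { for (a in count) print count[a], a }
    ' | sort -rn
}

# offenders PORT THRESHOLD  (reads netstat output on stdin)
# Prints remote addresses with more than THRESHOLD connections to PORT.
offenders() {
    count_port_conns "$1" | awk -v t="$2" '$1 > t { print $2 }'
}

# offenders_from_sample PORT THRESHOLD: same check over the constructed sample.
# On a live host you would use:  netstat -an -f inet | offenders 80 20
offenders_from_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | offenders "$1" "$2"
}

offenders_from_sample 80 2
```

Addresses this reports can then be handed to whatever per-IP limiting the system's packet filter offers, which is the step the thread is looking for.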