Subject: Re: Help with DoS attack exhausting Apache server processes
To: Zafer Aydogan <zafer@gmx.org>
From: Sverre Froyen <sverre@viewmark.com>
List: netbsd-users
Date: 01/11/2005 08:55:01
Hi,
Thanks for your suggestion. Unfortunately, decreasing the timeout value
is not an option. We are providing pages that take a long time to
generate and that would fail to display with a short timeout. Perhaps
if there was a way to provide a separate timeout for the
reading-request phase...
Interestingly, Linux provides the iptables command that appears to do the
trick, and FreeBSD has (the discredited?) AcceptFilter. I'm thinking
that pf can perhaps be used to accomplish the task but I cannot find
any example of this.
Thanks again,
Sverre
On Monday 10 January 2005 17:17, Zafer Aydogan wrote:
> > Hi,
> >
> > Periodically, we experience what appears to be denial-of-service attacks
> > on our Web site where a client (coming from a single IP address) will
> > open a connection to the server every couple of seconds but never send
> > http requests. Each new connection places a server process in a
> > "reading" state until it times out after (by default) 300 seconds. It
> > is equivalent to starting multiple telnets to port 80 without entering
> > any data. At first, I thought that I could solve this by using the
> > Apache module mod_limitipconn (or something similar) to limit the
> > number of connections per IP address that Apache allows. It appears,
> > however, that Apache does not provide a handler hook until it has
> > received the client request (which never arrives).
> >
> > I am therefore looking for some way to accomplish the same result
> > (limiting the number of TCP connections per IP address) by using some
> > type of NetBSD system tool and I am looking for recommendations about
> > what tool to use.
> >
> > Thank you,
> >
> > Sverre
> >
>
>
> Hej Sverre,
>
> Set TIMEOUT to a low value like 5 seconds.
> This will help close open, dead connections.
> And set KeepAliveTimeout to 15.
>
> With these values you can still work (with a high load) if you are
> DoS'ed.
>
> You can check your server from another computer (in your LAN) with this
> script, if it can handle it:
> (works only with bash shell)
> ----
> $ while test==1
> >do
> >telnet www.yourserver.com 80 &
> >done
> ---
> This will loop a telnet to port 80 onto your machine. Watch your load (top)
> and the processes spawned by Apache.
> You can stop it with ctrl-C (a couple of times) and exit the shell.
> That will terminate the open connections.
>
> I noticed that Linux machines aren't impressed at all by such kinds of
> scripts, because I think they are managing it with some kind of packet
> filter software.
>
> Greets, Zafer.
>
>
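For reference, here is an added pf.conf example (not from this thread or from either poster) of the per-source connection limit Sverre is asking about, applied in front of Apache on port 80. It assumes a pf that supports the max-src-conn, max-src-conn-rate and overload state options (introduced in OpenBSD 3.7, so check pf.conf(5) for the NetBSD release in use); the interface name, server address, table name and thresholds are assumed values.

```pf
# Added example, not part of the thread. Assumed names: ext_if, web_srv
# and the table <http_abusers>; thresholds are illustrative.
ext_if  = "fxp0"
web_srv = "192.0.2.10"

# Sources that exceed the limits are collected here. "persist" keeps the
# table alive while it is empty; inspect it with
# "pfctl -t http_abusers -T show" and clear it with "... -T flush".
table <http_abusers> persist

# Drop everything from a source once it is in the table.
block in quick on $ext_if from <http_abusers>

# Allow HTTP, create state only on the initial SYN (flags S/SA), and
# attach per-source limits to the rule:
#   max-src-conn 20          at most 20 simultaneous TCP connections from
#                            one source IP; each idle "reading" Apache
#                            child holds one, so keep this far below
#                            MaxClients
#   max-src-conn-rate 15/5   at most 15 new connections per 5 seconds from
#                            one source (a client opening one connection
#                            every couple of seconds stays under this and
#                            is caught by max-src-conn instead)
#   overload ... flush global
#                            put a source that breaks either limit into
#                            the table and tear down all of its existing
#                            states, which frees the Apache processes
#                            those idle connections were holding
pass in on $ext_if proto tcp from any to $web_srv port 80 \
    flags S/SA keep state \
    (max-src-conn 20, max-src-conn-rate 15/5, \
     overload <http_abusers> flush global)
```

Clients behind a shared NAT appear as one source address, so size max-src-conn with the largest legitimate NAT population in mind before enabling the overload rule.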