Pattern matching odd HTTP request
Bill McGonigle
mcgonigle at medicalmedia.com
Thu Sep 20 13:32:50 UTC 2001
Thanks for all your work on this one, Karsten, and I hope you had a good
nap. :)
mod_throttle looks like it will stop a DOS from one client effectively,
though the configuration is a bit complex for just that use of it. I
plan to implement it for that. It doesn't appear to be useful though
for the type of DDOS that seems to be brewing (which I hope fizzles and
dies).
The traffic pattern I was seeing (one request every 1.5 minutes) means
it would take 45 attackers to tie up a stock Apache indefinitely. If
this was implemented as a nimda-like worm, using random IP scanning, and
it attacked as found servers, I think there would be a pretty good
chance of defending against it (firewall the ip if there are n number of
timeouts in a time period). If it did discovery first, though, and kept
a cache (I'm not going to throw a flag on someone looking for my
/index.html) then attacked at a predetermined time I can't think of a
way to defend against it with a per-IP configuration. I'd probably
never set my per-IP limit below 5, and this would use 3.33 connections
per IP.
If, however, Apache had a limit on 'barely-open connections' with some
sort of timeout function, I think that would help. For instance, it
might look like:
BarelyOpenConnectionTimeout 10
BarelyOpenConnectionLimit 50
Such that if there were 50 connections open that hadn't sent a request
for 10 seconds, it would stop dropping them in a FIFO manner.
I mostly hack on higher-level modules in mod_perl, so I don't know
enough about apache internals to speak to the feasibility of such a
function.
-Bill
More information about the NANOG
mailing list