Posted to users@httpd.apache.org by Maxim Vexler <hq...@gmail.com> on 2005/08/12 20:55:21 UTC

[users@httpd] How to fight a client causing DoS ?

The DoS was caused because a client tried to use one of the popular
spiders to download the whole site.

I've attached a clip from the error log & the access log (CR/LF terminated).

As you can see the DoS client can be identified by his IP address.
The same behavior continued for ~8 hours :(

What can be done to stop the "attack" ?

Thank you.

-- 
Cheers, 
Maxim Vexler (hq4ever).

Do u GNU ?

Re: [users@httpd] How to fight a client causing DoS ?

Posted by Brian Candler <B....@pobox.com>.
On Sat, Aug 13, 2005 at 11:32:53AM +0200, Maxim Vexler wrote:
> > > The DoS was caused because a client tried to use one of the popular
> > > spiders to download the whole site.
> > >
> > > I've attached a clip from the error log & the access log (CR/LF terminated).
> > >
> > > As you can see the DoS client can be identified by his IP address.
> > > The same behavior continued for ~8 hours :(
> > >
> > > What can be done to stop the "attack" ?
...
> Sean, thank you for the quick reply.
> Don't you think that a complete block on the client's IP is too rash a tactic?
> It's a legitimate user, his only fault was that he used this spidering
> tool, which had the side effect of DoS on the httpd daemon, I honestly
> don't think the client meant this to occur.
> 
> I would like to note that I'm looking for some kind of automatic tool
> to fight this.
> Maybe a mod for Apache that could reject the client at the httpd
> daemon level on a time based period? The logic behind this is that
> this machine is not frequently monitored and I would prefer some kind
> of automatic solution.

mod_throttle can do this I believe (for Apache 1.3 only).
http://www.snert.com/Software/mod_throttle/#ThrottleClientIP  

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] How to fight a client causing DoS ?

Posted by Joost de Heer <sa...@xs4all.nl>.
> I would like to note that I'm looking for some kind of automatic tool
> to fight this.
> Maybe a mod for Apache that could reject the client at the httpd
> daemon level on a time based period?

Something like mod_throttle perhaps?

Joost




Re: [users@httpd] How to fight a client causing DoS ?

Posted by "Mark H. Wood" <mw...@IUPUI.Edu>.
On Sat, 13 Aug 2005, Maxim Vexler wrote:
> Sean, thank you for the quick reply.
> Don't you think that a complete block on the client's IP is too rash a tactic?
> It's a legitimate user, his only fault was that he used this spidering
> tool, which had the side effect of DoS on the httpd daemon, I honestly
> don't think the client meant this to occur.

  iptables -A INPUT -s the_offending_address -p tcp --dport 80 -j REJECT

should take the load off of Apache without blocking other traffic.  The
offender should receive an indication that his access was not welcome.  A
sharper rebuke can be sent by adding '--reject-with icmp-host-prohibited'.

If you prefer to respond with stony silence:

  iptables -A INPUT -s the_offending_address -p tcp --dport 80 -j DROP

should cause the unwanted traffic to be discarded without other action.
This should make his spider hang for a noticeable amount of time while it
waits for a response (which will never come) to its SYN packet, and if the
offender is savvy he'll still figure out that you refuse to talk to the
robot.

You could also look at iptables --connrate or --limit or even --dstlimit
if you just want to slow him down.

-- 
Mark H. Wood, Lead System Programmer   mwood@IUPUI.Edu
Open-source executable:  $0.00.  Source:  $0.00  Control:  priceless!
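
Added example, not part of the original thread or of any poster's message: one way to automate the time-limited block asked for above, by scanning the access log for clients that exceed a request rate and building the iptables REJECT rule plus its later removal. The function names, thresholds, block duration and the log lines (documentation addresses 192.0.2.10 and 198.51.100.7) are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format prefix: client, identd, user, [timestamp]
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def find_heavy_clients(lines, max_requests=20, window=timedelta(seconds=10)):
    """Map each client IP to the time it first exceeded max_requests per window."""
    recent = defaultdict(deque)          # ip -> request times inside the window
    flagged = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                     # malformed line: skip it
        try:
            # Validate before the value can reach a command string.
            ip = str(ipaddress.IPv4Address(m.group(1)))
            ts = datetime.strptime(m.group(2), TS_FMT)
        except ValueError:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:        # drop requests older than the window
            q.popleft()
        if len(q) > max_requests:
            flagged.setdefault(ip, ts)
    return flagged

def block_plan(flagged, block_for=timedelta(minutes=30)):
    """Return (add_rule, remove_rule, expires) per client; nothing is executed."""
    plan = []
    for ip, ts in sorted(flagged.items()):
        spec = f"INPUT -s {ip} -p tcp --dport 80 -j REJECT"
        # -I places the rule ahead of existing ACCEPTs; -D removes it at expiry.
        plan.append((f"iptables -I {spec}", f"iptables -D {spec}", ts + block_for))
    return plan

def sample_log():
    """Constructed log: 192.0.2.10 crawls at 10 req/s, 198.51.100.7 browses slowly."""
    base = datetime(2005, 8, 12, 20, 0, 0, tzinfo=timezone.utc)
    row = '{} - - [{}] "GET /p{}.html HTTP/1.0" 200 512'
    fast = [row.format("192.0.2.10", (base + timedelta(seconds=n // 10)).strftime(TS_FMT), n)
            for n in range(60)]
    slow = [row.format("198.51.100.7", (base + timedelta(seconds=10 * n)).strftime(TS_FMT), n)
            for n in range(6)]
    return fast + slow + ["garbage line"]

if __name__ == "__main__":
    for add, remove, expires in block_plan(find_heavy_clients(sample_log())):
        print(add, "| at", expires.isoformat(), "run:", remove)
```

The plan is only printed; applying the rules and scheduling the removal (for example from cron) is left to the operator.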




Re: [users@httpd] How to fight a client causing DoS ?

Posted by Maxim Vexler <hq...@gmail.com>.
On 8/12/05, Sean Conner <se...@conman.org> wrote:
> It was thus said that the Great Maxim Vexler once stated:
> >
> > The DoS was caused because a client tried to use one of the popular
> > spiders to download the whole site.
> >
> > I've attached a clip from the error log & the access log (CR/LF terminated).
> >
> > As you can see the DoS client can be identified by his IP address.
> > The same behavior continued for ~8 hours :(
> >
> > What can be done to stop the "attack" ?
> >
> > Thank you.
> 
>   It's pretty easy to stop this under Linux (this may work under other Unix
> flavors if you adjust the command accordingly), by doing, as root:
> 
> #GenericRootUnixPrompt> route add -host <ip.address.of.attacker> reject
> 
> This will cause Linux to ignore any packets from the given IP address (if it
> doesn't work, try "route add <ip.address> netmask 255.255.255.255 reject").
> 
>   -spc

Sean, thank you for the quick reply.
Don't you think that a complete block on the client's IP is too rash a tactic?
It's a legitimate user, his only fault was that he used this spidering
tool, which had the side effect of DoS on the httpd daemon, I honestly
don't think the client meant this to occur.

I would like to note that I'm looking for some kind of automatic tool
to fight this.
Maybe a mod for Apache that could reject the client at the httpd
daemon level on a time based period? The logic behind this is that
this machine is not frequently monitored and I would prefer some kind
of automatic solution.

Thank you for helping.

-- 
Cheers, 
Maxim Vexler (hq4ever).

Do u GNU ?
