Posted to modperl@perl.apache.org by Martijn <sw...@googlemail.com> on 2007/04/11 15:47:47 UTC

Stonehenge::Throttle (or: using mod_perl to keep evil visitors away)

Hello.

Like everyone who runs a web server, I find that occasionally -and more
often than I'd like- the web server gets a lot of requests (thousands)
within a short period of time from the same IP address. I don't
mind a sudden increase in interest in the website, but this usually means
someone is doing something bad.

I thought mod_perl should be able to deal with such (ab)users and send
them away if they knock on our door too many times. So I did some
research and stumbled upon a Perl module called Stonehenge::Throttle
which is described here:
http://www.stonehenge.com/merlyn/LinuxMag/col17.html

It sounds all nice and interesting, but the article is from 2000 and
when I search for the module name, Google has hardly any other
results. Which could mean that either it works so perfectly well that
no one even bothered to write documentation, or that it is outdated,
replaced by something better and shouldn't be used anymore. My guess
would be the latter.

Which made me wonder: is there a nice way to use mod_perl to keep evil
visitors away? Preferably using heuristics rather than a black list of
bad IP addresses.

Martijn

Re: Stonehenge::Throttle (or: using mod_perl to keep evil visitors away)

Posted by Jonathan Vanasco <jv...@2xlp.com>.
mod_security
http://www.modsecurity.org/

it's not using mod_perl -- but there's no reason to


On Apr 11, 2007, at 9:47 AM, Martijn wrote:

> Hello.
>
> Like everyone who runs a web server, I find that occasionally -and more
> often than I'd like- the web server gets a lot of requests (thousands)
> within a short period of time from the same IP address. I don't
> mind a sudden increase in interest in the website, but this usually means
> someone is doing something bad.
>
> I thought mod_perl should be able to deal with such (ab)users and send
> them away if they knock on our door too many times. So I did some
> research and stumbled upon a Perl module called Stonehenge::Throttle
> which is described here:
> http://www.stonehenge.com/merlyn/LinuxMag/col17.html
>
> It sounds all nice and interesting, but the article is from 2000 and
> when I search for the module name, Google has hardly any other
> results. Which could mean that either it works so perfectly well that
> no one even bothered to write documentation, or that it is outdated,
> replaced by something better and shouldn't be used anymore. My guess
> would be the latter.
>
> Which made me wonder: is there a nice way to use mod_perl to keep evil
> visitors away? Preferably using heuristics rather than a black list of
> bad IP addresses.
>
> Martijn
>

// Jonathan Vanasco

| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
| FindMeOn.com - The cure for Multiple Web Personality Disorder
| Web Identity Management and 3D Social Networking
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
| RoadSound.com - Tools For Bands, Stuff For Fans
| Collaborative Online Management And Syndication Tools
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -



Re: Stonehenge::Throttle (or: using mod_perl to keep evil visitors away)

Posted by Perrin Harkins <pe...@elem.com>.
On 4/11/07, Martijn <sw...@googlemail.com> wrote:
> It sounds all nice and interesting, but the article is from 2000 and
> when I search for the module name, Google has hardly any other
> results. Which could mean that either it works so perfectly well that
> no one even bothered to write documentation, or that it is outdated,
> replaced by something better and shouldn't be used anymore.

At eToys.com we used a modified version of this code to deal with
denial of service attacks.  We made it block based on our
(authenticated) session cookies if they were present, and fall back to
IP address.  Our criterion for blocking was "more than n hits in an
m-second timespan" and that seemed to work.

Since that time, a number of C modules have come along with similar
capabilities: mod_evasive, mod_security, mod_throttle, mod_bandwidth,
etc.  If you have a need to protect resources not served by mod_perl,
these are a better bet, since they can be run in your proxy server.

At my current company, Sam Tregar wrote
CGI::Application::Plugin::RateLimit for simple "keep people from
spamming our suggestions form" uses.  It allows you to catch the
problem and provide a friendly error message, which is important in
this sort of gray area where the user may not have been malicious.

- Perrin
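The scheme Perrin describes (key on the authenticated session cookie when present, fall back to the client IP, block past n hits in m seconds) written out as a mod_perl 2 access handler. This is an added example, not the eToys code or Stonehenge::Throttle; the cookie name, the limits, the per-process hash store and the Apache 2.2 `remote_ip` accessor are assumptions.

```perl
package My::Throttle;
use strict;
use warnings;

# Added example (not the eToys code or Stonehenge::Throttle): block a client
# that makes more than n hits in an m-second window, keyed on the authenticated
# session cookie when present and on the client IP otherwise.
# Assumption: %HITS is a per-process hash; a prefork server needs a shared
# store (e.g. Cache::FastMmap) in its place so all children see the same counts.
our $MAX_HITS    = 60;          # n
our $WINDOW      = 10;          # m, in seconds
our $COOKIE_NAME = 'session';   # assumed name of the session cookie
our %HITS;                      # key => [ epoch times of hits inside the window ]

# Choose what to count against: session id first, client IP as the fallback.
sub throttle_key {
    my ($cookie_header, $ip) = @_;
    if (defined $cookie_header
        && $cookie_header =~ /(?:^|;\s*)\Q$COOKIE_NAME\E=([^;]+)/) {
        return "cookie:$1";
    }
    return "ip:$ip";
}

# Record a hit at $now; return true once the key exceeds $MAX_HITS in $WINDOW.
sub over_limit {
    my ($key, $now) = @_;
    my $hits = $HITS{$key} ||= [];
    shift @$hits while @$hits && $hits->[0] <= $now - $WINDOW;  # expire old hits
    push @$hits, $now;
    return @$hits > $MAX_HITS ? 1 : 0;
}

# mod_perl 2 glue (Apache 2.2 API, where the peer address is remote_ip):
#   PerlAccessHandler My::Throttle
# Loaded lazily so throttle_key/over_limit can be exercised outside Apache.
sub handler {
    my $r = shift;
    require Apache2::RequestRec; require Apache2::Connection; require APR::Table;
    require Apache2::Log;        require Apache2::Const;
    Apache2::Const->import(-compile => qw(OK FORBIDDEN));
    my $key = throttle_key($r->headers_in->{Cookie}, $r->connection->remote_ip);
    if (over_limit($key, time)) {
        $r->log_error("throttled $key: more than $MAX_HITS hits in ${WINDOW}s");
        return Apache2::Const::FORBIDDEN();
    }
    return Apache2::Const::OK();
}

1;
```

Because the decision is made in the access phase, a blocked client never reaches the content handler, which is where the friendly error page Perrin mentions would otherwise have to be produced; an ErrorDocument for 403 covers that.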

Re: Stonehenge::Throttle (or: using mod_perl to keep evil visitors away)

Posted by "Randal L. Schwartz" <me...@stonehenge.com>.
>>>>> "Martijn" == Martijn  <sw...@googlemail.com> writes:

Martijn> It sounds all nice and interesting, but the article is from 2000 and
Martijn> when I search for the module name, Google has hardly any other
Martijn> results. Which could mean that either it works so perfectly well that
Martijn> no one even bothered to write documentation, or that it is outdated,
Martijn> replaced by something better and shouldn't be used anymore. My guess
Martijn> would be the latter.

Since I wrote it for a column, the code was owned by the magazine.  Later, I
learned to first (a) have an idea (b) write the code (c) publish the code to
CPAN (d) write the magazine article about it.  That order works much
better. :) I've written probably a few dozen things that would have been nice
CPAN modules, but are tied up in ownership tangles.

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<me...@stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!