You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@httpd.apache.org by uxwrstre <ux...@trashmail.net> on 2007/02/21 10:12:01 UTC

[users@httpd] Limit download of data by IP address?

Hello,

is there a possibility to limit the download of IP addresses per day?
For example that an IP address could not download more than 1 Gbyte per day of the apache server? Is there somewhere a module doing that?

My problem is that my server gets all the time D.o.S. attacks, the attacker tries to download big files multiple times, and I would like to limit this per day.

Best regards,
saf

-- 
E-Mail sent with anti-spam site TrashMail.net!
Free disposable email addresses: http://www.trashmail.net/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Limit download of data by IP address?

Posted by Nick Kew <ni...@webthing.com>.

On Wed, 21 Feb 2007 10:12:01 +0100 (CET)
uxwrstre <ux...@trashmail.net> wrote:

> My problem is that my server gets all the time D.o.S. attacks, the
> attacker tries to download big files multiple times, and I would like
> to limit this per day.

IP addresses do not map to users.  Think proxies: AOL's has
tens of millions of users behind it.

If you provide big files, make sure they're cacheable.
The good news is, Apache does that by default, so all
you have to do is _not_ break it.

-- 
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

RE: [users@httpd] Limit download of data by IP address?

Posted by Chirouze Olivier <ol...@volvo.com>.

Hi,

Have a look at this module: http://cband.linux.pl/

Olivier

Olivier CHIROUZE
I&0 Infrastructure
Volvo Information Technology
 

> -----Original Message-----
> From: uxwrstre [mailto:uxwrstre@trashmail.net] 
> Sent: 21 February 2007 10:12
> To: users@httpd.apache.org
> Subject: [users@httpd] Limit download of data by IP address?
> 
> Hello,
> 
> is there a possibility to limit the download of IP addresses per day?
> For example that an IP address could not download more than 1 
> Gbyte per day of the apache server? Is there somewhere a 
> module doing that?
> 
> My problem is that my server gets all the time D.o.S. 
> attacks, the attacker tries to download big files multiple 
> times, and I would like to limit this per day.
> 
> Best regards,
> saf
> 
> -- 
> E-Mail sent with anti-spam site TrashMail.net!
> Free disposable email addresses: http://www.trashmail.net/
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP 
> Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Limit download of data by IP address?

Posted by matt farey <ma...@gmail.com>.

uxwrstre wrote:
> Hello,
>
> is there a possibility to limit the download of IP addresses per day?
> For example that an IP address could not download more than 1 Gbyte per day of the apache server? Is there somewhere a module doing that?
>
> My problem is that my server gets all the time D.o.S. attacks, the attacker tries to download big files multiple times, and I would like to limit this per day.
>
> Best regards,
> saf
>
>   

Depending on your audience you do have a few real options, as has been
said you can use mod_cband, or mod_bw to limit rate by file and by
mimetype etc... This might ensure that you always have enough spare
bandwidth to serve real requests.
You can store information about this particular user, and refuse them
permission to do this, I am thinking shared objects in flash. Increasing
the complexity will force the user to be human. Little tests like the
Google captcha you get if you search too many times from the address bar
in a short space, are cool here.
You can force them to authenticate for large files, and if you do this,
use a gateway script to chunk out the file and refuse more that one
connection and allow only one connection per user. If you force https
for the connection you will learn about them as well, this way you can
cut through some of the more usual problems. Most windows machines leak
back other data to the OS your server is running on, and it is more than
possible to profile the particular user this way.
How well do you know you user base, can you not ban many locations, or
time ban the locations that shouldnt be active at that time. How high
profile is your site, if it worth the money there are CDNs out there, if
not, you can consider rotating the availability of the new downloads as
the sun rotates round the earth for non authenticated users. It does
depend on what the files are and how your users would react.
Finally you can use a free content distribution service like Coral -
which works if the attacks are coming in relatively quickly.

-- 
Matthew Farey

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org