Posted to cvs@httpd.apache.org by sl...@apache.org on 2006/01/17 17:02:06 UTC

svn commit: r369825 - in /httpd/httpd/trunk/docs/manual/misc: security_tips.html.en security_tips.xml

Author: slive
Date: Tue Jan 17 08:01:56 2006
New Revision: 369825

URL: http://svn.apache.org/viewcvs?rev=369825&view=rev
Log:
Take a stab at documenting how we respond to DoS issues.
Please review!

Modified:
    httpd/httpd/trunk/docs/manual/misc/security_tips.html.en
    httpd/httpd/trunk/docs/manual/misc/security_tips.xml

Modified: httpd/httpd/trunk/docs/manual/misc/security_tips.html.en
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/docs/manual/misc/security_tips.html.en?rev=369825&r1=369824&r2=369825&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/misc/security_tips.html.en (original)
+++ httpd/httpd/trunk/docs/manual/misc/security_tips.html.en Tue Jan 17 08:01:56 2006
@@ -26,6 +26,7 @@
     Some of the suggestions will be general, others specific to Apache.</p>
   </div>
 <div id="quickview"><ul id="toc"><li><img alt="" src="../images/down.gif" /> <a href="#uptodate">Keep up to Date</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#dos">Denial of Service (DoS) attacks</a></li>
 <li><img alt="" src="../images/down.gif" /> <a href="#serverroot">Permissions on ServerRoot Directories</a></li>
 <li><img alt="" src="../images/down.gif" /> <a href="#ssi">Server Side Includes</a></li>
 <li><img alt="" src="../images/down.gif" /> <a href="#cgi">CGI in General</a></li>
@@ -56,6 +57,59 @@
     from problems in add-on code, CGI scripts, or the underlying
     Operating System.  You must therefore stay aware of problems and
     updates with all the software on your system.</p>
+
+  </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="dos" id="dos">Denial of Service (DoS) attacks</a></h2>
+
+    
+
+    <p>All network servers are subject to denial of service atacks
+    that attempt to prevent responses to clients by tying up the
+    resources of the server.  It is not possible to prevent such
+    attacks entirely, but you can do certain things to mitigate the
+    problems that they create.</p>
+
+    <p>Often the most effective anti-DoS tools will be a firewall or
+    other operating-system tools.  For example, most firewalls can be
+    configured to restrict the number of simultaneous connections from
+    any individual IP address or network, thus preventing a range of
+    simple attacks.</p>
+
+    <p>There are also certain Apache HTTP Server configuration
+    settings that can help mitigate problems:</p>
+
+    <ul>
+      <li>The <code class="directive"><a href="../mod/core.html#timeout">TimeOut</a></code> directive
+      should be lowered on sites that are subject to DoS attacks.
+      Setting this to as low as a few seconds may be appropriate.  See
+      also the <code class="directive"><a href="../mod/core.html#keepalivetimeout">KeepAliveTimeout</a></code>
+      directive and various timeout-related directives provided by
+      other modules.</li>
+
+      <li>On operating systems that support it, make sure that you use
+      the <code class="directive">AcceptFilter</code> directive
+      to offload part of the request processing to the operating
+      system.  This is active by default in Apache httpd, but may
+      require reconfiguration of your kernel.</li>
+
+      <li>Tune the <code class="directive"><a href="../mod/mpm_common.html#maxclients">MaxClients</a></code> directive to allow
+      the server to handle the maximum number of simultaneous
+      connections without running out of resources.  See also the <a href="perf-tuning.html">performance tuning
+      documentation</a>.</li>
+
+      <li>The use of a threaded <a href="../mpm.html">mpm</a> may
+      allow you to handle more simultaneous connections, thereby
+      mitigating DoS attacks.  Further, the <code class="module"><a href="../mod/event.html">event</a></code> mpm
+      uses asynchronous processing to avoid devoting a thread to each
+      connection.</li>
+
+      <li>There are a number of third-party modules available through
+      <a href="http://modules.apache.org/">http://modules.apache.org/</a>
+      that can restrict certain client behaviors and thereby mitigate
+      DoS problems.</li>
+     
+    </ul>
 
   </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
 <div class="section">
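Review bot: in the AcceptFilter bullet the directive is emitted as a bare `<code class="directive">AcceptFilter</code>` with no `<a href="../mod/core.html#acceptfilter">` around it, while TimeOut, KeepAliveTimeout and MaxClients in the same list are linked. Since this file is generated from security_tips.xml, the cause is the misspelled `mdoule="core"` attribute in that file in this same commit; fix it there and regenerate rather than hand-editing the HTML. The first paragraph also spells "denial of service atacks". Finally, the TimeOut bullet says "Setting this to as low as a few seconds may be appropriate" without noting that TimeOut also bounds legitimate slow clients (large uploads over slow links, for example), so a one-line caveat would keep readers from trading a DoS mitigation for a self-inflicted outage.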

Modified: httpd/httpd/trunk/docs/manual/misc/security_tips.xml
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/docs/manual/misc/security_tips.xml?rev=369825&r1=369824&r2=369825&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/misc/security_tips.xml (original)
+++ httpd/httpd/trunk/docs/manual/misc/security_tips.xml Tue Jan 17 08:01:56 2006
@@ -52,6 +52,63 @@
 
   </section>
 
+  <section id="dos">
+
+    <title>Denial of Service (DoS) attacks</title>
+
+    <p>All network servers are subject to denial of service atacks
+    that attempt to prevent responses to clients by tying up the
+    resources of the server.  It is not possible to prevent such
+    attacks entirely, but you can do certain things to mitigate the
+    problems that they create.</p>
+
+    <p>Often the most effective anti-DoS tools will be a firewall or
+    other operating-system tools.  For example, most firewalls can be
+    configured to restrict the number of simultaneous connections from
+    any individual IP address or network, thus preventing a range of
+    simple attacks.</p>
+
+    <p>There are also certain Apache HTTP Server configuration
+    settings that can help mitigate problems:</p>
+
+    <ul>
+      <li>The <directive module="core">TimeOut</directive> directive
+      should be lowered on sites that are subject to DoS attacks.
+      Setting this to as low as a few seconds may be appropriate.  See
+      also the <directive module="core">KeepAliveTimeout</directive>
+      directive and various timeout-related directives provided by
+      other modules.</li>
+
+      <li>On operating systems that support it, make sure that you use
+      the <directive mdoule="core">AcceptFilter</directive> directive
+      to offload part of the request processing to the operating
+      system.  This is active by default in Apache httpd, but may
+      require reconfiguration of your kernel.</li>
+
+      <li>Tune the <directive
+      module="mpm_common">MaxClients</directive> directive to allow
+      the server to handle the maximum number of simultaneous
+      connections without running out of resources.  See also the <a
+      href="perf-tuning.html">performance tuning
+      documentation</a>.</li>
+
+      <li>The use of a threaded <a href="../mpm.html">mpm</a> may
+      allow you to handle more simultaneous connections, thereby
+      mitigating DoS attacks.  Further, the <module>event</module> mpm
+      uses asynchronous processing to avoid devoting a thread to each
+      connection.</li>
+
+      <li>There are a number of third-party modules available through
+      <a
+      href="http://modules.apache.org/">http://modules.apache.org/</a>
+      that can restrict certain client behaviors and thereby mitigate
+      DoS problems.</li>
+     
+    </ul>
+
+  </section>
+    
+
   <section id="serverroot">
   
     <title>Permissions on ServerRoot Directories</title>
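Review bot: `<directive mdoule="core">AcceptFilter</directive>` misspells the `module` attribute; the transform therefore cannot resolve the directive to its reference page, which is why the regenerated security_tips.html.en in this commit shows AcceptFilter without a link. Change it to `<directive module="core">AcceptFilter</directive>` and regenerate the HTML. Also fix "atacks" to "attacks" in the first paragraph, consider writing "MPM" rather than "mpm" in the threaded-MPM bullet to match the rest of the manual, and drop the whitespace-only lines inside the `<ul>` and after `</section>`.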