Posted to dev@httpd.apache.org by Rodent of Unusual Size <Ke...@Golux.Com> on 2000/02/10 12:29:37 UTC

[Fwd: ** IMPORTANT IDEA **]

Acked.  Didn't someone already do something in this wise,
in an access module or something?
-- 
#ken    P-)}

Ken Coar                    <http://Golux.Com/coar/>
Apache Software Foundation  <http://www.apache.org/>
"Apache Server for Dummies" <http://Apache-Server.Com/>

Come to the first official Apache Software Foundation
Conference!  <http://ApacheCon.Com/>

Re: [Fwd: ** IMPORTANT IDEA **]

Posted by Martin Pool <mb...@linuxcare.com.au>.
On Thu, Feb 10, 2000 at 06:29:37AM -0500, Rodent of Unusual Size wrote:
> Acked.  Didn't someone already do something in this wise,
> in an access module or something?

@ I'd like to suggest an idea.
@ 
@ Couldn't the Apache Web Server be modified so that the Web Server
@ itself would only accept "x" number of inbound packets per second from
@ a designated IP or something like that? i.e., some sort of threshold
@ setting. I'd be more than happy to attempt to mod this fix assuming
@ someone can point me into the right direction or file to look through.
@ I believe this would eliminate the servers such as Amazon, EBay and
@ others that have been overwhelmed with attacks lately? Just a thought,
@ I think it may be possible to introduce such a fix/enhancement.

I don't want to be a wet blanket but in general that won't stop
TFN-style attacks.  If you have 1GB/s heading for your server then the
pipe is going to saturate before Apache even gets a chance to see the
packets.  If you're going to limit traffic that way then it has to be
done in a core router.

The other problem is that each of the individual attack slaves won't
be sending an unusually high amount of data: perhaps just a few kb/s
each.  (If you're going to allow proxies for big ISPs the limit has to
be much higher.)  The problem is that there's so many of them and they
don't stop.

This is a good summary:

  http://www.cert.org/reports/dsit_workshop.pdf

-- 
Martin Pool, Technical Support Engineer, Linuxcare, Inc.
+61 2 6262 8990
mbp@linuxcare.com, http://www.linuxcare.com/
Linuxcare. Support for the revolution.
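To make the argument above concrete, here is an added simulation (not code from the thread or from Apache) of the proposed per-source packet threshold run over constructed traffic: one legitimate ISP proxy sending a lot, and many attack slaves each sending only a trickle. The IPs, rates and link capacity are made up for illustration.

```python
from collections import defaultdict

SECONDS = 5                 # length of the constructed capture
PROXY_IP = "198.51.100.1"   # one legitimate big-ISP proxy (documentation range)

def constructed_traffic(proxy_pps=400, slaves=1000, slave_pps=20):
    """Constructed sample: one (second, source_ip) tuple per inbound packet.
    The proxy sends many packets; each of many slaves sends only a few."""
    packets = []
    for sec in range(SECONDS):
        packets += [(sec, PROXY_IP)] * proxy_pps
        for i in range(slaves):
            packets += [(sec, f"10.0.{i // 256}.{i % 256}")] * slave_pps
    return packets

def per_source_threshold(packets, limit_pps):
    """The rule proposed in the thread: accept at most limit_pps packets per
    second from any one source. Returns (accepted_count, sources_that_tripped)."""
    seen = defaultdict(int)          # (second, ip) -> packets counted so far
    accepted, tripped = 0, set()
    for sec, ip in packets:
        seen[(sec, ip)] += 1
        if seen[(sec, ip)] > limit_pps:
            tripped.add(ip)          # this source exceeded the per-IP limit
        else:
            accepted += 1
    return accepted, tripped

def evaluate(limit_pps, link_capacity_pps):
    """Compare what crosses the link with what the server actually accepts.
    A threshold applied inside the server cannot shrink link_pps: every
    packet has already traversed the pipe before the server counts it."""
    packets = constructed_traffic()
    accepted, tripped = per_source_threshold(packets, limit_pps)
    link_pps = len(packets) / SECONDS
    return {
        "link_pps": link_pps,
        "link_saturated": link_pps > link_capacity_pps,
        "served_pps": accepted / SECONDS,
        "proxy_blocked": PROXY_IP in tripped,
        "slaves_blocked": len(tripped - {PROXY_IP}),
    }

if __name__ == "__main__":
    # A limit high enough to spare the proxy blocks no slaves at all;
    # a limit low enough to catch the slaves also cuts off the proxy.
    for limit in (500, 10):
        print(limit, evaluate(limit, link_capacity_pps=15000))
```

With the constructed numbers the link carries 20,400 packets/s whichever limit is chosen, which is the saturation point Martin describes; the threshold only changes what the server bothers to process afterwards.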