I've got a site with a couple of muppets that think they can DOS (not
DDOS) it. I've got numerous iptables bells and whistles in place to
mitigate against this, the most effective being connlimit statements that
limit the number of concurrent connections from a particular source IP
address to the site. This limits the amount of disruption caused by any
particular source, but can result in substantial bandwidth spikes as the
limited number of connections that are allowed hammer away on the site.
I'm trying to limit the number of requests per second from a given source
IP to address this. Bonus points for being able to limit the number of
connections per second from a given source IP to a particular URI.
Before you shout "mod_cband" or "mod_qos" or "mod_evasive" I've got the
following setup:
                  Muppet
                    |
               [ Internet ]
                    |
                    |
              Reverse Proxy
                 (pound)
                    |
             +------+------+
             |      |      |
              Web Servers
                (apache)
Since everything is getting reverse proxied the standard apache rate
limiting solutions won't work as everything appears to come from the same
source (the reverse proxy). I've not found a module that will allow me to
use the X-Forwarded-For header my reverse proxy adds in place of the
source IP address as a key for limiting. Replacing the reverse proxy with
something transparent (like a LVS instance) isn't an option at this stage.
The reverse proxy would be the obvious place to apply request limiting,
but pound doesn't have this facility.
An iptables rule that uses the string and hashlimit/recent modules to
restrict the number of packets with ^GET is one very ugly option (which I've
just thought of but not tried yet). The only other alternative I can
think of would be to have a daemon parsing syslog output that triggers the
addition and removal of iptables rules to block misbehaving source
addresses (i.e. those that excessively trigger the existing connlimit rule);
however, that would not be as clean as I'd like.
Does anybody have any other suggestions?
-Ronan
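The "daemon parsing log output" idea from the post, as an added example (not Ronan's code and not part of pound or Apache): a sliding-window request counter keyed on the client address that the reverse proxy supplies in X-Forwarded-For rather than on the TCP source address, which is always the proxy. It assumes a hypothetical Apache LogFormat of `"%{X-Forwarded-For}i" %t "%r" %>s` on the backends, assumes the proxy appends the connecting client's address as the last element of the header (so everything to its left is client-supplied and is deliberately ignored as a key), and assumes lines arrive in time order. The sample log lines are constructed. The per-URI mode covers the "bonus points" case of limiting a given source to a particular URI.

```python
"""Detect sources exceeding N requests per second behind a reverse proxy.

Hypothetical example. Keys on the proxy-supplied client address found in
X-Forwarded-For instead of the packet source, which is the proxy itself.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed backend LogFormat: "%{X-Forwarded-For}i" %t "%r" %>s
LINE_RE = re.compile(
    r'^"(?P<xff>[^"]*)" \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})$'
)


def client_ip(xff):
    """Return the address the proxy appended (assumed to be the last element).

    Anything to the left of it was sent by the client and could be forged,
    so it must never be used as the limiting key.
    """
    return xff.split(",")[-1].strip()


def parse_line(line):
    """Return (client_ip, uri, epoch_seconds) or None for a malformed line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return client_ip(m["xff"]), m["uri"], ts


class RateLimiter:
    """Sliding window: more than `limit` hits within `window` seconds trips it."""

    def __init__(self, limit, window=1.0, per_uri=False):
        self.limit = limit
        self.window = window
        self.per_uri = per_uri
        self.hits = defaultdict(deque)  # key -> timestamps inside the window

    def observe(self, ip, uri, ts):
        key = (ip, uri) if self.per_uri else (ip, None)
        q = self.hits[key]
        q.append(ts)
        # Drop hits that have aged out of the window (lines assumed in order).
        while q and ts - q[0] >= self.window:
            q.popleft()
        return len(q) > self.limit


def find_offenders(lines, limit, window=1.0, per_uri=False):
    """Return the sorted keys (ip, or (ip, uri) when per_uri) that exceeded the rate."""
    limiter = RateLimiter(limit, window, per_uri)
    offenders = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip garbage rather than letting the daemon die on it
        ip, uri, ts = parsed
        if limiter.observe(ip, uri, ts):
            offenders.add((ip, uri) if per_uri else ip)
    return sorted(offenders)


# Constructed sample log: 203.0.113.7 hammers one URI, 198.51.100.2 spreads
# its hits across URIs, and one line carries a client-forged XFF prefix.
SAMPLE_LOG = """\
"203.0.113.7" [10/Oct/2000:13:55:36 +0100] "GET /index.html HTTP/1.1" 200
"203.0.113.7" [10/Oct/2000:13:55:36 +0100] "GET /index.html HTTP/1.1" 200
"203.0.113.7" [10/Oct/2000:13:55:36 +0100] "GET /index.html HTTP/1.1" 200
"203.0.113.7" [10/Oct/2000:13:55:36 +0100] "GET /index.html HTTP/1.1" 200
"198.51.100.2" [10/Oct/2000:13:55:36 +0100] "GET /index.html HTTP/1.1" 200
"198.51.100.2" [10/Oct/2000:13:55:36 +0100] "GET /about.html HTTP/1.1" 200
"198.51.100.2" [10/Oct/2000:13:55:36 +0100] "GET /contact.html HTTP/1.1" 200
"198.51.100.2" [10/Oct/2000:13:55:36 +0100] "GET /news.html HTTP/1.1" 200
"10.0.0.5, 198.51.100.2" [10/Oct/2000:13:55:37 +0100] "GET /index.html HTTP/1.1" 200
"203.0.113.7" [10/Oct/2000:13:55:37 +0100] "GET /index.html HTTP/1.1" 200
this line is not a log entry
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("per-IP  (>3 req/s):", find_offenders(lines, limit=3))
    print("per-URI (>3 req/s):", find_offenders(lines, limit=3, per_uri=True))
```

In a real deployment the lines would come from `tail -F` on the backend log (or the syslog stream the post mentions) and each newly returned key would be handed to a separate action step that adds, and later expires, a firewall rule; any such rule must be keyed on the proxy-supplied address, since blocking the packet source would block the proxy itself. Note the difference between the two modes on the sample: 198.51.100.2 trips the per-IP limit but not the per-URI one.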