LINUX.IE, website of the Irish Linux Users' Group
[ILUG] Rate limiting apache requests per second

John P. Looney valen at tuatha.org
Wed Jan 6 10:09:33 GMT 2010


 IPTables has rules like 'Only allow 20 new IP connections from any given
netblock per minute'. It can even do bursts, so you can do '100 per 5
minutes' etc. My own server has some setup for SSH like that -
non-whitelisted IPs get 2 ssh requests per 5 minutes, or something like
that, to stop brute-force attacks filling up my logs.

 IPTables is not going to help much if someone opens a connection and keeps
ramming requests down it - I assume Apache closes the socket, if it's being
abused though.

 You could even put in *huge* limits initially, and monitor syslog to make
sure that it's OK, and slowly bring them down until you get a false
positive. Combined with whitelisting (if you have a members-only area, harvest
all IPs from that), it's a nice idea.

John

On Tue, Jan 5, 2010 at 10:22 PM, Ronan Mullally <ronan at iol.ie> wrote:

> I've got a site with a couple of muppets that think they can DOS (not
> DDOS) it.  I've got numerous iptables bells and whistles in place to
> mitigate against this, the most effective being connlimit statements that
> limit the number of concurrent connections from a particular source IP
> address to the site.  This limits the amount of disruption caused by any
> particular source, but can result in substantial bandwidth spikes as the
> limited number of connections that are allowed hammer away on the site.
>
> I'm trying to limit the number of requests per second from a given source
> IP to address this.  Bonus points for being able to limit the number of
> connections per second from a given source IP to a particular URI.
>
> Before you shout "mod_cband" or "mod_qos" or "mod_evasive" I've got the
> following setup:
>
>
>             Muppet
>               |
>          [ Internet ]
>               |
>               |
>         Reverse Proxy
>            (pound)
>               |
>        +------+------+
>        |      |      |
>          Web Servers
>           (apache)
>
>
> Since everything is getting reverse proxied the standard apache rate
> limiting solutions won't work as everything appears to come from the same
> source (the reverse proxy).  I've not found a module that will allow me to
> use the X-Forwarded-For header my reverse proxy adds in place of the
> source IP address as a key for limiting.  Replacing the reverse proxy with
> something transparent (like a LVS instance) isn't an option at this stage.
>
> The reverse proxy would be the obvious place to apply request limiting,
> but pound doesn't have this facility.
>
> An iptables rule that uses the string and hashlimit/recent modules to
> restrict the number of packets with ^GET is one very ugly option (I've
> just thought of but not tried yet).  The only other alternative I can
> think of would be to have a daemon parsing syslog output that triggers the
> addition and removal of iptables rules to block mis-behaving source
> addresses (i.e. those that excessively trigger the existing connlimit rule),
> however that would not be as clean as I'd like.
>
> Does anybody have any other suggestions?
>
>
> -Ronan
> --
> Irish Linux Users' Group mailing list
> About this list : http://mail.linux.ie/mailman/listinfo/ilug
> Who we are : http://www.linux.ie/
> Where we are : http://www.linux.ie/map/
>



-- 
triad 238: Trí luchra ata mesa: luchra tuinde, luchra mná bóithe, luchra
confoléimnige.
Three worst smiles: the smile of a wave, the smile of a lewd woman, the grin
of a dog ready to leap.
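The two ideas in this thread, John's "rate plus burst" limits (what iptables' hashlimit does with --hashlimit-upto/--hashlimit-burst keyed on srcip) and Ronan's wish to key on X-Forwarded-For behind pound and feed offenders to a daemon that adds iptables rules, can be prototyped in a few lines of Python. The script below is an added example written for this page, not code from either poster. It assumes the pound proxy sits at 10.0.0.1, that Apache logs a trailing "%{X-Forwarded-For}i" field, that pound appends its entry to any X-Forwarded-For the client already sent rather than replacing it (so the right-most non-proxy address is the real client, and a client-supplied left-most entry is ignored), and the log lines, rate and burst values are all constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed address of the pound reverse proxy. Only hops to the right of a
# trusted proxy's own entry in X-Forwarded-For are believed: anything the
# client sends itself arrives to the left of what the proxy appends.
TRUSTED_PROXIES = {"10.0.0.1"}

# Apache combined log format with an extra trailing "%{X-Forwarded-For}i".
LOG_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" \d+ \S+ "[^"]*" "[^"]*" "(?P<xff>[^"]*)"$'
)


def _line(peer, ts, uri, xff):
    """Build one constructed log line in the layout LOG_RE expects."""
    return f'{peer} - - [{ts}] "GET {uri} HTTP/1.1" 200 512 "-" "curl/7.19" "{xff}"'


PROXY = "10.0.0.1"
T0 = "06/Jan/2010:10:09:33 +0000"
T1 = "06/Jan/2010:10:09:34 +0000"

# Constructed sample traffic (not real logs): one client hammering /search via
# the proxy, two of its requests carrying a forged X-Forwarded-For prefix,
# plus two well-behaved clients, one of them hitting Apache directly.
SAMPLE_LOG = (
    [_line(PROXY, T0, "/search?q=a", "203.0.113.5")] * 6
    + [_line(PROXY, T0, "/search?q=b", "192.0.2.99, 203.0.113.5")] * 2
    + [_line(PROXY, T0, "/index.html", "203.0.113.5")]
    + [_line(PROXY, T0, "/search?q=c", "198.51.100.7"),
       _line(PROXY, T1, "/search?q=d", "198.51.100.7")]
    + [_line("192.0.2.9", T1, "/index.html", "-")]
)


def client_ip(peer, xff):
    """Right-most X-Forwarded-For hop that is not a trusted proxy; falls back
    to the TCP peer when the header is absent ("-")."""
    hops = [h.strip() for h in xff.split(",") if h.strip()] if xff != "-" else []
    for addr in reversed(hops + [peer]):
        if addr not in TRUSTED_PROXIES:
            return addr
    return peer


class TokenBucket:
    """hashlimit-style limiter: `rate` tokens/second refill, `burst` capacity."""

    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.last = rate, burst, burst, None

    def allow(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def rate_limit(lines, rate=2.0, burst=5, watched=("/search",)):
    """Replay log lines through per-client buckets.

    Paths under a watched prefix get their own (client, path) bucket, which is
    the per-URI limit Ronan asked for; everything else shares (client, "*").
    Returns {client: {"allowed": n, "rejected": n}}.
    """
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    stats = defaultdict(lambda: {"allowed": 0, "rejected": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines in a different format
        client = client_ip(m["peer"], m["xff"])
        path = m["uri"].split("?", 1)[0]
        key = (client, path) if path.startswith(watched) else (client, "*")
        now = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
        stats[client]["allowed" if buckets[key].allow(now) else "rejected"] += 1
    return dict(stats)


def block_commands(stats, threshold=3, port=80):
    """Commands a watchdog daemon would run on the *proxy* host, the only box
    where the packet filter still sees the real source address. Returned as
    strings and never executed here; a real daemon would also schedule the
    matching `iptables -D` to lift the block after a cooling-off period."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP"
            for ip, s in sorted(stats.items()) if s["rejected"] >= threshold]


if __name__ == "__main__":
    verdicts = rate_limit(SAMPLE_LOG)
    for ip, s in sorted(verdicts.items()):
        print(f"{ip:15} allowed={s['allowed']} rejected={s['rejected']}")
    for cmd in block_commands(verdicts):
        print("would run:", cmd)
```

Run as-is, the hammering client gets its five-request burst on /search and is then rejected, the two forged-prefix lines are charged to it rather than to 192.0.2.99, its /index.html hit lands in a separate bucket and passes, and the other two clients stay under the limit. TokenBucket(rate=2, burst=5) corresponds to `-m hashlimit --hashlimit-upto 2/sec --hashlimit-burst 5 --hashlimit-mode srcip` in iptables terms; the difference is that this version sees the client address the proxy forwarded, which the packet filter on the Apache boxes cannot.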
