Gerwin Krist -|- Digitalus Webhosting wrote:
> Hello there,
> One of our servers is being DDoSed (httpd based), hundreds of clients are
> trying to download 1 certain file. My question, is it possible
> to filter on the download and put the IP in an iptables rule?
Are the IP addresses constantly changing? I wrote some scripts for the
book, available here http://www.apachesecurity.net/, that might be
able to protect you automatically from that sort of attack.
The blacklist script is a dynamic iptables firewall. You can tell it
which IP address to block and for how long.
The apache-protect script will watch mod_status output and count the
number of identical requests coming from one IP address and invoke
the blacklist script to ban the addresses that reach the threshold.
Finally, blacklist-webclient can be invoked from mod_security via the
exec action, if you so wish.
Just be careful not to block legitimate users :)
[ Open source IDS for Web applications ]
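As an added illustration of the approach described above (this is not one of the scripts from apachesecurity.net and not code from the original message), the following Python parses a mod_status worker table, counts identical requests per client IP, and feeds addresses that reach a threshold into a small dynamic blacklist that tracks ban expiry and emits the corresponding iptables commands. The status page is a constructed, simplified sample whose column layout is assumed; the allowlist, threshold and ban duration are assumptions. Commands are returned rather than executed so the logic can be inspected first.

```python
"""Added example: per-IP request counting over a mod_status snapshot feeding a
dynamic iptables blacklist with expiry (dry-run: commands are returned, not run)."""
import html
import ipaddress
import re
from collections import Counter

# Constructed sample in the style of a mod_status ExtendedStatus worker table.
# The exact column set of a real server-status page is assumed here; the parser
# below locates the Client and Request columns by header name instead of position.
SAMPLE_STATUS = """
<table border=0>
<tr><th>Srv</th><th>PID</th><th>M</th><th>Client</th><th>VHost</th><th>Request</th></tr>
<tr><td>0-0</td><td>2201</td><td><b>W</b></td><td>203.0.113.7</td><td>www.example.com</td><td>GET /files/big.iso HTTP/1.0</td></tr>
<tr><td>1-0</td><td>2202</td><td><b>W</b></td><td>203.0.113.7</td><td>www.example.com</td><td>GET /files/big.iso HTTP/1.0</td></tr>
<tr><td>2-0</td><td>2203</td><td><b>W</b></td><td>203.0.113.7</td><td>www.example.com</td><td>GET /files/big.iso HTTP/1.0</td></tr>
<tr><td>3-0</td><td>2204</td><td><b>W</b></td><td>203.0.113.7</td><td>www.example.com</td><td>GET /files/big.iso HTTP/1.0</td></tr>
<tr><td>4-0</td><td>2205</td><td><b>W</b></td><td>203.0.113.7</td><td>www.example.com</td><td>GET /files/big.iso HTTP/1.0</td></tr>
<tr><td>5-0</td><td>2206</td><td><b>W</b></td><td>198.51.100.20</td><td>www.example.com</td><td>GET /index.html HTTP/1.1</td></tr>
<tr><td>6-0</td><td>2207</td><td><b>W</b></td><td>192.0.2.9</td><td>www.example.com</td><td>GET /files/big.iso HTTP/1.0</td></tr>
<tr><td>7-0</td><td>2208</td><td><b>W</b></td><td>10.0.0.5</td><td>www.example.com</td><td>GET /server-status HTTP/1.1</td></tr>
<tr><td>8-0</td><td>2209</td><td><b>W</b></td><td>10.0.0.5</td><td>www.example.com</td><td>GET /server-status HTTP/1.1</td></tr>
<tr><td>9-0</td><td>2210</td><td><b>W</b></td><td>10.0.0.5</td><td>www.example.com</td><td>GET /server-status HTTP/1.1</td></tr>
<tr><td>10-0</td><td>2211</td><td><b>W</b></td><td>10.0.0.5</td><td>www.example.com</td><td>GET /server-status HTTP/1.1</td></tr>
<tr><td>11-0</td><td>2212</td><td><b>_</b></td><td></td><td></td><td></td></tr>
</table>
"""

TAG_RE = re.compile(r"<[^>]+>")
ROW_RE = re.compile(r"<tr[^>]*>(.*?)</tr>", re.S | re.I)
CELL_RE = re.compile(r"<t[dh][^>]*>(.*?)</t[dh]>", re.S | re.I)


def _cells(row):
    """Text of every <td>/<th> in one table row, with inner tags stripped."""
    return [html.unescape(TAG_RE.sub("", c)).strip() for c in CELL_RE.findall(row)]


def parse_status(page):
    """Return (client_ip, request) for every worker row that is serving a request."""
    rows = ROW_RE.findall(page)
    if not rows:
        return []
    header = _cells(rows[0])
    try:
        ci, ri = header.index("Client"), header.index("Request")
    except ValueError:
        raise ValueError("no Client/Request columns; is ExtendedStatus On?")
    entries = []
    for row in rows[1:]:
        c = _cells(row)
        if len(c) > max(ci, ri) and c[ci] and c[ri]:   # skip idle workers
            entries.append((c[ci], c[ri]))
    return entries


def find_offenders(entries, threshold):
    """ip -> (request, count) for each IP repeating one identical request >= threshold times."""
    hits = {}
    for (ip, req), n in Counter(entries).items():
        if n >= threshold and n > hits.get(ip, ("", 0))[1]:
            hits[ip] = (req, n)
    return hits


class Blacklist:
    """Dynamic iptables blacklist with per-address expiry and an allowlist of
    networks that must never be blocked (own hosts, monitoring, upstream proxies)."""

    def __init__(self, allow=()):
        self.allow = [ipaddress.ip_network(n) for n in allow]
        self.banned = {}   # ip -> expiry time (seconds since epoch)

    def allowed(self, ip):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return True   # not an address iptables can match; leave it alone
        return any(addr in net for net in self.allow)

    def ban(self, ip, seconds, now):
        """argv for a DROP rule, or None if allowlisted or already banned (expiry is extended)."""
        if self.allowed(ip):
            return None
        already = ip in self.banned
        self.banned[ip] = max(self.banned.get(ip, 0), now + seconds)
        if already:
            return None
        return ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]

    def expire(self, now):
        """argv list removing every rule whose ban has run out."""
        cmds = []
        for ip, until in list(self.banned.items()):
            if until <= now:
                del self.banned[ip]
                cmds.append(["iptables", "-D", "INPUT", "-s", ip, "-j", "DROP"])
        return cmds


def protect(page, threshold, ban_seconds, bl, now):
    """One polling cycle: expire old bans, then ban new offenders. Returns the argv list to run."""
    cmds = bl.expire(now)
    for ip in sorted(find_offenders(parse_status(page), threshold)):
        cmd = bl.ban(ip, ban_seconds, now)
        if cmd:
            cmds.append(cmd)
    return cmds


if __name__ == "__main__":
    bl = Blacklist(allow=["10.0.0.0/8", "127.0.0.0/8"])   # assumed internal ranges
    for cmd in protect(SAMPLE_STATUS, threshold=3, ban_seconds=600, bl=bl, now=1000):
        print(" ".join(cmd))
    print(bl.expire(now=1700))
```

In the sample only 203.0.113.7 is banned: 10.0.0.5 also repeats a request but sits in the allowlist, and the single legitimate download of the same file from 192.0.2.9 stays below the threshold. A real deployment would poll server-status on a timer, pass each argv to subprocess.run, and tune the threshold against normal traffic before enabling it, since a busy legitimate client (or a NAT gateway fronting many users) can look like an attacker.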