• angusfz

    angusfz - 2009-06-24

    Hi guys:
    Recently,we test mod_qos on our  site.Mod_qos can handle slowlris DOS attack very well by using QS_SrvMaxConnPerIP.
    But  we have reverse proxy(squid) in the front. Can mod_qos use "x-forwarded-for" IP as client IP ?
    Any suggestion will be appreciated!....and sorry for my poor english

    • Pascal Buchbinder

      IMHO: client IP based filter should deny requests/connections as early as possible. This is very important for directives such as QS_ClientEventBlockCount in order to prevent the client from generating these events furthermore. The problem by reading the client IP from a request header is that that we require to read certain amount of data in order to determine the client address. This would already allow some DoS attack scenarios. I recommend to install mod_qos within the reverse proxy itself (but it must be an Apache based proxy of course) in order to prevent any attack as early as possible.
      Regards, Pascal

    • angusfz

      angusfz - 2009-06-25

      Hi Pascal:
          Thanks for ur reply.But squid's performance is much better than apache.
      I will trying to use iptables's conlimit module to prevent such attacke.Thanks for ur help.

      Regards, Angusfz

  • Dmitriy

    Dmitriy - 2011-12-05

    Hi Pascal,
    I just sent you an email asking something similar. I'm in a similar situation to the user who created this thread (sorry for resurecting something from 2 years ago :) ), except that we are behind a CDN and have no way to install mod_qos on it.


  • Pascal Buchbinder

    Hi Dmitriy.
    As mentioned above, I believe that (most) client IP related restrictions should be filtered at the perimeter, because we can't deny TCP connections from an IP address if you are not the peer terminating the connection. It's often too late to defeat an attack if we have to for HTTP request headers first. mod_qos is intended to be used within a reverse proxy but works, of course, in Apache based proxies only. Other proxy servers may provide similar functionality oneself.

    So what feature do you want to use? (I could imagine to enhance the QS_ClientEventLimitCount directive for example but NOT the QS_ClientEventBlockCount directive).

    Regards, Pascal

  • Pascal Buchbinder

    mod_qos 9.76 introduces the directive QS_ClientIpFromHeader (only one IP per header) which may be used in conjunction with QS_ClientEventLimitCount (no other directive at the moment).

  • Dmitriy

    Dmitriy - 2011-12-07

    That is fantastic, thank you!

  • Andrew Rosolino

    Andrew Rosolino - 2012-01-30

    First off I would like to thank you for this fantastic module it offers so much. I currently use Varnish reverse proxy server and of course ran into the problem where I couldn't use the QS_SrvMaxConnPerIP because it assumed everyones IP was

    I noticed you added QS_ClientIpFromHeader, but I am having a hard time wrapping my head around how to set this up. Could you please provide an example of how this could be setup using QS_ClientEventLimitCount.

    I also currently use the plugin mod_rpaf like so:
    oadModule rpaf_module modules/mod_rpaf-2.0.so
    RPAFenable On
    RPAFsethostname On
    RPAFheader X-Forwarded-For-Varnish

    But I assume this doesn't effect mod_qos since it is probably activated afterwards.

  • Pascal Buchbinder


    QS_ClientIpFromHeade X-Forwarded-For-Varnish 
    QS_ClientEventLimitCount 100 300
    QS_SetEnvIfResBody "Login Failed" QS_Limit
  • Andrew Rosolino

    Andrew Rosolino - 2012-02-02

    Since we notice most DDOS attacks people pay for happen on that main domain and not external pages we added this rule.

    QS_ClientIpFromHeader X-Forwarded-For-Varnish
    QS_ClientEventLimitCount 6 3
    SetEnvIf Request_URI "^/$" QS_Limit

    However, ideally we want to start blocking people via IP tables if they start abusing this so the web server doesn't even have to process them anymore. I honestly have to say your module is the best tool out there to handle this stuff. We also have ConfigServer Firewall installed so we can just issue this command to temporarily block the IP for a week. So we can do a command like so:

    csf -td $ip 7d

    So if an IP reaches QS_Limit about 5 times, is there anyway we can issue that command?

  • Pascal Buchbinder

    QS_ClientEventBlockCount 6 604800 would exactly do that without any command invocation (but you can use this only if the Apache server terminates the TCP connection.

    An external command could be invoked using http://opensource.adnovum.ch/mod_qos/qsexec.1.html (or any other tool/script watching the log).

     ErrorLog "|qsexec -e 'mod_qos\(067\).*, c=([0-9.]*)' 'csf -td $1 7d'"
  • Andrew Rosolino

    Andrew Rosolino - 2012-02-03

    For some reason that is not triggering anything. My logs show this.

       mod_qos(067): access denied, QS_ClientEventLimitCount rule: max=6, current=0, c=, id=132823145045473314931140281017960416

    So shouldn't of that command of been fired?

  • Pascal Buchbinder

    the sample above was just a hint to show how the configuration might look like (it's not tested nor does it provide the path to the programs)

  • Andrew Rosolino

    Andrew Rosolino - 2012-02-03

    This is what I had to do, to make it work:
    ErrorLog "|/usr/local/bin/qsexec -e \'mod_qos\\\(067\\\).*, c=\(*\)\' \'csf -td $1 7d\'"

    However, there can only be one ErrorLog directive, so now nothing records in my actual error log, is there a solution for that? Sorry for all the questions just trying to make everything work together.

  • Pascal Buchbinder

    Use the "-p" option…

    ErrorLog "|qsexec -e 'mod_qos\(067\).*, c=([0-9.]*)' 'csf -td $1 7d' -p |qsrotate ...."

Log in to post a comment.