Re: [mod-security-users] Re: HTTPD Dos
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [mod-security-users] Re: HTTPD Dos
|
From: Gerwin K. -|- D. W. <ge...@di...> - 2004-11-13 10:32:05
|
Well the problem is it there are many ip addresses but only 1 request once a while. So you can't easily detect the ddos. Ivan was so nice to give me some tips. If i'm done with it (in other words, if it works), i will make a little howto, and maybe it's usefull for some other persons :) Gerwin Op za 13-11-2004, om 10:08 schreef David Fletcher: > On Fri, 12 Nov 2004 20:23:12 -0800 > mod...@li... wrote: > > > Subject: [mod-security-users] HTTPD Dos > > > > Hello there, > > > > One of our servers is being ddossed (httpd based), 100ths of clients are > > trying to download 1 certain file. My question, is it possible > > to filter on the download and put the the ip in an iptables rule? > > > > Regards, > > Gerwin > > Hi, > > I have been getting attacks with over 1000 per second requests like this: > > default.domain 141.150.49.213 - - [04/Nov/2004:09:30:52 +0000] "OPTIONS / > HTTP/1.1" 403 266 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600" (-) > > They seem to have stopped before I did anything about them, but I was > looking at mod_dosevasive available here: > > http://www.nuclearelephant.com/projects/dosevasive/ > > It doesn't look like its been developed in over a year (perhaps it doesn't > need it?) but it might be useful. I wonder if there is any case for > integrating it with mod_security? > > Another approach in this case will be just to block OPTIONS requests, but > other DOS attacks might not use this request method. > > David. |
