Re: [mod-security-users] DDOS on the appl level, timeouts and blacklisting
From: De V. R. <Ric...@bm...> - 2006-08-23 21:17:36
What is everyone's opinion on mod_evasive, found here: http://www.zdziarski.com/projects/mod_evasive/ ?

-----Original Message-----
From: mod...@li... [mailto:mod...@li...] On Behalf Of Ivan Ristic
Sent: Wednesday, August 23, 2006 3:56 PM
To: Christian Folini
Cc: mod...@li...
Subject: Re: [mod-security-users] DDOS on the appl level,timeouts and blacklisting

On 8/21/06, Christian Folini <chr...@ti...> wrote:
> Hi there,
>
> There have been a couple of meetings regarding ddos threats against
> our ssl sites. So far no attack occurred, but we are trying to be
> prepared.

Hi Christian,

I have thought a lot about this subject. Unfortunately I have little time to respond in depth right now but I promise to follow up when I get back in two weeks' time.

Ryan has already provided a very good answer. httpd-guardian should work but you need to put some effort to install it.

ModSecurity 2 can actually track request rate per, well, anything, but you are likely to want to look at the request rate per IP address. It works something like this (not tested):

# initialise IP tracking, then update variable to force the collection
# to be updated on disk (ModSecurity only updates data when it changes.)
SecAction initcol:ip=%{REMOTE_ADDR},setvar:ip.dummy=1,nolog,pass

Once the above line executes the variable IP.UPDATE_RATE should contain the number of updates (requests) per minute.

The only aspect of the above configuration I haven't tested is speed. At the moment ModSecurity uses an SDBM database to track persistent data. It is probably going to be fast but not as fast as an in-memory solution. But that's just an implementation detail, I expect an improved (faster) persistent storage mechanism to be added reasonably soon.

Also, I am happy to add a few variables to track the time elapsed since the connection was created, and also to track the speed at which the data is being received. E.g. if someone is sending data very slowly he's probably trying to DoS the server.
--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
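
The per-IP tracking described in the message above, extended into a throttle with a temporary blacklist. This is an added example, not configuration from the original thread or from the ModSecurity project: it assumes the rule syntax of later ModSecurity 2.x releases, and the rule ids, thresholds, data directory and the variable names ip.req_count and ip.blocked are illustrative.

```apache
# Added example. Assumptions: ModSecurity 2.x, illustrative rule ids
# (900100-900104) and thresholds, placeholder data directory.
SecRuleEngine On
SecDataDir /var/cache/modsecurity

# 1. Open (or create) the persistent record keyed on the client address.
SecAction "id:900100,phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR}"

# 2. Reject clients that are still inside their block window, before
#    spending any more work on them.
SecRule IP:BLOCKED "@eq 1" \
    "id:900101,phase:1,deny,status:503,log,\
    msg:'Client temporarily blocked for request flooding'"

# 3. Count this request. deprecatevar drains the counter by 60 every
#    60 seconds, so a client under about one request per second never
#    accumulates, while short bursts are tolerated up to the limit below.
SecAction "id:900102,phase:1,nolog,pass,\
    setvar:ip.req_count=+1,\
    deprecatevar:ip.req_count=60/60"

# 4. Over the limit: deny this request and flag the address for 300 s.
#    expirevar removes the flag afterwards, so the block lifts on its own.
SecRule IP:REQ_COUNT "@gt 120" \
    "id:900103,phase:1,deny,status:503,log,\
    msg:'Per-IP request rate limit exceeded',\
    setvar:ip.blocked=1,\
    expirevar:ip.blocked=300"

# 5. Log-only check on the built-in IP.UPDATE_RATE value mentioned in the
#    message, useful for choosing thresholds before enforcing them.
SecRule IP:UPDATE_RATE "@gt 100" \
    "id:900104,phase:1,pass,log,\
    msg:'High collection update rate for client address'"
```

Running rules 3 and 4 with pass in place of deny first shows which legitimate clients (proxies, NAT gateways, monitoring probes) would hit the limit before any traffic is blocked.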