Thread: [mod-security-users] Re: HTTPD Dos
From: David F. <Da...@me...> - 2004-11-13 10:10:59
On Fri, 12 Nov 2004 20:23:12 -0800 mod...@li... wrote:

> Subject: [mod-security-users] HTTPD Dos
>
> Hello there,
>
> One of our servers is being ddossed (httpd based), 100ths of clients are
> trying to download 1 certain file. My question, is it possible
> to filter on the download and put the ip in an iptables rule?
>
> Regards,
> Gerwin

Hi,

I have been getting attacks with over 1000 per second requests like this:

default.domain 141.150.49.213 - - [04/Nov/2004:09:30:52 +0000] "OPTIONS / HTTP/1.1" 403 266 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600" (-)

They seem to have stopped before I did anything about them, but I was looking at mod_dosevasive available here:

http://www.nuclearelephant.com/projects/dosevasive/

It doesn't look like it's been developed in over a year (perhaps it doesn't need it?) but it might be useful. I wonder if there is any case for integrating it with mod_security?

Another approach in this case will be just to block OPTIONS requests, but other DOS attacks might not use this request method.

David.

--
-------------------------------------------------
Email: Da...@me...
-------------------------------------------------
From: David F. <Da...@me...> - 2004-11-14 13:31:39
On Sat, 13 Nov 2004 20:23:31 -0800 mod...@li... wrote:

> From: Gerwin Krist -|- Digitalus Webhosting <ge...@di...>
> To: Mod_security <mod...@li...>
> Date: Sat, 13 Nov 2004 11:29:25 +0000
>
> Well the problem is that there are many ip addresses but only 1 request
> once in a while. So you can't easily detect the ddos.

In the case I quoted in my last post, all the requests actually came from the same IP, so it was just DOS, not distributed.

I think Ivan is right that in many cases these are better stopped at a firewall if that is possible. However, blocking at the web server would prevent, for example, lots of PHP sessions or database connections getting started. The OPTIONS type attack wasn't too bad - one with GET or POST on a real page would have consumed far more resources.

David.

--
-------------------------------------------------
Email: Da...@me...
-------------------------------------------------
From: Zach R. <ad...@li...> - 2004-11-13 10:27:19
David Fletcher wrote:
>
> On Fri, 12 Nov 2004 20:23:12 -0800
> mod...@li... wrote:
>
>> Subject: [mod-security-users] HTTPD Dos
>>
>> Hello there,
>>
>> One of our servers is being ddossed (httpd based), 100ths of clients are
>> trying to download 1 certain file. My question, is it possible
>> to filter on the download and put the ip in an iptables rule?
>>
>> Regards,
>> Gerwin
>
> Hi,
>
> I have been getting attacks with over 1000 per second requests like this:
>
> default.domain 141.150.49.213 - - [04/Nov/2004:09:30:52 +0000] "OPTIONS /
> HTTP/1.1" 403 266 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600" (-)
>
> They seem to have stopped before I did anything about them, but I was
> looking at mod_dosevasive available here:
>
> http://www.nuclearelephant.com/projects/dosevasive/
>
> It doesn't look like it's been developed in over a year (perhaps it doesn't
> need it?) but it might be useful. I wonder if there is any case for
> integrating it with mod_security?
>
> Another approach in this case will be just to block OPTIONS requests, but
> other DOS attacks might not use this request method.
>
> David.

That could prove to be a very useful addition to the mod_security codebase. I currently use it but, due to the incompatibility with FrontPage, I can't use it on all servers. If possible, I would definitely like to see it added.

Zach
From: Gerwin K. -|- D. W. <ge...@di...> - 2004-11-13 10:32:05
Well the problem is that there are many ip addresses but only 1 request once in a while. So you can't easily detect the ddos. Ivan was so nice to give me some tips. If I'm done with it (in other words, if it works), I will make a little howto, and maybe it's useful for some other persons :)

Gerwin

On Sat 13-11-2004, at 10:08, David Fletcher wrote:
> On Fri, 12 Nov 2004 20:23:12 -0800
> mod...@li... wrote:
>
> > Subject: [mod-security-users] HTTPD Dos
> >
> > Hello there,
> >
> > One of our servers is being ddossed (httpd based), 100ths of clients are
> > trying to download 1 certain file. My question, is it possible
> > to filter on the download and put the ip in an iptables rule?
> >
> > Regards,
> > Gerwin
>
> Hi,
>
> I have been getting attacks with over 1000 per second requests like this:
>
> default.domain 141.150.49.213 - - [04/Nov/2004:09:30:52 +0000] "OPTIONS /
> HTTP/1.1" 403 266 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600" (-)
>
> They seem to have stopped before I did anything about them, but I was
> looking at mod_dosevasive available here:
>
> http://www.nuclearelephant.com/projects/dosevasive/
>
> It doesn't look like it's been developed in over a year (perhaps it doesn't
> need it?) but it might be useful. I wonder if there is any case for
> integrating it with mod_security?
>
> Another approach in this case will be just to block OPTIONS requests, but
> other DOS attacks might not use this request method.
>
> David.
From: Ivan R. <iv...@we...> - 2004-11-13 11:16:08
> I have been getting attacks with over 1000 per second requests like this:
>
> default.domain 141.150.49.213 - - [04/Nov/2004:09:30:52 +0000] "OPTIONS /
> HTTP/1.1" 403 266 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600" (-)
>
> They seem to have stopped before I did anything about them, but I was
> looking at mod_dosevasive available here:
>
> http://www.nuclearelephant.com/projects/dosevasive/
>
> It doesn't look like its been developed in over a year (perhaps it doesn't
> need it?) but it might be useful. I wonder if there is any case for
> integrating it with mod_security?
>
> Another approach in this case will be just to block OPTIONS requests, but
> other DOS attacks might not use this request method.

I don't think you would benefit from blocking such attacks on the web server level. An OPTIONS request is handled quickly anyway. Handling it differently would not increase performance or slow down the attack.

Blocking on the web server would help if the target of the attack is a script that consumes a lot of server resources, for example a script that performs intensive database operations. But, in general, I think the only feasible DoS defence is with a firewall, on the network level.

My idea about DoS defence is to log relevant events to the error log, and then use a parallel process (either in real-time or started from cron every couple of minutes) to examine what is happening and configure firewall accordingly.

As far as I am aware mod_dosevasive does not need to develop further if the general concept it uses is going to stay. The only thing I don't like about it is that it doesn't share information about attacks between processes. So every Apache child needs to activate its own defences.

--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
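The out-of-band detector Ivan sketches (log on the web server, let a separate cron-driven process read the log and decide what the firewall should block) can be shown as a small script. The following is an added example written for this thread; it is not code from the list, from ModSecurity or from mod_dosevasive. It assumes the vhost-prefixed combined log format of the sample line David posted, and the threshold, window, client IPs and log lines are all constructed for illustration. Because one reader process sees every request regardless of which Apache child served it, it also avoids the per-child state problem Ivan raises about mod_dosevasive. The optional `methods` filter covers David's OPTIONS-only case; the iptables commands are returned as strings for an operator to review, not executed.

```python
"""
Offline request-rate detector for Apache access logs (added example).

Counts requests per client IP inside a sliding time window and reports
the IPs that exceed a threshold, together with the iptables commands an
operator would review before applying. Log lines are assumed to be in
time order per IP, as a normal access log is.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# vhost ip - - [timestamp] "METHOD path HTTP/x.y" status bytes ...
LOG_RE = re.compile(
    r'^(?P<vhost>\S+)\s+(?P<ip>\S+)\s+\S+\s+\S+\s+\[(?P<ts>[^\]]+)\]\s+'
    r'"(?P<method>[A-Z]+)\s+(?P<path>\S+)(?:\s+\S+)?"\s+(?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, method, path), or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("method"), m.group("path")


def find_offenders(lines, threshold, window_seconds, methods=None):
    """
    Sliding-window count per IP. An IP is reported once more than
    `threshold` of its requests fall inside any `window_seconds` span.
    `methods` optionally restricts counting to a set of request methods.
    Returns {ip: peak_count_in_window} for every IP that crossed the line.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue              # malformed line: skip it, do not crash
        ip, ts, method, _path = parsed
        if methods and method not in methods:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop requests older than the window
            q.popleft()
        if len(q) > threshold:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak


def iptables_commands(offenders, chain="INPUT"):
    """Render DROP rules for review; this module never executes them."""
    return [f"iptables -I {chain} -s {ip} -p tcp --dport 80 -j DROP"
            for ip in sorted(offenders)]


def _sample_log():
    """Constructed sample: one flooding client, one normal client, one garbage line."""
    flood = [
        'default.domain 192.0.2.10 - - [04/Nov/2004:09:30:%02d +0000] '
        '"OPTIONS / HTTP/1.1" 403 266 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"'
        % (52 + i // 4)
        for i in range(8)                 # eight requests within two seconds
    ]
    normal = [
        'default.domain 198.51.100.7 - - [04/Nov/2004:09:31:00 +0000] '
        '"GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
        'default.domain 198.51.100.7 - - [04/Nov/2004:09:35:00 +0000] '
        '"GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    ]
    return flood + normal + ["this is not a log line"]


if __name__ == "__main__":
    offenders = find_offenders(_sample_log(), threshold=5, window_seconds=10)
    for cmd in iptables_commands(offenders):
        print(cmd)
```

Run from cron against the current log slice (or fed a `tail -f` stream for the real-time variant Ivan mentions); the threshold and window should be tuned to the site's normal traffic, and the emitted rules checked before they reach the firewall, since a shared NAT address can look like a single noisy client.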