Hi friends,
"and now to something completely different: the larch"... ;-)
Some of you might know:
http://www.zdziarski.com/projects/mod_evasive/
I'm just interested in some theoretical thoughts, if there would be a
ns_evasive module... how to set up the "storage":
Background (Remember: this is an Apache module):
"Detection is performed by creating an internal dynamic hash table of IP
Addresses and URIs, and denying any single IP address from any of the
following:
* Requesting the same page more than a few times per second
* Making more than 50 concurrent requests on the same child per second"
(It then answers with an HTTP status code of 403 for a specified time)
And (from the Apache-view):
"This module instantiates for each listener individually [...] Because of this
per-child design, legitimate requests are never compromised (even from
proxies and NAT addresses) but only scripted attacks. Even a user repeatedly
clicking on 'reload' should not be affected unless they do it maliciously."
In our NaviServer world, when storing requests of clients (IP) to objects on
the server (whatever you consider a "page", say HTML/ADP; and all the other
page elements on the other side), what could a possible plan look like:
* do the key/value lookup via NSV arrays?
* or thread-locally?
Or everything in the first/the latter?
If I want to guarantee, say, client X requests a page Y only 2 times within 5
seconds, this leads to NSV ("guarantee"). But when I think of e.g. the 70
images referenced in Y... and some of them also referenced from page Y'2 with
a browser not caching anything... hm. Is the "legitimate requests are never
compromised" promise gained by a "server-wide-blindness" approach, a
distribution of storage to the available processes?
And would turning on / off keepalive introduce some subtle differences?
cu
Bernd.
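
The storage question above, modelled as an added example (not part of the original post, and not NaviServer or mod_evasive code). It compares one server-wide table, standing in for an NSV array, with one table per worker, standing in for thread-local storage, under the "2 times within 5 seconds" rule. The names `SlidingWindowLimiter` and `simulate`, the round-robin dispatch and the sample requests are assumptions made for the illustration.

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` hits per (ip, uri) key within `window` seconds."""

    def __init__(self, limit=2, window=5.0):
        self.limit = limit
        self.window = window
        self.hits = defaultdict(deque)  # (ip, uri) -> timestamps of allowed hits

    def allow(self, ip, uri, now):
        q = self.hits[(ip, uri)]
        while q and now - q[0] >= self.window:  # drop hits that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False  # a server would answer 403 here
        q.append(now)
        return True


def simulate(requests, workers, shared):
    """Dispatch requests round-robin over `workers`; return how many pass.

    shared=True  -> every worker consults the same table (NSV-like).
    shared=False -> each worker keeps its own table (thread-local-like).
    """
    if shared:
        tables = [SlidingWindowLimiter()] * workers
    else:
        tables = [SlidingWindowLimiter() for _ in range(workers)]
    allowed = 0
    for i, (ip, uri, t) in enumerate(requests):
        if tables[i % workers].allow(ip, uri, t):
            allowed += 1
    return allowed


# Constructed sample: one client asks for the same page 12 times in 1.1 s.
BURST = [("192.0.2.10", "/y.adp", i * 0.1) for i in range(12)]
# Constructed sample: one page load, the page plus its 70 distinct images.
PAGE_LOAD = [("192.0.2.10", "/y.adp", 0.0)] + [
    ("192.0.2.10", f"/img/{n}.png", 0.01 * n) for n in range(70)
]

if __name__ == "__main__":
    print("shared table, burst:     ", simulate(BURST, 4, shared=True))
    print("per-worker tables, burst:", simulate(BURST, 4, shared=False))
    print("shared table, page load: ", simulate(PAGE_LOAD, 4, shared=True))
```

With four workers the shared table passes exactly 2 of the 12 burst requests, while per-worker tables pass 2 per worker, so the effective limit scales with the number of workers. Because the key is (IP, URI), the 70 images of one page load are counted separately and none is refused.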