[42726] in North American Network Operators' Group


Re: Pattern matching odd HTTP request

daemon@ATHENA.MIT.EDU (Karsten W. Rohrbach)
Wed Sep 19 18:39:55 2001

Date: Thu, 20 Sep 2001 00:39:39 +0200
From: "Karsten W. Rohrbach" <karsten@rohrbach.de>
To: Brian Behlendorf <brian@collab.net>
Cc: Bill McGonigle <mcgonigle@medicalmedia.com>,
	Jake Khuon <khuon@GBLX.Net>, mike@biggorilla.com, nanog@merit.edu
Message-ID: <20010920003939.P55380@mail.webmonster.de>
In-Reply-To: <20010918184958.S44963-100000@localhost>; from brian@collab.net on Tue, Sep 18, 2001 at 06:50:56PM -0700

Brian Behlendorf(brian@collab.net)@2001.09.18 18:50:56 +0000:
> On Wed, 19 Sep 2001, Karsten W. Rohrbach wrote:
> > source ip based connection rate limiting would perhaps solve the
> > problem. are there any modules available out there to accomplish this
> > task?
>
> http://modules.apache.org/search?id=241
>
> is the only one I know of.  I've not used it myself, and it's not a part
> of the "core" distribution.  If people use it and it works, I'd appreciate
> knowing, as this comes up frequently enough that I'd agitate for getting
> it included.

update: mod_throttle/3.1.2 seems to do the thing (as far as i can see
from the source) but i cannot get the thing running on my freebsd 4.3
box here, it keeps dumping core all the time. it is designed to already
check the source ip address in the fixup handler.
_all_ other modules i downloaded do not do this. i tried the following
ones:
- mod_throttle/3.1.2 		dumps core at runtime, dang thing
- mod_throttle_access/0.2	starts processing after GET request
- mod_bandwidth/2.0.3		starts processing after GET request
- mod_bwshare/0.1.2		shmget: invalid argument but SHM is
				there, i can see it with ipcs(1)!
- mod_conn/1999			starts processing after GET request
- mod_limitipconn/0.0.3		starts processing after GET request

[http://modules.apache.org/search?id=123] is the url to mod_throttle
which looks very mature (but runs buggy on my box, whyever). i am
pretty tired now from my long uptime hunting that stupid nimda worm and
getting rid of it on some of my customers' servers. i hate iis, yuck.

mod_throttle looks like it could do it, because it contains the relevant
code in the fixup handler. However the policies are pretty weird -- at
least for me in my current state.  man, it's been a long time since i
hacked my last apache module. must be 5 years or so... if somebody gets
mod_throttle running on freebsd4, drop me a line how you did it. it's
nearly midnight and i'm going to take a looooong nap now.

btw, if your log files keep growing and growing, use multilog from
daemontools to autorotate them and keep them at a specified maximum
size:
    ErrorLog "|exec setuidgid log multilog s200000 n5 /path/to/errlogdir"
daemontools are at [http://cr.yp.to/daemontools.html]

you could even do
    ErrorLog "|exec grep -v '/scripts/' | setuidgid log multilog s200000 n5 /path/to/errlogdir"
to get rid of the darn worm-generated errors.

lowering the timeout does not make much sense, the best solution would
be having the max connections from one ip in the scoreboard structures
and connection handler because it _must_ be processed at connection
time, not when the request is already in -- there never will be a GET or
any other request... i see that this can be done in the fixup_handler in
a module, but i am quite rusty concerning the apache api ;-)
brian, i'd appreciate if you would forward this to the core people.
thanks.

i got an important appointment with my bed now...
take care,
/k (tired like hell)

--
> May the source be with you!
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE  DF22 3340 4F4E 2964 BF46
Please do not remove my address from To: and Cc: fields in mailing lists. 10x
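
The point made in the message above, that a per-source limit has to be enforced when the connection is accepted because a request may never arrive, as an added C example. It is not part of the original message and is not Apache or mod_throttle code; the limit of 3, the table size, the function names and the sample addresses are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_SOURCES 64   /* tracked source addresses (assumption) */
#define MAX_PER_IP  3    /* hypothetical per-source connection limit */

struct src { uint32_t ip; unsigned open; };   /* open == 0 means the slot is free */
static struct src table[MAX_SOURCES];

/* Return the slot tracking ip, else a free slot, else NULL if the table is full. */
static struct src *find_slot(uint32_t ip) {
    struct src *spare = NULL;
    for (int i = 0; i < MAX_SOURCES; i++) {
        if (table[i].open && table[i].ip == ip) return &table[i];
        if (!table[i].open && !spare) spare = &table[i];
    }
    return spare;
}

/* Call directly after accept(), before reading any request bytes.
 * Returns 1 to keep the connection, 0 to close it at once. */
int conn_admit(uint32_t ip) {
    struct src *s = find_slot(ip);
    if (!s) return 0;                     /* table full: refuse rather than stop counting */
    if (s->open >= MAX_PER_IP) return 0;  /* source already holds its share */
    s->ip = ip;
    s->open++;
    return 1;
}

/* Call when an admitted connection closes, whether or not a request ever arrived. */
void conn_release(uint32_t ip) {
    struct src *s = find_slot(ip);
    if (s && s->open && s->ip == ip) s->open--;
}

/* Constructed scenario: one source opens n connections and sends nothing on them.
 * Returns how many of them are held open. */
unsigned idle_flood(uint32_t ip, unsigned n) {
    unsigned held = 0;
    while (n--) held += conn_admit(ip);
    return held;
}

int main(void) {
    uint32_t a = 0xC0000201, b = 0xC0000202;  /* 192.0.2.1 and 192.0.2.2, documentation range */
    printf("source a holds %u of 10 attempts\n", idle_flood(a, 10));
    printf("source b admitted: %d\n", conn_admit(b));
    conn_release(a);
    printf("source a after one close: %d\n", conn_admit(a));
    return 0;
}
```

A check that only runs once a request line has been parsed would never be reached for the ten idle connections in this scenario, which is why the counter is updated at accept and close time.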

