[42743] in North American Network Operators' Group

home help back first fref pref prev next nref lref last post

Re: Pattern matching odd HTTP request

daemon@ATHENA.MIT.EDU (Bill McGonigle)
Thu Sep 20 09:33:12 2001

Date: Thu, 20 Sep 2001 09:32:50 -0400
Content-Type: text/plain; charset=US-ASCII; format=flowed
Mime-Version: 1.0 (Apple Message framework v468)
Cc: Brian Behlendorf <brian@collab.net>, Jake Khuon <khuon@GBLX.Net>,
	mike@biggorilla.com, nanog@merit.edu
To: "Karsten W. Rohrbach" <karsten@rohrbach.de>
From: Bill McGonigle <mcgonigle@medicalmedia.com>
In-Reply-To: <20010920003939.P55380@mail.webmonster.de>
Message-Id: <FCED22F4-ADCB-11D5-9568-003065EAE3C0@medicalmedia.com>
Content-Transfer-Encoding: 7bit
Errors-To: owner-nanog-outgoing@merit.edu


Thanks for all your work on this one, Karsten, and I hope you had a good 
nap. :)

mod_throttle looks like it will stop a DoS from one client effectively, 
though the configuration is a bit complex for just that use of it.  I 
plan to implement it for that.  It doesn't appear to be useful, though, 
for the type of DDoS that seems to be brewing (which I hope fizzles and 
dies).

The traffic pattern I was seeing (one request every 1.5 minutes) means 
it would take 45 attackers to tie up a stock Apache indefinitely.  If 
this was implemented as a Nimda-like worm, using random IP scanning, and 
it attacked servers as it found them, I think there would be a pretty 
good chance of defending against it (firewall the IP if there are n 
timeouts in a time period).  If it did discovery first, though, and kept 
a cache (I'm not going to throw a flag on someone looking for my 
/index.html) and then attacked at a predetermined time, I can't think of 
a way to defend against it with a per-IP configuration.  I'd probably 
never set my per-IP limit below 5, and this would use 3.33 connections 
per IP.

If, however, Apache had a limit on 'barely-open connections' with some 
sort of timeout function, I think that would help.  For instance, it 
might look like:

BarelyOpenConnectionTimeout 10
BarelyOpenConnectionLimit 50

Such that if there were 50 connections open that hadn't sent a request 
for 10 seconds, it would stop dropping them in a FIFO manner.

I mostly hack on higher-level modules in mod_perl, so I don't know 
enough about Apache internals to speak to the feasibility of such a 
function.

-Bill
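The following is an added simulation, not code from the message, from NANOG or from Apache, of the two defences the message compares: the proposed BarelyOpenConnectionTimeout / BarelyOpenConnectionLimit pair (read here as "once `limit` connections have sat idle for `timeout` seconds, drop the oldest of them first until the count is back under the limit", which is one interpretation of the message's wording) and a plain per-IP connection cap. The attack schedule reproduces the figures in the message: 45 hosts each opening one connection every 90 seconds and never sending a request. The server-side figures are assumptions chosen because they reproduce the message's arithmetic: a stock Apache `Timeout` of 300 seconds (300/90 = 3.33 connections per IP on average, 4 at peak) and a stock `MaxClients` of 150 (45 x 3.33 = 150). The attacker addresses, class names and the `simulate()` driver are constructed for the example; it goes a little beyond the message by also running the per-IP rule at a cap the message would never set, to show where it does and does not bite.

```python
"""Simulation of the 'barely-open connection' limit proposed in the message.

Added example, not code from the message or from Apache.  The directive names
BarelyOpenConnectionTimeout / BarelyOpenConnectionLimit come from the message;
the attack schedule, the addresses, the Timeout/MaxClients values and the
per-IP comparison are constructed or assumed here.  Time is in whole seconds.
"""
from collections import OrderedDict


class BarelyOpenLimiter:
    """Connections accepted but with no request line yet, oldest first.

    enforce(now): once at least `limit` connections have been idle for
    `timeout` seconds or more, drop the oldest of them (FIFO) until fewer
    than `limit` remain.  A connection that sends a request leaves the table.
    """

    def __init__(self, timeout, limit):
        self.timeout, self.limit = timeout, limit
        self.idle = OrderedDict()          # conn_id -> accepted_at, oldest first

    def on_accept(self, conn_id, now):
        self.idle[conn_id] = now

    def on_request(self, conn_id):
        self.idle.pop(conn_id, None)       # request seen: no longer 'barely open'

    def on_close(self, conn_id):
        self.idle.pop(conn_id, None)

    def enforce(self, now):
        stale = [c for c, t in self.idle.items() if now - t >= self.timeout]
        dropped = []
        while len(stale) >= self.limit:    # insertion order == age order (FIFO)
            c = stale.pop(0)
            del self.idle[c]
            dropped.append(c)
        return dropped


class PerIpLimiter:
    """The per-IP alternative: refuse a new connection once an address
    already holds `max_per_ip` open ones (the message would not go below 5)."""

    def __init__(self, max_per_ip):
        self.max_per_ip = max_per_ip
        self.by_ip = {}                    # ip -> number of open connections

    def on_accept(self, ip):
        if self.by_ip.get(ip, 0) >= self.max_per_ip:
            return False
        self.by_ip[ip] = self.by_ip.get(ip, 0) + 1
        return True

    def on_close(self, ip):
        self.by_ip[ip] -= 1


def simulate(attackers, interval, server_timeout, duration=1800,
             timeout=None, limit=None, max_per_ip=None):
    """`attackers` hosts each open one connection every `interval` seconds and
    never send a request.  The server's own Timeout closes a silent connection
    after `server_timeout` seconds unless a limiter acts first.  Returns the
    peak number of open connections, connections refused by the per-IP rule
    and connections dropped by the barely-open rule."""
    limiter = BarelyOpenLimiter(timeout, limit) if limit is not None else None
    per_ip = PerIpLimiter(max_per_ip) if max_per_ip is not None else None
    open_conns = {}                        # conn_id -> (ip, accepted_at)
    stats = {"peak_open": 0, "refused": 0, "dropped": 0}
    next_id = 0

    def close(conn_id):
        ip, _ = open_conns.pop(conn_id)
        if limiter:
            limiter.on_close(conn_id)
        if per_ip:
            per_ip.on_close(ip)

    for now in range(duration):
        for c, (_, t) in list(open_conns.items()):   # Apache-style Timeout reap
            if now - t >= server_timeout:
                close(c)
        if now % interval == 0:                      # every attacker connects
            for a in range(attackers):
                ip = f"10.0.{(a + 1) // 256}.{(a + 1) % 256}"  # constructed
                if per_ip and not per_ip.on_accept(ip):
                    stats["refused"] += 1
                    continue
                open_conns[next_id] = (ip, now)
                if limiter:
                    limiter.on_accept(next_id, now)
                next_id += 1
        if limiter:
            for c in limiter.enforce(now):
                close(c)
                stats["dropped"] += 1
        stats["peak_open"] = max(stats["peak_open"], len(open_conns))
    return stats


if __name__ == "__main__":
    # Message's scenario with assumed stock Timeout 300 and MaxClients 150:
    # 45 attackers x 4 peak connections = 180 >= 150 slots, so the server is
    # tied up; a per-IP cap of 5 never fires (4 < 5); the barely-open rule
    # holds the idle pool just under its limit of 50 instead.
    print("no limit   ", simulate(45, 90, 300))
    print("per-IP 5   ", simulate(45, 90, 300, max_per_ip=5))
    print("barely-open", simulate(45, 90, 300, timeout=10, limit=50))
```

Run as-is the first line shows 180 connections at peak with nothing refused or dropped, the second shows the per-IP cap of 5 never refusing anything (each attacker peaks at 4), and the third shows the barely-open rule keeping the idle pool under 100 and dropping the silent connections in FIFO order well before the server's own Timeout would have closed them. Real connection-table logic has to handle partial request lines and keep-alive, which this model ignores.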

