Date:      Thu, 02 May 2002 09:24:52 -0400
From:      Bill Moran <wmoran@potentialtech.com>
To:        "Sulaiman A. Mirdad" <smirdad@naseej.com.sa>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Web server flood control?
Message-ID:  <3CD13E24.50409@potentialtech.com>
References:  <ADEHLBGPEKHOLLKMOLFCAEEKCNAA.smirdad@naseej.com.sa>

If you reply to the list as well, others can answer your question if I
don't know.

Sulaiman A. Mirdad wrote:
> Dear Bill,
> 
> Thank you for your reply, here are some more details; the Apache logs
> indicate that they are sending 50+ HTTP requests per second to different
> pages on my site and the IPs they are using are spoofed IPs that
> periodically change (on an average of every 5-10 mins). Because the IPs are
> not fixed putting my server behind a firewall will not help.

Are you sure this is the case?  Are you sure your server isn't just
busy?  And your assertion that a firewall won't help is nonsense.  It's
very likely that the spoofed packets can be firewalled if you take the time
to examine them closely ... IP addys aren't the only criteria for filtering.

If you really are being spoof attacked, I would guess that you've got a lot
of connections open that aren't serving anything and eventually time out.  You
can accelerate the process by lowering timeout values that Apache uses, be
careful though, or you'll lower them to the point that Apache is dropping
legit connections to slow clients.

Apache has a "Timeout" directive that controls how long idle connections hang
around before it terminates them.  The default is 5 minutes, which is probably
overkill, and is most likely hurting you in this circumstance.  Setting it
to something more like 30 seconds or so should help keep your server on its
feet without hurting legit connections.

Then you need to contact your ISP and get the problem tracked down and stopped,
there is no fix to this you can implement on your side 100%, and it's time to
attack the attacker.
I suggest you be more verbose with your description of the problem to them,
though.  They're going to want logs and other details about the attack, and
frankly, I don't think anyone can help you any more without that information.

I would suggest that you take some time to research attacks of this nature.
There are plenty of sites about DoS attacks, and you should do some Google
searches and research how they work.

>>-----Original Message-----
>>From: Bill Moran [mailto:wmoran@potentialtech.com]
>>Sent: Wednesday, May 01, 2002 6:52 PM
>>To: Sulaiman A. Mirdad
>>Cc: freebsd-questions@FreeBSD.ORG
>>Subject: Re: Web server flood control?
>>
>>
>>Sulaiman A. Mirdad wrote:
>>
>>>I am hosting a forums web site that contains non-mainstream ideas. The
>>>result is that a number of individuals have started flooding my web
>>>server.
>>>
>>>I searched the web for a solution but was not successful. I would greatly
>>>appreciate it if you can let me know if you know of a solution.
>>>
>>Sure, spend more money, that always helps.
>>
>>You can't seriously think that anyone on this list can be of any help to
>>you with as little information as you've provided?
>>Depending on exactly which aspect of this "flooding" is bothering you
>>will determine what kind of solution you need to take.  If the server
>>is overwhelmed, get a faster one.  If the connection is full, get more
>>bandwidth.  If people are spamming the system, implement some sort of
>>filters.


-- 
Bill Moran
Potential Technology
http://www.potentialtech.com
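
An added example, not part of the original message: a Python sketch of the log examination suggested above, which measures the peak request rate and looks for a request trait other than the source address that a filter could match. It assumes Apache's combined log format; the sample lines, addresses and the "FloodAgent/1.0" string are constructed.

```python
import re
from collections import Counter

# Apache "combined" log format (assumed; the thread does not say which format is in use).
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) '
    r'(?P<proto>[^"]*)" \d{3} \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
FIELDS = ("ip", "proto", "referer", "agent")

def summarize(lines):
    """Peak requests/second plus, per field, the most common value and its share."""
    per_second, counts, total = Counter(), {f: Counter() for f in FIELDS}, 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not in combined format
        total += 1
        per_second[m["ts"]] += 1  # log timestamps have one-second resolution
        for f in FIELDS:
            counts[f][m[f]] += 1
    dominant = {}
    for f in FIELDS:
        value, n = counts[f].most_common(1)[0] if total else ("", 0)
        dominant[f] = (value, n / total if total else 0.0)
    return {"total": total, "peak_per_second": max(per_second.values(), default=0),
            "dominant": dominant}

def build_sample():
    """Constructed log lines: 60 requests in one second from changing addresses
    that share one User-Agent, plus two ordinary browser requests."""
    lines = [
        f'198.51.100.{i + 1} - - [02/May/2002:09:00:01 -0400] '
        f'"GET /forum/page{i}.html HTTP/1.0" 200 512 "-" "FloodAgent/1.0"'
        for i in range(60)
    ]
    lines.append('192.0.2.10 - - [02/May/2002:09:00:01 -0400] "GET /index.html '
                 'HTTP/1.1" 200 2048 "http://example.org/" "Mozilla/4.0 (compatible)"')
    lines.append('192.0.2.11 - - [02/May/2002:09:00:02 -0400] "GET /forum/ '
                 'HTTP/1.1" 200 4096 "http://example.org/" "Mozilla/5.0 (X11)"')
    return lines

if __name__ == "__main__":
    report = summarize(build_sample())
    print("requests:", report["total"], "peak/s:", report["peak_per_second"])
    for field, (value, share) in report["dominant"].items():
        print(f"{field:8} {share:6.1%}  {value}")
```

A field whose most common value covers nearly all requests while the address share stays tiny is a candidate filtering criterion; it also gives the ISP concrete detail to work with.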

