
New Apache Module For Fending Off DoS Attacks

Network Dweebs Corporation writes "A new Apache DoS mod, called mod_dosevasive (short for dos evasive maneuvers) is now available for Apache 1.3. This new module gives Apache the ability to deny (403) web page retrieval from clients requesting more than one or two pages per second, and helps protect bandwidth and system resources in the event of a single-system or distributed request-based DoS attack. This freely distributable, open-source mod can be found at http://www.networkdweebs.com/stuff/security.html"
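The mechanism the summary describes, as an added example that is not the module's own code: a per-client counter that refuses (403) more than a couple of requests for the same page inside a one-second window and then keeps that client blocked for a while. The class, parameter names and defaults below are assumptions chosen to mirror the summary's "one or two pages per second", not mod_dosevasive's actual directives, and all three traffic samples are constructed. The third sample shows the shared-source-IP case raised in the comments: everyone behind one NAT gateway looks like a single client to a gate keyed on the source address.

```python
"""
Toy model of a request-rate gate of the kind the summary describes.
Added example, not mod_dosevasive's code; the parameter names and
defaults are assumptions that mirror the description in the summary.
"""


class DosGate:
    """Fixed-interval counters keyed on (client_ip, uri) and on client_ip,
    plus a per-IP block list.

    page_count:      requests to the same URI allowed per page_interval seconds
    site_count:      requests to any URI allowed per site_interval seconds
    blocking_period: seconds a client stays blocked after tripping either limit
    """

    def __init__(self, page_count=2, page_interval=1.0,
                 site_count=50, site_interval=1.0, blocking_period=10.0):
        self.page_count = page_count
        self.page_interval = page_interval
        self.site_count = site_count
        self.site_interval = site_interval
        self.blocking_period = blocking_period
        self._page = {}     # (ip, uri) -> (window_start, count)
        self._site = {}     # ip        -> (window_start, count)
        self._blocked = {}  # ip        -> time at which the block expires

    @staticmethod
    def _bump(table, key, now, interval):
        """Count one hit in a fixed window; return the count so far in that window."""
        start, count = table.get(key, (now, 0))
        if now - start >= interval:   # window expired: start a fresh one
            start, count = now, 0
        count += 1
        table[key] = (start, count)
        return count

    def check(self, ip, uri, now):
        """Return the status this request would get: 200 (serve) or 403 (refuse)."""
        expires = self._blocked.get(ip)
        if expires is not None:
            if now < expires:
                return 403            # still inside the blocking period
            del self._blocked[ip]     # block has lapsed; counters are stale by now
        page_hits = self._bump(self._page, (ip, uri), now, self.page_interval)
        site_hits = self._bump(self._site, ip, now, self.site_interval)
        if page_hits > self.page_count or site_hits > self.site_count:
            self._blocked[ip] = now + self.blocking_period
            return 403
        return 200


def run_scenario(requests, **params):
    """Feed (time, ip, uri) tuples through one fresh gate; return the statuses."""
    gate = DosGate(**params)
    return [gate.check(ip, uri, t) for t, ip, uri in requests]


# Constructed traffic samples, not captured data.

# 1. A browser loading one page and ten images within 0.2 s: every URI is
#    distinct, so the per-page limit never trips and the site limit is far off.
PAGE_WITH_IMAGES = [(0.0, "198.51.100.7", "/index.html")] + [
    (0.02 * i, "198.51.100.7", f"/img/{i}.gif") for i in range(1, 11)
]

# 2. A scripted client hammering one URI: the third request in the same
#    second is refused and the client stays blocked for blocking_period.
HAMMER = [(0.1 * i, "203.0.113.9", "/index.html") for i in range(5)] + [
    (9.0, "203.0.113.9", "/other.html"),   # still inside the blocking period
    (10.6, "203.0.113.9", "/other.html"),  # block lapsed, fresh window
]

# 3. Three people behind one NAT gateway opening the front page in the same
#    second: the gate keys on source IP, so the third person (and everyone
#    after them for the next ten seconds) is refused.
NAT_OFFICE = [
    (0.10, "192.0.2.1", "/"),      # user A
    (0.40, "192.0.2.1", "/"),      # user B
    (0.70, "192.0.2.1", "/"),      # user C trips the limit
    (0.90, "192.0.2.1", "/news"),  # user A again, now blocked regardless of URI
]


if __name__ == "__main__":
    print("page+images:", run_scenario(PAGE_WITH_IMAGES))
    print("hammer:     ", run_scenario(HAMMER))
    print("nat office: ", run_scenario(NAT_OFFICE))
```

Raising page_count (the last assertion style in the test does this with page_count=5) makes the NAT office pass, but the same change also lets an attacker send that many more requests per second per IP before being cut off, which is the tradeoff the thread argues about.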
  • by Green Light ( 32766 ) on Wednesday October 30, 2002 @09:02AM (#4563378) Journal
    Handling all of those requests still takes processing time and bandwidth. What is needed is some type of hardware "filter" out front that can recognize a DoS attack and throw packets away.
  • How clever is it? (Score:2, Insightful)

    by cilix ( 538057 ) <tim at nicholas.net.nz> on Wednesday October 30, 2002 @09:23AM (#4563486) Homepage
    Does anyone know how clever it is? There are several things that I suppose
    you could do to make sure that this doesn't get in the way of normal browsing, but still catches DOS attacks. What sort of things does this module include to work intelligently? How tunable is it?

    One thing that jumps to mind is that you could have some kind of ratio between images and html which has to be adhered to for any x second period. This would hopefully mean that going to webpages with lots of images (which are all requested really quickly) wouldn't cause any problems. Also, more than one request can be made in a single http session (I think - I don't really know anything about this) so I guess you could make use of that to assess whether the traffic fitted the normal profile of a websurfer for that particular site.

    Also, is there anything you can do to ensure that several people behind a NATing firewall all surfing to the same site don't trip the anti-DOS features?

    Just thinking while I type really...
  • by Gadzinka ( 256729 ) <rrw@hell.pl> on Wednesday October 30, 2002 @09:27AM (#4563509) Journal
    Problem is that this approach doesn't solve any problems, creates new ones and is a great DoS tool in itself.

    This is the same problem as with all filters automagically cutting off all requests from a given ip/netblock after spotting some abuse.

    Think big LAN behind masquerading firewall, or caching proxy for large organization, where one person using it can block access to the site using these automatic defenses.

    Funny thing is that this broken-by-design solution has been known for years, its flaws have been known for years, and yet we see every once in a while another tool using this scheme.

    Robert
  • by Gadzinka ( 256729 ) <rrw@hell.pl> on Wednesday October 30, 2002 @09:39AM (#4563570) Journal
    (yeah,
    1. write
    2. preview
    3. post
    4. think
    5. reply to you own post
    ;)

    Think big LAN behind masquerading firewall, or caching proxy for large organization, where one person using it can block access to the site using these automatic defenses.

    Or think of an impostor sending requests with a forged source IP.

    What? TCP sequence numbers? Impossible to impersonate TCP session?

    Think again (links: bindview.com, coredump.cx).

    Robert
  • Too slow/too fast. (Score:3, Insightful)

    by perlyking ( 198166 ) on Wednesday October 30, 2002 @10:04AM (#4563732) Homepage
    "This new module gives Apache the ability to deny (403) web page retrieval from clients requesting more than one or two pages per second."

    I can easily request a couple of pages a second, if I'm spawning off links to read in the background. On the other hand, wouldn't an automated attack be requesting much faster than 2 per second?
  • by The Whinger ( 255233 ) on Wednesday October 30, 2002 @10:33AM (#4564006) Homepage
    "Also, is there anything you can do to ensure that several people behind a NATing firewall all surfing to the same site don't trip the anti-DOS features?"

    Whilst not totally impossible ... the chances of this are SMALL. Same URI same minute ... possible, same URI same second ... rare I guess ...
  • by HiredMan ( 5546 ) on Wednesday October 30, 2002 @05:54PM (#4568448) Journal
    One wonders why he didn't just use some JavaScript to break out of the frame jail, and then explain that users had been redirected to foo because bar was loading foo's pages?


    Or break out and redirect to a goatse-esque page or something similar... Since they're viewing his competitor's site it would appear to be his content right?


    =tkk

  • by spacefight ( 577141 ) on Friday November 01, 2002 @05:22AM (#4577015)
    If all those frames were for the same page or script.
    Some silly designers tend to have multiple frames of a blank frame, e.g. blank.html. These all would be busted. I do not think that you should use this new module in production, do you?
