New Apache Module For Fending Off DoS Attacks 62
Network Dweebs Corporation writes "A new Apache DoS mod, called mod_dosevasive (short for dos evasive maneuvers) is now available for Apache 1.3. This new module gives Apache the ability to deny (403) web page retrieval from clients requesting more than one or two pages per second, and helps protect bandwidth and system resources in the event of a single-system or distributed request-based DoS attack. This freely distributable, open-source mod can be found at http://www.networkdweebs.com/stuff/security.html"
Bandwidth still being used (Score:2, Insightful)
How clever is it? (Score:2, Insightful)
you could do to make sure that this doesn't get in the way of normal browsing, but still catches DOS attacks. What sort of things does this module include to work intelligently? How tunable is it?
One thing that jumps to mind is that you could have some kind of ratio between images and html which has to be adhered to for any x second period. This would hopefully mean that going to webpages with lots of images (which are all requested really quickly) wouldn't cause any problems. Also, more than one request can be made in a single http session (I think - I don't really know anything about this) so I guess you could make use of that to assess whether the traffic fitted the normal profile of a websurfer for that particular site.
Also, is there anything you can do to ensure that several people behind a NATing firewall all surfing to the same site don't trip the anti-DOS features?
Just thinking while I type really...
Re:Bandwidth still being used (Score:2, Insightful)
This is the same problem as with all filters automagically cutting off all requests from given ip/netblock after spotting some abuse.
Think big LAN behind masquerading firewall, or caching proxy for large organization, where one person using it can block access to the site using this automatic defenses.
Funny thing is that this broken-by-design solution is known for years, its flaws are known for years, and yet we see every once in a while another tool using this scheme.
Robert
Re:Bandwidth still being used (Score:2, Insightful)
Think big LAN behind masquerading firewall, or caching proxy for large organization, where one person using it can block access to the site using this automatic defenses.
Or think impostor sending requests with forged source IP.
What? TCP sequence numbers? Impossible to impersonate TCP session?
Think [bindview.com] again [coredump.cx].
Robert
Too slow/too fast. (Score:3, Insightful)
I can easily request a couple of pages a second, if i'm spawning off links to read in the background. On the other hand wouldnt an automated attack be requesting much faster than 2 per second?
Re:How clever is it? (Score:4, Insightful)
Whilst not totally impossible
Re:The "why" behind this.. (Score:3, Insightful)
Or break out and redirect to a goatse-esque page or something similar... Since they're viewing his competitor's site it would appear to be his content right?
=tkk
Re:A possible problem? (Score:2, Insightful)