From: "J. Bakshi" <joydeep@infoservices.in>
To: Marek Kierdelewicz <marek@piasta.pl>
Cc: netfilter@vger.kernel.org
Subject: Re: [ Siccess ]How to protect apache benchmarking attack ?
Date: Tue, 12 Jan 2010 16:38:43 +0530 [thread overview]
Message-ID: <4B4C583B.7000101@infoservices.in> (raw)
In-Reply-To: <4B4C48D7.9040706@infoservices.in>
J. Bakshi wrote:
> J. Bakshi wrote:
>
>> Marek Kierdelewicz wrote:
>>
>>
>>>> Hello all,
>>>>
>>>>
>>>>
>>> Hello J.,
>>>
>>>
>>>
>>>
>>>> I am dared to see what "ab" (apache benchmarking too) can do against
>>>> an apache server. I have used the following against my server to check
>>>> call handling
>>>>
>>>>
>>>>
>>> You can use hashlimit [1] match of iptables to limit concurrent
>>> connections from single IP.
>>>
>>> [1] http://linux.die.net/man/8/iptables -> lookup hashlimit; note:
>>> current versions of hashlimit can also use srcip as --hashlimit-mode;
>>> that's probably what you want
>>>
>>> Cheers,
>>> Marek Kierdelewicz
>>>
>>>
>>>
>>>
>> Hello Marek,
>>
>> thanks for your prompt reply. I'll look into the hashlimit as you
>> suggest. Though a question in mind. Can It somehow affect the web
>> access from general users. ? I need the protection but also don't like
>> my protection makes the web service block general users somehow :-)
>>
>> Any real-life configuration is always Welcome.
>>
>> Thanks
>>
>>
>>
>
> What about modifying
>
> iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
>
> to
>
> |iptables -A INPUT -m hashlimit -m tcp -p tcp --dport 80 \|
> |--hashlimit 200/sec --hashlimit-mode srcip --hashlimit-name http \ |
> |-m state --state NEW -j ACCEPT|
>
> ?
>
>
I get success with
` ` `
iptables -A INPUT -m hashlimit -m tcp -p tcp --dport 80 \
--hashlimit 400/sec \
--hashlimit-mode srcip --hashlimit-name http \
-m state --state NEW -j ACCEPT
` ` `
Now I like to add IP blocking for 1 min. I have added
--hashlimit-burst 200 --hashlimit-htable-expire 60000
and the rule failed to work at all. I think --hashlimit-burst need to
set to work properly. But what is the actual concept of
--hashlimit-burst ? Is it really mandatory here to block IP ? Please
suggest. My rule is working fine but the IP blocking is missing only.
Please let me know the actual concept behind --hashlimit-burst .
Thanks
--
জয়দীপ বক্সী
prev parent reply other threads:[~2010-01-12 11:08 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-01-12 9:21 How to protect apache benchmarking attack ? J. Bakshi
2010-01-12 9:28 ` Marek Kierdelewicz
2010-01-12 9:40 ` J. Bakshi
2010-01-12 10:03 ` J. Bakshi
2010-01-12 11:08 ` J. Bakshi [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4B4C583B.7000101@infoservices.in \
--to=joydeep@infoservices.in \
--cc=marek@piasta.pl \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.