How to protect apache benchmarking attack ?

How to protect apache benchmarking attack ?

[J. Bakshi]

Hello all,

I am dared to see what "ab" (apache benchmarking too) can do  against an
apache server.  I have used the following against my server to check
call handling

` ` `
ab -n 1000 -c 20 http://<site-name>/index.php?no_cache=1
` ` `


and it simply bottle neck the target apache server.  the target server
is also  over loaded with huge cpu load.  Is there any  precaution to
prevent this ?  the target  system is already  protected with
mod_security. 

Thanks

-- 
জয়দীপ বক্সী

Re: How to protect apache benchmarking attack ?

[Marek Kierdelewicz]

>Hello all,

Hello J.,

>I am dared to see what "ab" (apache benchmarking too) can do  against
>an apache server.  I have used the following against my server to check
>call handling

You can use hashlimit [1] match of iptables to limit concurrent
connections from single IP.

[1] http://linux.die.net/man/8/iptables -> lookup hashlimit; note:
current versions of hashlimit can also use srcip as --hashlimit-mode;
that's probably what you want

Cheers,
Marek Kierdelewicz

Re: How to protect apache benchmarking attack ?

[J. Bakshi]

Marek Kierdelewicz wrote:
>> Hello all,
>>     
>
> Hello J.,
>
>   
>> I am dared to see what "ab" (apache benchmarking too) can do  against
>> an apache server.  I have used the following against my server to check
>> call handling
>>     
>
> You can use hashlimit [1] match of iptables to limit concurrent
> connections from single IP.
>
> [1] http://linux.die.net/man/8/iptables -> lookup hashlimit; note:
> current versions of hashlimit can also use srcip as --hashlimit-mode;
> that's probably what you want
>
> Cheers,
> Marek Kierdelewicz
>
>   

Hello Marek,

thanks for your prompt reply. I'll look into the hashlimit as you
suggest.  Though a question in mind. Can It somehow affect the web
access from general users. ?  I need the protection but also don't  like
my protection makes the web service block general  users somehow :-)

Any real-life configuration is always Welcome.

Thanks

-- 
জয়দীপ বক্সী

Re: How to protect apache benchmarking attack ?

[J. Bakshi]

J. Bakshi wrote:
> Marek Kierdelewicz wrote:
>   
>>> Hello all,
>>>     
>>>       
>> Hello J.,
>>
>>   
>>     
>>> I am dared to see what "ab" (apache benchmarking too) can do  against
>>> an apache server.  I have used the following against my server to check
>>> call handling
>>>     
>>>       
>> You can use hashlimit [1] match of iptables to limit concurrent
>> connections from single IP.
>>
>> [1] http://linux.die.net/man/8/iptables -> lookup hashlimit; note:
>> current versions of hashlimit can also use srcip as --hashlimit-mode;
>> that's probably what you want
>>
>> Cheers,
>> Marek Kierdelewicz
>>
>>   
>>     
>
> Hello Marek,
>
> thanks for your prompt reply. I'll look into the hashlimit as you
> suggest.  Though a question in mind. Can It somehow affect the web
> access from general users. ?  I need the protection but also don't  like
> my protection makes the web service block general  users somehow :-)
>
> Any real-life configuration is always Welcome.
>
> Thanks
>
>   

What about modifying

iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

to

|iptables -A INPUT -m hashlimit -m tcp -p tcp --dport 80  \|
|--hashlimit 200/sec --hashlimit-mode srcip --hashlimit-name http \ |
|-m state --state NEW -j ACCEPT|

?

-- 
জয়দীপ বক্সী

Re: [ Siccess ]How to protect apache benchmarking attack ?

[J. Bakshi]

J. Bakshi wrote:
> J. Bakshi wrote:
>   
>> Marek Kierdelewicz wrote:
>>   
>>     
>>>> Hello all,
>>>>     
>>>>       
>>>>         
>>> Hello J.,
>>>
>>>   
>>>     
>>>       
>>>> I am dared to see what "ab" (apache benchmarking too) can do  against
>>>> an apache server.  I have used the following against my server to check
>>>> call handling
>>>>     
>>>>       
>>>>         
>>> You can use hashlimit [1] match of iptables to limit concurrent
>>> connections from single IP.
>>>
>>> [1] http://linux.die.net/man/8/iptables -> lookup hashlimit; note:
>>> current versions of hashlimit can also use srcip as --hashlimit-mode;
>>> that's probably what you want
>>>
>>> Cheers,
>>> Marek Kierdelewicz
>>>
>>>   
>>>     
>>>       
>> Hello Marek,
>>
>> thanks for your prompt reply. I'll look into the hashlimit as you
>> suggest.  Though a question in mind. Can It somehow affect the web
>> access from general users. ?  I need the protection but also don't  like
>> my protection makes the web service block general  users somehow :-)
>>
>> Any real-life configuration is always Welcome.
>>
>> Thanks
>>
>>   
>>     
>
> What about modifying
>
> iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
>
> to
>
> |iptables -A INPUT -m hashlimit -m tcp -p tcp --dport 80  \|
> |--hashlimit 200/sec --hashlimit-mode srcip --hashlimit-name http \ |
> |-m state --state NEW -j ACCEPT|
>
> ?
>
>   

I get success with

`  `  `
iptables -A INPUT -m hashlimit -m tcp -p tcp --dport 80  \
--hashlimit 400/sec   \
--hashlimit-mode srcip --hashlimit-name http \
-m state --state NEW -j ACCEPT

`   `   `

Now I like to add IP blocking for 1 min.  I have added


--hashlimit-burst 200 --hashlimit-htable-expire 60000

and the rule failed to work at all.  I think --hashlimit-burst  need to
set to work properly. But what is the actual concept of 
--hashlimit-burst ? Is it really mandatory here to block IP ? Please
suggest. My rule is working fine but the IP blocking is missing only. 
Please let me know the actual concept behind --hashlimit-burst .

Thanks


-- 
জয়দীপ বক্সী