From: "J. Bakshi" <joydeep@infoservices.in>
To: Marek Kierdelewicz <marek@piasta.pl>
Cc: netfilter@vger.kernel.org
Subject: Re: How to protect apache benchmarking attack ?
Date: Tue, 12 Jan 2010 15:33:03 +0530 [thread overview]
Message-ID: <4B4C48D7.9040706@infoservices.in> (raw)
In-Reply-To: <4B4C4389.6010604@infoservices.in>
J. Bakshi wrote:
> Marek Kierdelewicz wrote:
>
>>> Hello all,
>>>
>>>
>> Hello J.,
>>
>>
>>
>>> I am dared to see what "ab" (apache benchmarking too) can do against
>>> an apache server. I have used the following against my server to check
>>> call handling
>>>
>>>
>> You can use hashlimit [1] match of iptables to limit concurrent
>> connections from single IP.
>>
>> [1] http://linux.die.net/man/8/iptables -> lookup hashlimit; note:
>> current versions of hashlimit can also use srcip as --hashlimit-mode;
>> that's probably what you want
>>
>> Cheers,
>> Marek Kierdelewicz
>>
>>
>>
>
> Hello Marek,
>
> thanks for your prompt reply. I'll look into the hashlimit as you
> suggest. Though a question in mind. Can It somehow affect the web
> access from general users. ? I need the protection but also don't like
> my protection makes the web service block general users somehow :-)
>
> Any real-life configuration is always Welcome.
>
> Thanks
>
>
What about modifying
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
to
|iptables -A INPUT -m hashlimit -m tcp -p tcp --dport 80 \|
|--hashlimit 200/sec --hashlimit-mode srcip --hashlimit-name http \ |
|-m state --state NEW -j ACCEPT|
?
--
জয়দীপ বক্সী
next prev parent reply other threads:[~2010-01-12 10:03 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-01-12 9:21 How to protect apache benchmarking attack ? J. Bakshi
2010-01-12 9:28 ` Marek Kierdelewicz
2010-01-12 9:40 ` J. Bakshi
2010-01-12 10:03 ` J. Bakshi [this message]
2010-01-12 11:08 ` [ Siccess ]How " J. Bakshi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4B4C48D7.9040706@infoservices.in \
--to=joydeep@infoservices.in \
--cc=marek@piasta.pl \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox