From: "J. Bakshi" <joydeep@infoservices.in>
To: Marek Kierdelewicz <marek@piasta.pl>
Cc: netfilter@vger.kernel.org
Subject: Re: [ Siccess ]How to protect apache benchmarking attack ?
Date: Tue, 12 Jan 2010 16:38:43 +0530 [thread overview]
Message-ID: <4B4C583B.7000101@infoservices.in> (raw)
In-Reply-To: <4B4C48D7.9040706@infoservices.in>
J. Bakshi wrote:
> J. Bakshi wrote:
>
>> Marek Kierdelewicz wrote:
>>
>>
>>>> Hello all,
>>>>
>>>>
>>>>
>>> Hello J.,
>>>
>>>
>>>
>>>
>>>> I am dared to see what "ab" (apache benchmarking too) can do against
>>>> an apache server. I have used the following against my server to check
>>>> call handling
>>>>
>>>>
>>>>
>>> You can use hashlimit [1] match of iptables to limit concurrent
>>> connections from single IP.
>>>
>>> [1] http://linux.die.net/man/8/iptables -> lookup hashlimit; note:
>>> current versions of hashlimit can also use srcip as --hashlimit-mode;
>>> that's probably what you want
>>>
>>> Cheers,
>>> Marek Kierdelewicz
>>>
>>>
>>>
>>>
>> Hello Marek,
>>
>> thanks for your prompt reply. I'll look into the hashlimit as you
>> suggest. Though a question in mind. Can It somehow affect the web
>> access from general users. ? I need the protection but also don't like
>> my protection makes the web service block general users somehow :-)
>>
>> Any real-life configuration is always Welcome.
>>
>> Thanks
>>
>>
>>
>
> What about modifying
>
> iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
>
> to
>
> |iptables -A INPUT -m hashlimit -m tcp -p tcp --dport 80 \|
> |--hashlimit 200/sec --hashlimit-mode srcip --hashlimit-name http \ |
> |-m state --state NEW -j ACCEPT|
>
> ?
>
>
I get success with
` ` `
iptables -A INPUT -m hashlimit -m tcp -p tcp --dport 80 \
--hashlimit 400/sec \
--hashlimit-mode srcip --hashlimit-name http \
-m state --state NEW -j ACCEPT
` ` `
Now I like to add IP blocking for 1 min. I have added
--hashlimit-burst 200 --hashlimit-htable-expire 60000
and the rule failed to work at all. I think --hashlimit-burst need to
set to work properly. But what is the actual concept of
--hashlimit-burst ? Is it really mandatory here to block IP ? Please
suggest. My rule is working fine but the IP blocking is missing only.
Please let me know the actual concept behind --hashlimit-burst .
Thanks
--
জয়দীপ বক্সী
prev parent reply other threads:[~2010-01-12 11:08 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-01-12 9:21 How to protect apache benchmarking attack ? J. Bakshi
2010-01-12 9:28 ` Marek Kierdelewicz
2010-01-12 9:40 ` J. Bakshi
2010-01-12 10:03 ` J. Bakshi
2010-01-12 11:08 ` J. Bakshi [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4B4C583B.7000101@infoservices.in \
--to=joydeep@infoservices.in \
--cc=marek@piasta.pl \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox