If it is a plain old SYN attack, use:
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
If the IP doesn't change and you just want to block it, use:
iptables -I INPUT -s <bad_guy's_ip> -j DROP
If the attack is more like a SYN attack with a little HTTP logic, I
suggest you start with mod_evasive for apache2.
An apache module - mod_evasive - it counts, "learns" and blocks the
specific kind of attack you described:
Protecting Apache against DOS attack with mod_evasive
http://www.novell.com/coolsolutions/feature/19958.html
Install mod_evasive for Apache to Prevent DDOS Attacks
http://www.mydigitallife.info/2007/08/15/install-mod_evasive-for-apache-to-prevent-ddos-attacks/
An Apache .htaccess file:
Simple solution on HTTP layer (this will not deny the TCP connection itself):
# .htaccess, Apache 2.2 mod_authz_host syntax. The client still completes
# the TCP handshake and sends its request; Apache answers it with 403.
# Applied to every method on purpose: a <Limit ...> wrapper only covers the
# methods it lists, so any method name left out would bypass the deny.
Order allow,deny
Allow from all
Deny from <bad_guy's_ip>
An Apache module - mod_rewrite - used from an .htaccess file:
This should mostly be used if the IP is changing but stays within the
same subnet pattern xxx.yyy.zzz:
# Needs AllowOverride FileInfo when used from .htaccess. The two conditions
# together match xxx.yyy.zzz.64 through xxx.yyy.zzz.128. The pattern is an
# ordinary regex, so the dots are escaped and it is anchored at both ends.
RewriteEngine On
RewriteCond %{REMOTE_ADDR} ^xxx\.yyy\.zzz\.(6[4-9]|7[0-9]|8[0-9]|9[0-9])$ [OR]
RewriteCond %{REMOTE_ADDR} ^xxx\.yyy\.zzz\.1([0-1][0-9]|2[0-8])$
# "-" means no substitution; [F] makes Apache answer 403 Forbidden.
RewriteRule .* - [F]
An Apache module - mod_security:
# ModSecurity 1.x syntax (2.x uses SecRule REMOTE_ADDR instead). The second
# argument is a regex, so escape the dots of the real address.
SecFilterSelective "REMOTE_ADDR" "^<bad_guy's_ip>$"
http://atomicplayboy.net/blog/2005/01/30/an-introduction-to-mod-security/
In-Depth: Apache configuration
Decrease the Keep-Alive Time Window
# seconds Apache waits for the next request on an idle keep-alive connection
KeepAliveTimeout 10
Limit the amount of time someone can stay connected to the server
with an existing connection
# requests served on one persistent connection before Apache closes it
MaxKeepAliveRequests 500
Limit the amount of data a client can post in the HTTP request/XML
request body, example of 100kb:
# both values are in bytes; the XML limit covers XML bodies such as WebDAV requests
LimitRequestBody 102400
LimitXMLRequestBody 102400
Limit the amount of fields/parameters a client can post in the HTTP
request body:
# number of request header fields Apache accepts in one request
LimitRequestFields 50
Limit the maximum size of each field/parameter a client can post in
the HTTP request body:
# bytes allowed for a single request header line
LimitRequestFieldSize 1024
Limit the maximum length allowed for a URI:
# bytes for the whole request line (method, URI and protocol version)
LimitRequestLine 2048
Good Luck!
Rafel.
On Thu, Oct 21, 2010 at 5:40 PM, Kai Witzke <security (at) gaark (dot) de [email concealed]> wrote:
>
> Hey everybody!
>
> I have some serious problems with flooding attacks to my apache2. No
> problems with logins or syn floods, just a huge amount of simple
> requests to my server from the same ip. Anyone got a nice howto on that
> or maybe a nice regex prepared for counting such requests and blocking
> the greedy ones?
>
> thanks in advance
> Kai
>
> This list is sponsored by Cenzic
> --------------------------------------
> Let Us Hack You. Before Hackers Do!
> It's Finally Here - The Cenzic Website HealthCheck. FREE.
> Request Yours Now!
> http://www.cenzic.com/2009HClaunch_Securityfocus
> --------------------------------------
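The step Kai asked for and Rafel's reply leaves to the reader, counting requests per client in the access log and turning the greedy ones into the iptables DROP rule from the reply, as an added shell example that is not code from the original thread. The log lines are constructed for the demo; the threshold of five requests per minute, the one-minute window and the function names are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from the original thread. Count requests per
# client IP in Apache "combined" access_log lines inside a one-minute
# window, then print the iptables DROP rule from the reply for every
# address over a threshold. Sample data, threshold and window are
# constructed/assumed for the demo.

# Constructed sample log (Apache combined format): 203.0.113.7 hammers "/"
# six times within 17:40, 198.51.100.20 sends two normal requests, and one
# more request from 203.0.113.7 falls into the next minute.
SAMPLE_LOG='203.0.113.7 - - [21/Oct/2010:17:40:01 +0200] "GET / HTTP/1.1" 200 512 "-" "-"
198.51.100.20 - - [21/Oct/2010:17:40:02 +0200] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Oct/2010:17:40:02 +0200] "GET / HTTP/1.1" 200 512 "-" "-"
203.0.113.7 - - [21/Oct/2010:17:40:02 +0200] "GET / HTTP/1.1" 200 512 "-" "-"
203.0.113.7 - - [21/Oct/2010:17:40:03 +0200] "GET / HTTP/1.1" 200 512 "-" "-"
198.51.100.20 - - [21/Oct/2010:17:40:05 +0200] "GET /style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Oct/2010:17:40:07 +0200] "GET / HTTP/1.1" 200 512 "-" "-"
203.0.113.7 - - [21/Oct/2010:17:40:09 +0200] "GET / HTTP/1.1" 200 512 "-" "-"
203.0.113.7 - - [21/Oct/2010:17:41:00 +0200] "GET / HTTP/1.1" 200 512 "-" "-"'

# count_requests MINUTE: read access_log lines on stdin, keep only those
# whose timestamp starts with MINUTE (e.g. 21/Oct/2010:17:40) and print
# "count ip" per client, busiest first. The regex on $1 is the "nice regex"
# part: it accepts only a dotted-quad client address, so a forged log line
# cannot smuggle an arbitrary string into a firewall command.
count_requests() {
    minute=$1
    awk -v m="$minute" '
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && index($4, "[" m) == 1 { n[$1]++ }
        END { for (ip in n) print n[ip], ip }
    ' | sort -rn
}

# offenders THRESHOLD MINUTE: addresses with at least THRESHOLD requests in
# that minute, one per line.
offenders() {
    count_requests "$2" | awk -v t="$1" '$1 >= t { print $2 }'
}

# drop_rules THRESHOLD MINUTE: print (do not run) the iptables command from
# the reply for each offender. Review the list, then pipe it to sh.
drop_rules() {
    offenders "$1" "$2" | while read -r ip; do
        echo "iptables -I INPUT -s $ip -j DROP"
    done
}

# Demo with an assumed threshold of 5 requests per minute.
printf '%s\n' "$SAMPLE_LOG" | drop_rules 5 21/Oct/2010:17:40
# prints: iptables -I INPUT -s 203.0.113.7 -j DROP
```

Against a live server, feed it the recent part of the log (for example the last few thousand lines of access.log) and read the printed rules before piping them to sh. A per-address block only helps while the address stays fixed, which is why the reply points to mod_evasive and the mod_rewrite subnet pattern for the changing-IP case.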