httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From George Genovezos <George.Genove...@Copart.Com>
Subject Re: [users@httpd] Re: throttling IP addresses
Date Tue, 02 Feb 2016 16:47:49 GMT
Yes,

I am referring to an external firewall.

So the idea is to use the web server to proxy external traffic and place an IP hit counter,
that would throttle a DDOS attack. Even with a unix firewall, we still need a way to identify
the threat and update the firewall. Do you have any thoughts on that?

Thanks


George Genovezos
Application Security Architect
CISSP, ISSAP, CIFI

Copart
I-- 







On 2/1/16, 6:04 PM, "Richard" <lists-apache@listmail.innovate.net> wrote:

>Are you referring to a 3rd-party firewall in front of the machine or
>the OS's firewall. Most *nix system (built-in) firewalls that I've
>dealt with have a lot of granularity and capabilities. They can
>certainly do an IP-specific (or range) blocks on one (or all) ports
>and some can do the throttling for you. That's what I've used when
>I've needed to deal with issues like yours. Changing a web server
>response to a 403 doesn't have all that much effect if you're
>dealing with high-volume traffic.
>
>
>> Date: Monday, February 01, 2016 22:07:45 +0100
>> From: Luca Toscano <toscano.luca@gmail.com>
>>
>> Hi George,
>> 
>> I would also check mod_qos for your use case!
>> 
>> Luca
>> Il 01 feb 2016 22:00, "George Genovezos"
>> <George.Genovezos@copart.com> ha scritto:
>> 
>>> Richard,
>>> 
>>> I would agree with you that a more elegant solution is required.
>>> Unfortunately the firewall will only block or allow a particular
>>> port.
>>> 
>>> The correct solution would be to implement an IPS solution in
>>> front of a firewall, but where in the do more with less phase.
>>> 
>>> 
>>> George Genovezos
>>> Application Security Architect
>>> CISSP, ISSAP, CIFI
>>> 
>>> Copart
>>> I--
>>> 
>>> On 2/1/16, 2:27 PM, "Richard"
>>> <lists-apache@listmail.innovate.net> wrote:
>>> 
>>> > 
>>> > 
>>> >> Date: Monday, February 01, 2016 19:52:51 +0000
>>> >> From: George Genovezos <George.Genovezos@Copart.Com>
>>> >> 
>>> >> Hi,
>>> >> 
>>> >> I’m hoping someone can help with a problem I’m having. I
>>> >> need a basic Ddos  mitigation tool. Basically, either
>>> >> throttling back certain IP addresses or blocking access after
>>> >> too many connections per second.
>>> >> 
>>> >> I know mod_evasive did this but the project, to my knowledge is
>>> >> deprecated.
>>> >> 
>>> >> So to draw this out, I want a web server to count the number of
>>> >> connection per seconds, and if an IP breaches this limit to
>>> >> either throttle or block the connection. Then I want to use
>>> >> mod_proxy to reverse proxy that clean connection to my web
>>> >> servers.
>>> >> 
>>> >> Any feedback would be greatly appreciated.
>>> >> 
>>> >> George Genovezos
>>> >> Application Security Architect
>>> >> CISSP, ISSAP, CIFI
>>> >> 
>>> >> Copart
>>> > 
>>> > In my view, doing this at the web server is rather late in the
>>> > game. If I'm reading the mod_evasive documentation correctly,
>>> > all it (or something similar) does is stops serving content and
>>> > returns 403s. If your content is resource expensive to deliver
>>> > that will help some, but you're still going to get all the
>>> > requests hitting the web server and you're still going to be
>>> > responding to them.
>>> > 
>>> > The better place to address this is at your system's firewall.
>>> > Depending on your system, you likely have firewall tools that
>>> > can provide a more robust solution.
>>> > 
>>> > 
>>> > 
>>> > ---------------------------------------------------------------
>>> > ------ To unsubscribe, e-mail:
>>> > users-unsubscribe@httpd.apache.org For additional commands,
>>> > e-mail: users-help@httpd.apache.org
>>> > 
>>> 
>
>------------ End Original Message ------------
>
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>For additional commands, e-mail: users-help@httpd.apache.org
>
Mime
View raw message