that are malicious crawling attempts (first case) or DOS attacks (second case). In these cases my server load increases to 30-40 because every request is a query (or more than one, because the PHP script queries different tables) and I receive hundreds and hundreds of them. How can I detect and prevent this? I tried to use the mod_evasive Apache module, but it's based on requests per second, so for mod_evasive there is no difference between a normal request (made up of a page and its resources like images, css, js, etc.) and a DOS attack (just page requests), because the number of requests per second is the same (in my example the number of requests is 10).
Thanks to everyone and have a great weekend.
Replies to the message from Piero (piero.bacarella@gmail.com)
> Hi everyone,
> I've a LAMP webserver, with Apache 1.3 and PHP 4, MySQL 4 and Red Hat
> Enterprise 4 Update 5.
> Assuming the website is www.example.com.
> I receive about 20.000 unique users/day. Normally I have about 100
> concurrent users and HTTP requests are like:
> The system load is 2.00 average (I know, it's high). The problem is
> the following. Sometimes I receive HTTP requests like this:
> 10.10.10.10 - - [15/Jun/2007:23:14:00 +0200] "GET /page.php?id=1 HTTP/
> 1.1" 200 16176 "http://www.example.com/" "Mozilla/4.0 (compatible;
> that are malicious crawling attempts (first case) or DOS attacks
> (second case).
> In this cases my server load increase to 30-40 because every request
> is a query (or more than one because the PHP script query different
> tables) and I receive hundreds and hundreds of them.
> How can I detect and prevent this?
> I tried to use mod_evasive apache module, but it's based on request
> per second, so, for mod_evasive there isn't differences between a
> normal request (made up by a page and its resources like images, css,
> js, ecc) and a DOS attack (just page request) because the number of
> requests per second are the same (in my example the number of requests
> are 10).
Do you receive the request really from 10.10.10.10? You could do iptables -p tcp -s 10.10.10.10 --dport 80 -j REJECT.
> Hi everyone,
> I've a LAMP webserver, with Apache 1.3 and PHP 4, MySQL 4 and Red Hat
> Enterprise 4 Update 5.
> Assuming the website is www.example.com.
> I receive about 20.000 unique users/day. Normally I have about 100
> concurrent users and HTTP requests are like:
> 10.10.10.10 - - [16/Jun/2007:14:26:55 +0200] "GET / HTTP/1.1" 200
> 48711 "-" "Mozilla/5.0 (X11; U; Linux i686; it; rv:1.8.1.4) Gecko/
> 20060601 Firefox/2.0.0.4 (Ubuntu-edgy)"
You might try tuning this:
# Assumed, not in the original post: the rules below append to a user-defined
# HTTP chain, so it has to exist and receive the port-80 traffic first.
iptables -N HTTP
iptables -A INPUT -p tcp --dport 80 -j HTTP

# Log (rate-limited) a new connection from a source already seen in the last 15 s
iptables -A HTTP -m state --state NEW -m recent --update \
    --seconds 15 -m limit --limit 1/m --limit-burst 1 \
    -j LOG --log-prefix "HTTP "
# Drop a new connection if the source was seen 3 or more times in the last 15 s
iptables -A HTTP -m state --state NEW -m recent --update \
    --seconds 15 --hitcount 3 -j DROP
# Record the source in the "recent" list and accept the connection
iptables -A HTTP -m state --state NEW -m recent --set -j ACCEPT
iptables -A HTTP -j ACCEPT   # Accept what gets through the above
On 29 Jun, 14:12, Burkhard Ott wrote:
> On Fri, 29 Jun 2007 03:02:18 -0700, Piero wrote:
> > Hi everyone,
> > I've a LAMP webserver, with Apache 1.3 and PHP 4, MySQL 4 and Red Hat
> > Enterprise 4 Update 5.
> > Assuming the website is www.example.com.
> > I receive about 20.000 unique users/day. Normally I have about 100
> > concurrent users and HTTP requests are like:
> > The system load is 2.00 average (I know, it's high). The problem is
> > the following. Sometimes I receive HTTP requests like this:
> > 10.10.10.10 - - [15/Jun/2007:23:14:00 +0200] "GET /page.php?id=1 HTTP/
> > 1.1" 200 16176 "http://www.example.com/" "Mozilla/4.0 (compatible;
> > that are malicious crawling attempts (first case) or DOS attacks
> > (second case).
> > In this cases my server load increase to 30-40 because every request
> > is a query (or more than one because the PHP script query different
> > tables) and I receive hundreds and hundreds of them.
> > How can I detect and prevent this?
> > I tried to use mod_evasive apache module, but it's based on request
> > per second, so, for mod_evasive there isn't differences between a
> > normal request (made up by a page and its resources like images, css,
> > js, ecc) and a DOS attack (just page request) because the number of
> > requests per second are the same (in my example the number of requests
> > are 10).
> Do you receive the request really from 10.10.10.10?
> You could do iptables -p tcp -s 10.10.10.10 --dport 80 -j REJECT.
iptables -I INPUT -p tcp --src 10.10.10.10 -j DROP
If the attacker is using different IPs, try installing APF then installing apfados. It might help. It didn't help me the last time we were DOSed, but I wrote a script to handle that. You can have a copy of that script (below); it might help. But this script looks for very specific info in the access log, you'll need to change it according to your situation. And apf -d just adds an IP into the firewall's block list. Good luck.
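The script the previous reply refers to is not reproduced on this page. What follows is an added example, written for this thread and not the poster's script or anything from the original post: it implements the detection the original poster asked for, the one mod_evasive cannot express, by reading Apache combined-format access log lines and separating, per client, requests for dynamic pages (such as /page.php?id=1) from requests for static assets (css, js, images). A real browser fetching a page also fetches its assets; a client that issues a burst of dynamic-page requests and almost no asset requests is the pattern described above. The time window, the burst threshold, the static-to-dynamic ratio and the static extension list are assumptions to tune per site; the sample log lines are constructed. The `drop_rules` helper only renders the per-IP `iptables` rule suggested earlier in the thread as text so an operator can review it before applying anything.

```python
"""Flag clients that hammer dynamic pages without fetching page assets.

Added example (not code from the original thread). Parses Apache combined-format
access log lines, counts each client's dynamic-page requests against its static
asset requests, and reports clients whose dynamic-page rate inside a time window
is high while they fetch (almost) no assets. Thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" LogFormat: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Assumed list of asset extensions that a browser fetches alongside a page
STATIC_EXT = ('.css', '.js', '.png', '.gif', '.jpg', '.jpeg', '.ico')


def parse_line(line):
    """Return a dict with ip, ts (aware datetime) and path, or None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    return {'ip': m.group('ip'), 'ts': ts, 'path': m.group('path')}


def is_static(path):
    """Known asset extensions are static; everything else (/, /page.php?id=1, ...) is dynamic."""
    return path.split('?', 1)[0].lower().endswith(STATIC_EXT)


def max_hits_in_window(times, window_seconds):
    """Largest number of timestamps that fall inside any window of window_seconds (two-pointer sweep)."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_suspects(lines, window_seconds=60, min_dynamic=20, max_static_ratio=0.1):
    """Return {ip: (peak dynamic hits in one window, total static hits)} for clients that
    reach min_dynamic dynamic requests inside a window while fetching at most
    max_static_ratio static files per dynamic request. Thresholds are assumptions."""
    dynamic = defaultdict(list)   # ip -> timestamps of dynamic-page requests
    static = defaultdict(int)     # ip -> number of asset requests
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue              # skip lines in another format rather than fail
        if is_static(rec['path']):
            static[rec['ip']] += 1
        else:
            dynamic[rec['ip']].append(rec['ts'])
    suspects = {}
    for ip, times in dynamic.items():
        peak = max_hits_in_window(times, window_seconds)
        if peak >= min_dynamic and static[ip] / len(times) <= max_static_ratio:
            suspects[ip] = (peak, static[ip])
    return suspects


def drop_rules(suspects):
    """Render, as text only, the per-IP DROP rule suggested in the thread for each suspect."""
    return ['iptables -I INPUT -p tcp -s %s --dport 80 -j DROP' % ip for ip in sorted(suspects)]


# Constructed sample log: one normal visitor (a page plus its assets, then a second page)
# and one client requesting /page.php?id=N thirty times in thirty seconds with no assets.
UA = '"Mozilla/5.0 (X11; U; Linux i686; it; rv:1.8.1.4) Gecko/20060601 Firefox/2.0.0.4"'
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Jun/2007:23:13:50 +0200] "GET / HTTP/1.1" 200 48711 "-" ' + UA,
    '10.0.0.5 - - [15/Jun/2007:23:13:50 +0200] "GET /style.css HTTP/1.1" 200 2210 "http://www.example.com/" ' + UA,
    '10.0.0.5 - - [15/Jun/2007:23:13:51 +0200] "GET /menu.js HTTP/1.1" 200 1440 "http://www.example.com/" ' + UA,
    '10.0.0.5 - - [15/Jun/2007:23:13:51 +0200] "GET /logo.png HTTP/1.1" 200 5120 "http://www.example.com/" ' + UA,
    '10.0.0.5 - - [15/Jun/2007:23:13:52 +0200] "GET /page.php?id=7 HTTP/1.1" 200 16176 "http://www.example.com/" ' + UA,
] + [
    '10.10.10.10 - - [15/Jun/2007:23:14:%02d +0200] "GET /page.php?id=%d HTTP/1.1" 200 16176 '
    '"http://www.example.com/" "Mozilla/4.0 (compatible; MSIE 6.0)"' % (i, i + 1)
    for i in range(30)
]

if __name__ == '__main__':
    found = find_suspects(SAMPLE_LOG)
    for ip, (peak, static_hits) in found.items():
        print('%s: %d dynamic hits in 60s, %d static hits' % (ip, peak, static_hits))
    print('\n'.join(drop_rules(found)))
```

Run against the constructed sample it reports only 10.10.10.10 (30 dynamic hits in the window, 0 static), while the normal visitor, who requested two pages and three assets, is not flagged even though its per-second request rate is similar. The ratio check is what mod_evasive's plain request counter lacks; a site that serves its assets from another host or a CDN would need the static counting done there instead, or the ratio check dropped in favour of the burst threshold alone.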