On Tue, Mar 16, 2010 at 10:32:40AM +0100, Bernhard Krieger wrote:
> Hello Willi,
>
> Thanks for the reply.
> If I change the rule to block the requests, the session rate grows up
> to 1000/secs.
> If I use the redirection option (to http://127.0.0.1), it decreases
> to 500/secs.

It means that the attacker immediately retries. Then use a tarpit, it
will slow it down a lot. What version are you running? With 1.4
you can condition the tarpit with an ACL:

    timeout tarpit 1m
    reqtarpit . if ! { hdr_reg(user-agent) . }

On 1.3 it will be a bit more complicated, you'll have to branch to a
specific backend for the tarpit:

    frontend ...
        acl ua-ok hdr_reg(user-agent) .
        use_backend bk_tarpit if !ua-ok

    backend bk_tarpit
        timeout tarpit 1m
        reqtarpit .

> The DOS-Attack itself is very strange, it attacks my old clanpage
> which has not more than 10 requests per month ... a very high visited
> page ;)
>
> The attack produces only traffic... he will never reach the final goal :)

Well, never underestimate a DoS attack. There is often a first phase of
identification of the target. You should also avoid publicly discussing
the reasons why you think it will not succeed and the workarounds you
are setting up! If the guy really wants to take you down, he just has
to read the list's archives to update his attack vector.

Regards,
Willy
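
Added example, not part of the original mail: one way to check from the logs that the tarpit above is holding connections, by counting requests logged with the "PT" termination state per source, the peak number of sessions accepted per second, and the shortest hold time. The log lines are constructed in HAProxy's HTTP log format; the addresses, the host name "lb", the frontend name "www" and the backend "bk_web" are assumptions.

```python
import re
from collections import Counter

# Constructed sample in HAProxy's HTTP log format ("option httplog").
# Addresses, host "lb", frontend "www" and backend "bk_web" are made up;
# "bk_tarpit" is the backend name used in the mail above.
SAMPLE_LOG = """\
Mar 16 10:40:01 lb haproxy[2211]: 192.0.2.10:40112 [16/Mar/2010:10:39:01.120] www bk_tarpit/<NOSRV> 0/-1/-1/-1/60001 500 212 - - PT-- 3/3/0/0/0 0/0 "GET / HTTP/1.0"
Mar 16 10:40:01 lb haproxy[2211]: 192.0.2.10:40113 [16/Mar/2010:10:39:01.480] www bk_tarpit/<NOSRV> 0/-1/-1/-1/60000 500 212 - - PT-- 3/3/0/0/0 0/0 "GET / HTTP/1.0"
Mar 16 10:40:01 lb haproxy[2211]: 192.0.2.11:51870 [16/Mar/2010:10:39:01.900] www bk_tarpit/<NOSRV> 0/-1/-1/-1/60002 500 212 - - PT-- 3/3/0/0/0 0/0 "GET / HTTP/1.0"
Mar 16 10:39:02 lb haproxy[2211]: 198.51.100.7:33020 [16/Mar/2010:10:39:02.050] www bk_web/srv1 3/0/1/12/16 200 5120 - - ---- 4/4/1/1/0 0/0 "GET /index.php HTTP/1.1"
Mar 16 10:40:02 lb haproxy[2211]: 192.0.2.10:40114 [16/Mar/2010:10:39:02.300] www bk_tarpit/<NOSRV> 0/-1/-1/-1/60001 500 212 - - PT-- 3/3/0/0/0 0/0 "GET / HTTP/1.0"
"""

# client ip:port, [accept date], frontend, backend/server, timers, status,
# bytes, two captured-cookie fields, then the 4-character termination state.
LINE_RE = re.compile(
    r"haproxy\[\d+\]: (?P<ip>[\d.]+):\d+ \[(?P<ts>[^\]]+)\] \S+ "
    r"(?P<backend>[^/\s]+)/\S+ (?P<timers>[\d/+-]+) (?P<status>-?\d+) "
    r"\+?\d+ \S+ \S+ (?P<term>\S{4}) "
)

def tarpit_report(text):
    """Summarise tarpit activity: per-source counts, accept-rate peak, hold time."""
    per_source = Counter()   # tarpitted requests per client address
    per_second = Counter()   # sessions accepted per wall-clock second
    hold_ms = []             # total session time (Tt) of tarpitted requests
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an HTTP-format log line
        per_second[m["ts"].split(".")[0]] += 1
        # Termination state "PT": request blocked and connection tarpitted.
        if m["term"].startswith("PT"):
            per_source[m["ip"]] += 1
            hold_ms.append(int(m["timers"].split("/")[-1].lstrip("+")))
    return {
        "tarpitted_by_source": dict(per_source),
        "peak_sessions_per_sec": max(per_second.values(), default=0),
        "min_hold_ms": min(hold_ms, default=None),
    }

if __name__ == "__main__":
    print(tarpit_report(SAMPLE_LOG))
```

A hold time close to the configured "timeout tarpit" together with a falling sessions-per-second peak indicates the clients are being slowed rather than retrying immediately.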