I'm glad I haven't got your user.. I think most any site on the
net can be brought to its knees by, for example, stuffing its
site search form with random but very common words and pressing
the post button and issuing these requests as frequently as
possible from a long list of open proxies.. or how about repeatedly
fetching random pages of very old postings such that the SQL
server index/table memory cache becomes useless... nightmare ;)
All one can do is respond with appropriate measures at the time
of the attack, which is why working in modperl is cool because
of the ease with which one can patch in defenses and modify
them while live.
Writing a short script that takes the last 20 minutes of access_log
and automatically identifies abuse based on frequency of request,
IPs and URL patterns, and drops the route to those IPs is a
good start.. to have this auto-triggered from a site monitoring
script is even better.
-Justin
On Thu, Jun 07, 2001 at 08:37:04PM -0700, Jeremy Rusnak wrote:
> Hi all,
>
> Just thought I would add my two cents...I run an online gaming site
> and the end users often decide to mess with our systems. We service
> a pretty juvenile crowd in some regards. So there definitely is a
> need for better protection from floods.
>
> I've had one user in particular who has been attacking our site
> regularly for the past year and a half. He'll set up a couple
> machines with scripts to call forum posting scripts with random
> information passed into them. He'll call a generic CGI script
> ten times a second because he can tell it slows down the server.
> He'll bombard the servers with huge UDP packets. He bulk E-mails
> viruses and zombies to our users....It's insane.
>
> In short, this is a big issue for sites that get a decent amount of
> traffic. Better flood protection is always a good thing.
>
> We've got a great Cisco firewall that stops a lot of these kinds
> of things, but this fellow discovered open proxies and has been
> a pain ever since. He has a script that bombards us using a
> different proxy every five seconds. (There are lists out there
> updated in real-time with hundreds of open proxies thanks to
> the "privacy advocates" on the Net.)
>
> By the way, the guy is in Spain so the government can't/won't do
> anything. We've blocked half the providers in Spain as a result
> of him getting a new IP when he has been stupid enough to use
> a real IP.
>
> So I would suggest that rate limiting based on IP address is a
> start, but it isn't the end all. You've got to have a big bag
> of tricks. Don't just look for one solution.
>
> Jeremy
>
> -----Original Message-----
> From: Martin Redington [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, June 07, 2001 6:08 PM
> To: [EMAIL PROTECTED]
> Cc: Justin
> Subject: Re: IP based instant throttle?
>
>
>
> Do you get flooded that frequently that this is an issue?
>
> I've seen DOS, and various buffer overflows etc. in the real world, but
> I've never seen this.
>
> Unless it's happening very often, I would have thought that some
> monitoring and a 2am "Deny from ip" in your httpd.conf would be
> enough ...
>
>
> On Friday, June 8, 2001, at 01:50 am, Justin wrote:
>
> > Does anyone see the value in a Throttle module that looked at
> > the apache parent status block and rejected any request where
> > another child was already busy servicing *that same IP* ?
> > (note: the real IP is in the header in a backend setup so it
> > is not possible to dig it out across children without
> > creating another bit of shared memory or using the filesystem?).
> >
> > I'm still finding existing throttle modules do not pick up and
> > block parallel or fast request streams fast enough .. ok there are
> > no massive outages but 10 seconds of delay for everyone because
> > all demons are busy servicing the same guy before we can conclude
> > we're being flooded is not really great.. modperl driven forums
> > (or PHP ones even) can be killed this way since there are so
> > many links on one page, all active..
> >
> > thanks for any thoughts on this.
> >
> > -Justin
> >
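The "short script that takes the last 20 minutes of access_log and identifies abuse by request frequency, IP and URL pattern" that Justin sketches at the top of the thread, written out as an added example. This is not code from the thread or from any modperl module; it is in Python rather than Perl purely so it can be run as-is. It parses Apache common-log lines, keeps only entries inside the window, and flags an IP on any of three counts: total requests in the window, requests within a single second (the "ten times a second" CGI hammering Jeremy describes), or POSTs to one path (the stuffed search/forum form). The thresholds, the 192.0.2/198.51.100/203.0.113 addresses and the sample log are all constructed assumptions; the route command is only emitted as text for an operator to review, never executed.

```python
import re
import sys
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache common/combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed "now" matching the thread's date; a real run would use datetime.now(timezone.utc).
SAMPLE_NOW = datetime(2001, 6, 8, 1, 50, tzinfo=timezone.utc)


def parse_line(line):
    """Return (ip, timestamp, method, path) for one access_log line, or None if it doesn't match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("method"), m.group("path")


def find_abusers(lines, now, window=timedelta(minutes=20),
                 max_requests=300, max_per_second=8, max_posts_per_path=60):
    """Map flagged ip -> reason. Thresholds are assumed values; tune them to the site's normal traffic."""
    cutoff = now - window
    per_ip = Counter()                     # total hits per IP inside the window
    per_ip_second = Counter()              # hits per (IP, second): catches bursts from a quiet IP
    per_ip_post_path = defaultdict(Counter)  # POSTs per path per IP: catches form stuffing
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path = rec
        if ts < cutoff or ts > now:
            continue  # outside the window: an old flood must not trigger a block today
        per_ip[ip] += 1
        per_ip_second[(ip, ts)] += 1
        if method == "POST":
            per_ip_post_path[ip][path] += 1

    flagged = {}
    for ip, n in per_ip.items():
        if n > max_requests:
            flagged[ip] = f"{n} requests in the last {window}"
    for (ip, ts), n in per_ip_second.items():
        if n > max_per_second and ip not in flagged:
            flagged[ip] = f"{n} requests in one second at {ts.strftime(TS_FMT)}"
    for ip, paths in per_ip_post_path.items():
        for path, n in paths.items():
            if n > max_posts_per_path and ip not in flagged:
                flagged[ip] = f"{n} POSTs to {path} in the last {window}"
    return flagged


def route_drop_commands(flagged):
    """Linux net-tools form of 'drop the route to that IP'; returned as text for review, not run."""
    return [f"route add -host {ip} reject" for ip in sorted(flagged)]


def make_sample_log(now):
    """Constructed sample traffic (not real log data): a normal visitor, a search-form flooder,
    a one-second CGI burst, and an hour-old flood that lies outside the window."""
    def entry(ip, t, method, path, status=200):
        return f'{ip} - - [{t.strftime(TS_FMT)}] "{method} {path} HTTP/1.0" {status} 1234'

    lines = []
    for i in range(30):   # normal visitor: one page every 40 s
        lines.append(entry("192.0.2.10", now - timedelta(seconds=40 * i), "GET", f"/forum/thread/{i}"))
    for i in range(600):  # flooder: a search POST every 2 s for the whole window
        lines.append(entry("203.0.113.7", now - timedelta(seconds=2 * i), "POST", "/search.cgi"))
    for _ in range(10):   # burst: 10 calls to a CGI in the same second, otherwise quiet
        lines.append(entry("198.51.100.3", now - timedelta(minutes=5), "GET", "/cgi-bin/generic.cgi"))
    for i in range(500):  # stale flood from an hour ago: must be ignored
        lines.append(entry("198.51.100.9", now - timedelta(hours=1, seconds=i), "GET", "/"))
    return lines


if __name__ == "__main__":
    if len(sys.argv) > 1:   # e.g. python abuse_scan.py /var/log/apache/access_log
        with open(sys.argv[1]) as fh:
            lines, now = fh.read().splitlines(), datetime.now(timezone.utc)
    else:
        lines, now = make_sample_log(SAMPLE_NOW), SAMPLE_NOW
    hits = find_abusers(lines, now)
    for ip, why in sorted(hits.items()):
        print(f"{ip}: {why}")
    for cmd in route_drop_commands(hits):
        print("#", cmd)
```

Run without arguments it scores the constructed sample and flags only the flooder and the burst caller; the normal visitor and the hour-old flood stay clean. The per-second counter is what the Throttle-module idea in the original post is after: it trips on a burst long before the IP's 20-minute total looks unusual. Wiring this to cron or a monitoring script, with the printed commands reviewed before they are applied, is the "auto-triggered" step the message describes.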