Hi all,

Just thought I would add my two cents...I run an online gaming site
and the end users often decide to mess with our systems.  We service
a pretty juvenile crowd in some regards.  So there definitely is a
need for better protection from floods.

I've had one user in particular who has been attacking our site
regularly for the past year and a half.  He'll set up a couple
machines with scripts to call forum posting scripts with random
information passed into them.  He'll call a generic CGI script
ten times a second because he can tell it slows down the server.
He'll bombard the servers with huge UDP packets.  He bulk E-mails
viruses and zombies to our users....It's insane.

In short, this is a big issue for sites that get a decent amount of
traffic.  Better flood protection is always a good thing.

We've got a great Cisco firewall that stops a lot of these kinds
of things, but this fellow discovered open proxies and has been
a pain ever since.  He has a script that bombards us using a
different proxy every five seconds.  (There are lists out there
updated in real-time with hundreds of open proxies thanks to
the "privacy advocates" on the Net.)

By the way, the guy is in Spain so the government can't/won't do
anything.  We've blocked half the providers in Spain as a result
of him getting a new IP when he has been stupid enough to use
a real IP.

So I would suggest that rate limiting based on IP address is a
start, but it isn't the end all.  You've got to have a big bag
of tricks.  Don't just look for one solution.

Jeremy

-----Original Message-----
From: Martin Redington [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 07, 2001 6:08 PM
To: [EMAIL PROTECTED]
Cc: Justin
Subject: Re: IP based instant throttle?



Do you get flooded that frequently that this is an issue?

I've seen DOS, and various buffer overflows etc. in the real world, but 
I've never seen this.

Unless it's happening very often, I would have thought that some 
monitoring and a 2am "Deny from ip" in your httpd.conf would be 
enough ...


On Friday, June 8, 2001, at 01:50  am, Justin wrote:

> Does anyone see the value in a Throttle module that looked at
> the apache parent status block and rejected any request where
> another child was already busy servicing *that same IP* ?
> (note: the real IP is in the header in a backend setup so it
>  is not possible to dig it out across children without
>  creating another bit of shared memory or using the filesystem?).
>
> I'm still finding existing throttle modules do not pick up and
> block parallel or fast request streams fast enough .. ok there are
> no massive outages but 10 seconds of delay for everyone because
> all demons are busy servicing the same guy before we can conclude
> we're being flooded is not really great.. modperl driven forums
> (or PHP ones even) can be killed this way since there are so
> many links on one page, all active..
>
> thanks for any thoughts on this.
>
> -Justin
>
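
The check proposed in the quoted message (refuse a request while another worker is already busy with the same IP), sketched as an added example that is not code from anyone in this thread or from any existing Apache module. Assumptions: the front end passes the real address in `X-Forwarded-For`, the front-end address `10.0.0.5` is constructed, and an in-process dict guarded by a lock stands in for the shared memory the message says the children would need.

```python
import ipaddress
import threading
# Constructed address of the front-end proxy; only it may vouch for a client IP.
TRUSTED_FRONTENDS = {ipaddress.ip_address("10.0.0.5")}

def client_ip(peer, headers):
    """Return the address to throttle on for this request."""
    peer_ip = ipaddress.ip_address(peer)
    if peer_ip in TRUSTED_FRONTENDS:
        # Use the right-most entry: the one our own front end appended.
        last = headers.get("X-Forwarded-For", "").split(",")[-1].strip()
        try:
            return str(ipaddress.ip_address(last))
        except ValueError:
            pass  # missing or malformed header: fall back to the peer
    return str(peer_ip)

class InFlightGate:
    """Counts requests currently being serviced per client IP."""
    def __init__(self, max_per_ip=1):
        self.max_per_ip = max_per_ip
        self._lock = threading.Lock()
        self._busy = {}

    def try_enter(self, ip):
        with self._lock:
            n = self._busy.get(ip, 0)
            if n >= self.max_per_ip:
                return False
            self._busy[ip] = n + 1
            return True

    def leave(self, ip):
        with self._lock:
            n = self._busy.get(ip, 0) - 1
            if n > 0:
                self._busy[ip] = n
            else:
                self._busy.pop(ip, None)  # keep the table from growing

def handle(gate, peer, headers, work):
    ip = client_ip(peer, headers)
    if not gate.try_enter(ip):
        return 503  # another worker is already servicing this IP
    try:
        work()
        return 200
    finally:
        gate.leave(ip)  # always release, even if the handler raises
```

Keyed on IP alone, this does nothing against the rotating open proxies described at the top of the thread, and it also throttles legitimate users who share one NAT or proxy address.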
