Hi,
I've had a quick look in the archives, but haven't seen anything that
addresses my question.
I've got a web site behind a pound proxy that's subject to the occasional
DOS attack. I'm looking for a means of limiting the effect of these attacks.
I've got various linux iptables rules applied on the pound server that,
amongst other things limit the number of concurrent connections from any
given source IP address (the iptables connlimit module). These have proved
very effective. What I'm unable to do is control traffic based on the
rate at which requests are issued on a given connection.
Unless I'm missing something, pound doesn't seem to have this
functionality (I'm using 2.4.3 from Debian Lenny).
If that's the case, then here's my wishlist:
o limit requests on a given connection to X/interval. When this is
exceeded the connection should either:
(a) be dropped and a syslog message logged (this would allow
me to catch the log entry and update iptables to blackhole
the source) or
(b) be throttled to Y requests per interval, or delayed by sleeping
for Z seconds between requests. I think this would be a more
effective means of tackling the problem.
o Enforce a maximum session lifetime. Pound doesn't seem to take any
notice of the KeepAlive timers returned by the downstream web servers
(running apache). The ability to limit a particular incoming
connection to N seconds or R requests would force a higher turnover
of connections which would enable the iptables rules I've got in place
to more easily spot abusers.
Does this look feasible? I'd offer to write this up myself, but it's been
a long time since I did any significant coding.
-Ronan
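For concreteness, here is a small model of the two wishlist items above (per-connection request rate limit with drop-and-log or throttle, plus a maximum session lifetime in seconds or requests). It is an added example, not Pound's code; the class name, the `on_request` hook and the injectable `clock`/`sleep` callables are assumptions so the logic can be exercised offline.

```python
import time


class ConnectionLimiter:
    """Hypothetical per-connection request limiter (not part of Pound).

    Policy, as described in the wishlist:
      * at most `max_per_interval` requests per `interval` seconds on one
        connection; on excess the connection is dropped and a syslog-style
        line recorded (mode="drop"), or the request is delayed by `delay`
        seconds before being served (mode="throttle");
      * a connection is closed once it has lived `max_lifetime` seconds or
        served `max_requests` requests, forcing connection turnover so
        per-source-IP rules (e.g. iptables connlimit) see abusers sooner.
    `clock` and `sleep` are injectable so behaviour can be tested offline.
    """

    def __init__(self, max_per_interval=20, interval=1.0, mode="drop",
                 delay=0.5, max_lifetime=30.0, max_requests=100,
                 clock=time.monotonic, sleep=time.sleep):
        self.max_per_interval, self.interval = max_per_interval, interval
        self.mode, self.delay = mode, delay
        self.max_lifetime, self.max_requests = max_lifetime, max_requests
        self.clock, self.sleep = clock, sleep
        # conn_id -> [opened_at, window_start, window_count, total_requests]
        self.conns = {}
        self.log = []  # stands in for syslog: one line per drop/close event

    def on_request(self, conn_id, src_ip):
        """Called once per HTTP request; returns "allow", "throttle" or "drop"."""
        now = self.clock()
        st = self.conns.setdefault(conn_id, [now, now, 0, 0])
        opened_at, window_start, count, total = st
        # Session lifetime limits: close the connection, client must reconnect.
        if now - opened_at >= self.max_lifetime or total >= self.max_requests:
            self.log.append(f"close conn={conn_id} src={src_ip} reason=lifetime")
            del self.conns[conn_id]
            return "drop"
        # Start a fresh counting window once the previous one has expired.
        if now - window_start >= self.interval:
            window_start, count = now, 0
        count, total = count + 1, total + 1
        st[:] = [opened_at, window_start, count, total]
        if count <= self.max_per_interval:
            return "allow"
        if self.mode == "drop":
            self.log.append(f"drop conn={conn_id} src={src_ip} "
                            f"reason=rate count={count} interval={self.interval}s")
            del self.conns[conn_id]
            return "drop"
        self.sleep(self.delay)  # throttle: hold the request before serving it
        return "throttle"
```

The logged lines are what a log watcher would match on to update iptables, as option (a) describes.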