After dealing with a DDoS today on a site (non-Pylons, but the issue is still the same), it became very evident that there are very few hooks in Apache that allow you to drop a connection where it needs to be dropped. mod_security/mod_evasive don't hook Apache early enough in the request phase to actually do what is needed.
While fail2ban will work IF you can identify the traffic, it does require the request to hit the logs. The problem with this attack was that the requests never hit the logs, but Apache was dispatching to the child waiting for the request to complete. I guess I could have run mod_forensic to see what the connections were, but it wasn't compiled for this machine's architecture. iptables --recent support would have worked, but the server was much too busy for that to work. In the end, I had to move over to nginx and use their limit_conn rule to prevent the attacks from overloading the machine. While I generally loathe throttling to control a DDoS, it did seem to handle it. Any load balancer may have prevented the traffic from hitting the origin server. Using Varnish probably would have worked, but would have required backend changes due to the IP address always showing the Varnish server's IP. mod_rpaf would allow that to be remedied, but Varnish changes things in mysterious ways at times.
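An nginx configuration of the kind described in the post above (a limit_conn cap per client address, plus the real-IP handling needed when a proxy such as Varnish sits in front, which is what the mod_rpaf remark is about), added here as an example and not taken from the poster's setup. The zone names, limits, timeouts, upstream address and the 10.0.0.0/8 proxy range are assumed placeholders.

```nginx
# Added example, not the poster's configuration. All values are assumed placeholders.
http {
    # Key the zone on the packed client address: a few dozen bytes per entry,
    # so a 10 MB zone tracks well over 100k distinct clients.
    limit_conn_zone $binary_remote_addr zone=perip:10m;

    # A connection cap alone does nothing against a flood of short, fast
    # requests, so cap the request rate per client as well.
    limit_req_zone $binary_remote_addr zone=perip_req:10m rate=10r/s;

    server {
        listen 80;

        # Requests that never complete (the case in the post, where a worker sat
        # waiting for the request to finish) are cut off instead of holding a slot.
        client_header_timeout 10s;
        client_body_timeout   10s;

        # If a cache or load balancer (Varnish, etc.) sits in front, every client
        # would otherwise share the proxy's address and one limit. Trust the
        # forwarded address only when the connection comes from the proxy's range.
        set_real_ip_from  10.0.0.0/8;    # assumed proxy range
        real_ip_header    X-Forwarded-For;
        real_ip_recursive on;

        # At most 10 simultaneous connections per client address. Excess
        # connections get a 429 and are logged, which also gives fail2ban
        # something to match on.
        limit_conn           perip 10;
        limit_conn_status    429;
        limit_conn_log_level warn;

        limit_req        zone=perip_req burst=20 nodelay;
        limit_req_status 429;

        location / {
            proxy_pass http://127.0.0.1:8080;   # assumed upstream application
        }
    }
}
```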
