Sounds like you were hit by Slowloris (http://ha.ckers.org/slowloris/). AFAIK there is no way to defend against it with Apache, other than using some external service or a reverse proxy that is not vulnerable to it. Perhaps this might help: http://www.funtoo.org/en/security/slowloris/

Also, it was not necessarily distributed, since the nature of the attack could allow a single machine to be used to attack. What do your logs say, how many IPs were involved?

Vlad

On 04/26/10 05:36, cd34 wrote:
> After dealing with a DDOS today on a site (non-pylons, but the issue
> is still the same), it became very evident that there are very few
> hooks in apache that allow you to drop a connection where it needs to
> be dropped. mod_security/mod_evasive don't hook apache early enough
> in the request phase to actually do what is needed.
>
> While fail2ban will work, IF you can identify the traffic, it does
> require the request to hit the logs. The problem with this attack was
> that the requests never hit the logs, but, apache was dispatching to
> the child waiting for the request to complete. I guess I could have
> run mod_forensic to see what the connections were, but, it wasn't
> compiled for this machine's architecture.
>
> iptables --recent support would have worked, but, the server was much
> too busy for that to work. In the end, I had to move over to nginx
> and use their limit_conn rule to prevent the attacks from overloading
> the machine. While I generally loathe throttling to control a DDOS,
> it did seem to handle it. Any load balancer may have prevented the
> traffic from hitting the origin server. Using varnish probably would
> have worked, but, would have required backend changes due to the IP
> address always showing the varnish server's IP. mod_rpaf would allow
> that to be remedied, but, Varnish changes things in mysterious ways at
> times.
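
An added example, not part of the original messages: because the stalled requests never reached the access log, the number of source IPs involved can be read from the socket table instead. This sketch counts established connections per peer from `ss -tn`-style output; the sample lines, the addresses and the limit of 5 are constructed for illustration.

```python
from collections import Counter

# Constructed sample in the column layout of `ss -tn` (documentation addresses).
SAMPLE_SS_OUTPUT = "\n".join(
    ["State Recv-Q Send-Q Local Address:Port Peer Address:Port"]
    + [f"ESTAB 0 0 192.0.2.10:80 198.51.100.7:{51000 + i}" for i in range(6)]
    + [
        "ESTAB 0 0 192.0.2.10:80 203.0.113.20:40112",
        "ESTAB 0 0 [2001:db8::10]:443 [2001:db8::beef]:50222",
        "ESTAB 0 0 192.0.2.10:22 203.0.113.20:40200",      # not a web port
        "TIME-WAIT 0 0 192.0.2.10:80 203.0.113.99:41000",  # not established
    ]
)


def split_endpoint(endpoint):
    """Split 'addr:port' (IPv4 or bracketed IPv6) into (addr, port)."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), port


def connections_per_peer(ss_output, ports=("80", "443")):
    """Count ESTAB connections to the given local ports, keyed by peer address."""
    counts = Counter()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue  # header, blank line, or a non-established state
        _, local_port = split_endpoint(fields[3])
        peer_addr, _ = split_endpoint(fields[4])
        if local_port in ports:
            counts[peer_addr] += 1
    return counts


def over_limit(counts, limit):
    """Peers holding more than `limit` concurrent connections, busiest first."""
    offenders = [ip for ip, n in counts.items() if n > limit]
    return sorted(offenders, key=lambda ip: -counts[ip])


if __name__ == "__main__":
    counts = connections_per_peer(SAMPLE_SS_OUTPUT)
    print(f"{len(counts)} distinct peers on web ports")
    for ip in over_limit(counts, limit=5):
        print(f"{ip} holds {counts[ip]} connections")
```
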
