Kanstantin Reznichak wrote:
Hello,
Thank you for the reply. Unfortunately, mod-limitipconn seems to act too late.
After installing and enabling it:
<Location />
MaxConnPerIP 15
</Location>
Netstat shows:
# netstat -atn
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 (MY-SERVER-IP):80 (ATTACKER-IP):3930 SYN_RECV
tcp 0 0 (MY-SERVER-IP):80 (ATTACKER-IP):3316 SYN_RECV
tcp 0 0 (MY-SERVER-IP):80 (ATTACKER-IP):4147 SYN_RECV
tcp 0 0 (MY-SERVER-IP):80 (ATTACKER-IP):3854 SYN_RECV
...
If I'm reading the netstat results correctly, it looks like the
connections are still in the very early stages of initialization (maybe
they haven't even reached apache yet). It resembles a synflood attack, I
believe, but I could be wrong. If that truly is the case, that sort of
thing is handled by the firewall.
I personally have not had any problems with mod_limitipconn properly
restricting the number of connections from a single IP address. Keep in
mind that it is context specific too (i.e. if the directive is defined
inside a VirtualHost, it only applies to that VirtualHost). Perhaps it's
just not being applied to the context where you think it should be
applied. Do the entries show up in your apache log at all?
Now that I think about it a little more, are you using your test script
to check this? The test script didn't actually send any HTTP commands,
did it? If not, then that is probably the problem. I think
mod_limitipconn won't actually kick in until you try to make the
request. It will then return a 503 error to the browser (indicating the
service is unavailable).
--
Justin Pasher
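A quick way to check the point made above, as an added example that is not from either poster: the SYN_RECV entries are half-open connections sitting in the kernel's handshake queue, so no HTTP request exists yet and an Apache module such as mod_limitipconn has nothing to count; only ESTABLISHED connections have reached httpd. The script below splits "netstat -atn" output per remote IP and TCP state so the two populations can be told apart. The netstat sample is constructed (documentation addresses) and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original thread. Classifies the connections in
# "netstat -atn" output per remote IP and TCP state, so a pile-up of half-open
# (SYN_RECV) connections held by the kernel can be told apart from
# ESTABLISHED connections that have reached Apache.

# Constructed sample of "netstat -atn" output (documentation address ranges,
# not real hosts). Only lines whose local port matches are counted.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           203.0.113.5:3930        SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:3316        SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:4147        SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:3854        SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:51022      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51023      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51024      TIME_WAIT'

# count_by_ip_state: reads netstat -atn output on stdin and prints
# "<remote ip> <state> <count>" for every TCP line whose local port is $1
# (default 80), ignoring the LISTEN socket itself.
count_by_ip_state() {
    port="${1:-80}"
    awk -v port="$port" '
        $1 == "tcp" && $6 != "LISTEN" {
            n = split($4, l, ":")
            if (l[n] != port) next
            m = split($5, r, ":")
            # drop the remote port: everything before the last ":" is the address
            ip = substr($5, 1, length($5) - length(r[m]) - 1)
            c[ip " " $6]++
        }
        END { for (k in c) print k, c[k] }
    ' | sort
}

# syn_recv_suspects: prints remote IPs holding at least $1 half-open (SYN_RECV)
# connections to local port $2. These never completed the three-way handshake,
# so no request has reached httpd; this is the layer where SYN cookies or a
# firewall rule apply, not an Apache module.
syn_recv_suspects() {
    threshold="$1"
    port="${2:-80}"
    count_by_ip_state "$port" | awk -v t="$threshold" '$2 == "SYN_RECV" && $3 >= t { print $1 }'
}

# established_per_ip: prints "<remote ip> <count>" for ESTABLISHED connections
# only; this is the population a per-IP limit inside Apache can act on.
established_per_ip() {
    count_by_ip_state "${1:-80}" | awk '$2 == "ESTABLISHED" { print $1, $3 }'
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_NETSTAT" | count_by_ip_state 80
printf '%s\n' "$SAMPLE_NETSTAT" | syn_recv_suspects 3 80
```

On a live host the same functions read the real table (netstat -atn | syn_recv_suspects 10). If the suspects list is non-empty while established_per_ip shows little or nothing from those addresses, the problem is a handshake-level flood: enabling net.ipv4.tcp_syncookies and rate-limiting SYN packets per source at the firewall are the controls that apply, whereas MaxConnPerIP only ever sees requests that have completed the handshake and been read by httpd.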
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [email protected]
" from the digest: [email protected]
For additional commands, e-mail: [email protected]