Yes, that's it. My current experience with Linux iptables was not enough to
define reliable rules against SYN flooding. All my other servers are either
OpenBSD itself or located behind OpenBSD's PF which provides effective
flooding protection.

The problem was solved by adding appropriate rules to iptables based on
the following tutorial: http://www.debian-administration.org/articles/187

I have also followed your advice and increased Apache connection limits.

Thank you!

-----Original Message-----
From: Sean Conner [mailto:[email protected]] 
Sent: Tuesday, 14 April 2009 22:14
To: [email protected]
Subject: Re: [us...@httpd] Connection flood: how to protect?

It was thus said that the Great Kanstantin Reznichak once stated:
> Hello,
> 
> Thank you for the reply. Unfortunately, mod-limitipconn seems to act too late.
> After installing and enabling it:
> <Location />
>   MaxConnPerIP 15
> </Location>
> 
> Netstat shows:
> # netstat -atn
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State
> tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
> tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):3930      SYN_RECV
> tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):3316      SYN_RECV
> tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):4147      SYN_RECV
> tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):3854      SYN_RECV
> tcp        0      0 (MY-SERVER-IP):80       (ATTACKER-IP):1500      SYN_RECV

  That's a SYN flood, and I've been on the receiving end of those, and I've
written about what I did to reduce the problem under Linux.

        http://boston.conman.org/2005/08/11.2 (summary of the link below)
        http://boston.conman.org/2004/01/04.2

  Hopefully, some of that is helpful to you.

  -spc
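
One way to summarise `netstat -atn` output like the listing quoted above, as an added example that is not part of the original thread: it counts half-open (SYN_RECV) connections per remote address and reports the sources at or above a threshold. The function names, the sample addresses (documentation ranges) and the default threshold of 5 are assumptions made for this example.

```shell
#!/bin/sh
# Added example: count half-open (SYN_RECV) connections per remote address
# from `netstat -atn` output read on stdin.

# Usage: netstat -atn | syn_recv_by_source [threshold]
# Prints "count address" for every source at or above the threshold,
# busiest first. The default threshold of 5 is an assumption; tune it.
syn_recv_by_source() {
    threshold="${1:-5}"
    awk -v min="$threshold" '
        # Data rows: proto, recv-q, send-q, local, foreign, state.
        # Header lines and LISTEN/ESTABLISHED rows are skipped.
        $1 ~ /^tcp/ && $6 == "SYN_RECV" {
            addr = $5
            sub(/:[0-9]+$/, "", addr)   # drop the source port, keep the IP
            count[addr]++
        }
        END {
            for (a in count)
                if (count[a] >= min)
                    printf "%d %s\n", count[a], a
        }
    ' | sort -rn
}

# Constructed sample in the same layout as the listing in the thread.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:3930       SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:3316       SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:4147       SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:3854       SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:1500       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:51234       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:51240       ESTABLISHED
EOF
}

# Stand-alone run on the constructed sample.
sample_netstat | syn_recv_by_source 5
```

A single SYN_RECV entry per client is normal during a handshake; many entries from one address that never reach ESTABLISHED are what the listing in the thread shows.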


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [email protected]
   "   from the digest: [email protected]
For additional commands, e-mail: [email protected]
