Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Apache Module For Fending Off DoS Attacks

Posted by Hemos on from the beath-them-down dept.

Network Dweebs Corporation writes "A new Apache DoS mod, called mod_dosevasive (short for dos evasive maneuvers) is now available for Apache 1.3. This new module gives Apache the ability to deny (403) web page retrieval from clients requesting more than one or two pages per second, and helps protect bandwidth and system resources in the event of a single-system or distributed request-based DoS attack. This freely distributable, open-source mod can be found at http://www.networkdweebs.com/stuff/security.html"

6 of 62 comments (clear)

  1. The "why" behind this.. by GigsVT · · Score: 5, Informative

    On the securityfocus incidents list, there was a guy that ran a little web site that was being DoSed by a competitor in a strange way. The much higher traffic competitor had a bunch of 1 pixel by 1 pixel frames and each one loaded a copy of the little guy's site. The effect was he was using his own users to DoS his competition.

    People suggessted a javascript popup telling them the truth about what was going on, or an HTTP redirect to a very large file on the big guy's site, but Jonathan A. Zdziarski at the site linked above decided to write this patch as an ad-hoc solution.

    I'd be very careful with this patch in production, as it is ad-hoc and not tested very much at all.

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
  2. Re:Bandwidth still being used by Anonymous Coward · · Score: 2, Informative

    The website says: "Obviously, this module will not fend off attacks consuming all available bandwidth or more resources than are available to send 403's, but is very successful in typical flood attacks or cgi flood attacks."

    This tool wasn't designed as an end-all be-all solution, it was designed as a starting point for cutting off extraneous requests (so you don't have a few thousand CGIs running on your server, or a few thousand page sends) and to provide a means of detection. You could easily take this code and have it talk to your firewalls to shut down the ip addresses that are being blacklisted. If you don't have decentralized content or at the very least a distributed design, you're going to be DoS'd regardless, but this tool can at least make it take more power to do it.

  3. Re:A possible problem? by Anonymous Coward · · Score: 1, Informative

    It's not based on the # of requests it's based on the # of requests to the same URI. It'll only blacklist you if you request the same file more than twice per second. Once you're blacklisted you can't retrieve ANY files for 10 seconds (or longer if you keep trying to retrieve files) but the only way you're going to get on the blacklist would be if all those frames were for the same page or script.

  4. Misunderstanding about Module by NetworkDweebs · · Score: 5, Informative

    Hi there,

    Just wanted to clear up a bit of misunderstanding about this module. First off, please forgive me for screwing up the story submission. What it *should* have said was "...This new module gives Apache the ability to deny (403) web page retrieval from clients requesting THE SAME FILES more than once or twice per second...". That's the way this tool works; if you request the same file more than once or twice per second, it adds you to a blacklist which prevents you from getting any web pages for 10 seconds; if you try and request more pages, it adds to that 10 seconds.

    Second, I'd like to address the idea that we designed this as the "ultimate solution to DoSes". This tool should help in the event of your average DoS attack, however to be successful in heavy distributed attacks, you'll need to have an infrastructure capable of handling such an attack. A web server can only handle so many 403's before it'll stop servicing valid requests (but the # of 403's it can handle as opposed to web page or script retrievals is greater). It's our hope that anyone serious enough about circumventing a DoS attack will also have a distributed model and decentralized content, along with a network built for resisting DoS attacks.

    This tool is not only useful for providing some initial frontline defense, but can (should) also be adapted to talk directly to a company's border routers or firewalls so that the blacklisted IPs can be handled before any more requests get to the server; e.g. it's a great detection tool for web-based DoS attacks.

    Anyhow, please enjoy the tool, and I'd be very interested in hearing what kind of private adaptations people have made to it to talk to other requipment on the network.

    1. Re:Misunderstanding about Module by NetworkDweebs · · Score: 3, Informative

      Funny you should mention that. We released version 1.3 on the site that now has a separate threshhold for total hits per child per second. The default is 50 objects per child per second. Even if you have a large site and a fast client connection, a browser is going to open up four or more concurrent connections splitting the total number of objects up. Nevertheless if 50 is still too low you can always adjust it.

  5. Re:But thats not the real problem right? by NetworkDweebs · · Score: 2, Informative

    There are many different types of DoS attacks, and the kind you're describing have other methods of circumvention. The type of DoS this module was designed to fight/detect was a request-based attack where a website was flooded with requests to increase bandwidth and system load.