New Apache Module For Fending Off DoS Attacks

← Back to Stories (view on slashdot.org)

New Apache Module For Fending Off DoS Attacks

Posted by Hemos on Wednesday October 30, 2002 @12:36AM from the beath-them-down dept.

Network Dweebs Corporation writes "A new Apache DoS mod, called mod_dosevasive (short for dos evasive maneuvers) is now available for Apache 1.3. This new module gives Apache the ability to deny (403) web page retrieval from clients requesting more than one or two pages per second, and helps protect bandwidth and system resources in the event of a single-system or distributed request-based DoS attack. This freely distributable, open-source mod can be found at http://www.networkdweebs.com/stuff/security.html"

8 of 62 comments (clear)

Min score:

Reason:

Sort:

Bandwidth still being used by Green+Light · 2002-10-30 01:02 · Score: 2, Insightful

Handling all of those requests still takes processing time and bandwidth. What is needed is some type of hardware "filter" out front that can recognize a DoS attack and throw packets away.

--
"Send an Instant Karma to me" - Yes
1. Re:Bandwidth still being used by Gadzinka · 2002-10-30 01:27 · Score: 2, Insightful
  
  Problem is, that this aproach doesn't solve any problems, creates new ones and is a great DoS tool in itself.
  
  This is the same problem as with all filters automagically cutting off all requests from given ip/netblock after spotting some abuse.
  
  Think big LAN behind masquerading firewall, or caching proxy for large organization, where one person using it can block access to the site using this automatic defenses.
  
  Funny thing is that this broken-by-design solution is known for years, its flaws are known for years, and yet we see every once in a while another tool using this scheme.
  
  Robert
  
  --
  Bastard Operator From 193.219.28.162
2. Re:Bandwidth still being used by Gadzinka · 2002-10-30 01:39 · Score: 2, Insightful
  (yeah,
  
  write
  
  preview
  
  post
  
  think
  
  reply to you own post
  
  ;)
  
  Think big LAN behind masquerading firewall, or caching proxy for large organization, where one person using it can block access to the site using this automatic defenses.
  
  Or think impostor sending requests with forged source IP.
  
  What? TCP sequence numbers? Impossible to impersonate TCP session?
  
  Think again.
  
  Robert
  --
  Bastard Operator From 193.219.28.162
How clever is it? by cilix · 2002-10-30 01:23 · Score: 2, Insightful

Does anyone know how clever it is? There are several things that I suppose
you could do to make sure that this doesn't get in the way of normal browsing, but still catches DOS attacks. What sort of things does this module include to work intelligently? How tunable is it?

One thing that jumps to mind is that you could have some kind of ratio between images and html which has to be adhered to for any x second period. This would hopefully mean that going to webpages with lots of images (which are all requested really quickly) wouldn't cause any problems. Also, more than one request can be made in a single http session (I think - I don't really know anything about this) so I guess you could make use of that to assess whether the traffic fitted the normal profile of a websurfer for that particular site.

Also, is there anything you can do to ensure that several people behind a NATing firewall all surfing to the same site don't trip the anti-DOS features?

Just thinking while I type really...
1. Re:How clever is it? by The+Whinger · 2002-10-30 02:33 · Score: 4, Insightful
  
  "Also, is there anything you can do to ensure that several people behind a NATing firewall all surfing to the same site don't trip the anti-DOS features?"
  
  Whilst not totally impossible ... the chances of this are SMALL. Same URI same minute ... possible, same URI same second ... rare I guess ...
Too slow/too fast. by perlyking · 2002-10-30 02:04 · Score: 3, Insightful

"This new module gives Apache the ability to deny (403) web page retrieval from clients requesting more than one or two pages per second."

I can easily request a couple of pages a second, if i'm spawning off links to read in the background. On the other hand wouldnt an automated attack be requesting much faster than 2 per second?

--
no sig.
Re:The "why" behind this.. by HiredMan · 2002-10-30 09:54 · Score: 3, Insightful

One wonders why he didn't just use some javascript to break out of the frame jail, and then explain that users had been redirected to foo because bar was loading foo's pages?

Or break out and redirect to a goatse-esque page or something similar... Since they're viewing his competitor's site it would appear to be his content right?

=tkk

--
Bill Gates - Creationist?!?
Re:A possible problem? by spacefight · 2002-10-31 21:22 · Score: 2, Insightful

if all those frames were for the same page or script.
Some silly designers uses to have multiple frames of a blank frame, eg blank.html. These all would be busted. I do not think that you should use this new module in production, do you?