Tom Haines on 19 Sep 2012 05:29:15 -0700
[PLUG] Simple protection against DOS attack
- From: Tom Haines <firstname.lastname@example.org>
- To: "Philadelphia Linux User's Group Discussion List" <email@example.com>
- Subject: [PLUG] Simple protection against DOS attack
- Date: Wed, 19 Sep 2012 08:28:57 -0400
- Reply-to: Philadelphia Linux User's Group Discussion List <firstname.lastname@example.org>
- Sender: email@example.com
I had a situation yesterday where a student flooded our Moodle cluster with enough requests in a short enough period of time to bring the service to its knees for about four minutes. Looking back at the logs, I see that it was the same page request over and over again. I'd like to put something lightweight in place to protect against these sorts of attacks. We don't need the protection against a sophisticated DDOS attack, but just something to protect against simple attacks like this.
The cluster setup consists of two Cent 5 boxes (using heartbeat for HA) running ldirectord to balance requests back to 6 Ubuntu boxes running lighttpd/php5-fpm to serve out the Moodle PHP pages. The load balancers are very underutilized, and I'd like to put software upstream of ldirectord on those servers to protect against DOS.
My first thought was Apache running mod_security and then proxying the requests to ldirectord, but this would require a lot of overhead. Also running mod_security on the individual nodes isn't really an option because they run lighttpd instead of Apache.
Any thoughts on this?
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
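
The pattern described in the message above (one client sending the same page request over and over in a short period) can be picked out of a web access log with a per-client sliding-window count. This is an added example, not part of the original post: the log layout (client address first, bracketed timestamp, quoted request line), the window and threshold values, the function names and every sample line are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed layout: client, two more fields, [timestamp], "request line", status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def find_repeat_floods(lines, window_s=10, threshold=20):
    """Return {(client, request): peak_count} for each client that sent the
    same request line at least `threshold` times within `window_s` seconds.
    Lines are expected in the order the server wrote them."""
    recent = defaultdict(deque)   # (client, request) -> timestamps in window
    peaks = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # skip lines that do not match the layout
        client, ts, request, _status = m.groups()
        try:
            when = datetime.strptime(ts, TS_FORMAT).timestamp()
        except ValueError:
            continue              # skip lines with an unparseable timestamp
        key = (client, request)
        q = recent[key]
        q.append(when)
        while when - q[0] >= window_s:   # drop hits that left the window
            q.popleft()
        if len(q) >= threshold:
            peaks[key] = max(peaks.get(key, 0), len(q))
    return peaks

def sample_log():
    """Constructed sample: one client repeating one page, one browsing normally."""
    fmt = ('{ip} moodle.example.org - [19/Sep/2012:08:00:{s:02d} -0400] '
           '"GET {path} HTTP/1.1" 200 5120')
    lines = []
    for i in range(120):   # 192.0.2.10: same page, 4 requests/second for 30 s
        lines.append(fmt.format(ip="192.0.2.10", s=i // 4,
                                path="/course/view.php?id=42"))
    for i in range(30):    # 198.51.100.7: one request every 2 s, five pages
        lines.append(fmt.format(ip="198.51.100.7", s=2 * i,
                                path="/course/view.php?id=%d" % (i % 5)))
    return lines

if __name__ == "__main__":
    for (client, request), peak in find_repeat_floods(sample_log()).items():
        print("%s sent %r %d times within 10 s" % (client, request, peak))
```

Keying on the client and the exact request line keeps a busy but ordinary user, who spreads requests over many pages, below the threshold.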