Matt Mossholder on 19 Sep 2012 05:47:32 -0700



Re: [PLUG] Simple protection against DOS attack


On Wed, Sep 19, 2012 at 8:28 AM, Tom Haines <hainest@gmail.com> wrote:
I had a situation yesterday where a student flooded our Moodle cluster with enough requests in a short enough period of time to bring the service to its knees for about four minutes. Looking back at the logs, I see that it was the same page request over and over again. I'd like to put something lightweight in place to protect against these sorts of attacks. We don't need the protection against a sophisticated DDOS attack, but just something to protect against simple attacks like this.

The cluster setup consists of two Cent 5 boxes (using heartbeat for HA) running ldirectord to balance requests back to 6 Ubuntu boxes running lighttpd/php5-fpm to serve out the Moodle PHP pages. The load balancers are very underutilized, and I'd like to put software upstream of ldirectord on those servers to protect against DOS.

My first thought was Apache running mod_security and then proxying the requests to ldirectord, but this would require a lot of overhead. Also running mod_security on the individual nodes isn't really an option because they run lighttpd instead of Apache.

Any thoughts on this?

You could try mod_evasive, instead of mod_security... http://www.zdziarski.com/blog/?page_id=442

You could also use iptables:

IPT=/sbin/iptables
# Time window, in seconds, over which new connections from one IP are counted
SECONDS=100
# New connections allowed from one IP inside that window before it is blocked
BLOCKCOUNT=10
# ....
# ..
# default action can be DROP or REJECT
DACTION="DROP"
# Both rules are inserted at the top of INPUT, so the second -I ends up first:
# a new connection is checked against the recent list (and dropped once it has
# hit BLOCKCOUNT within SECONDS) before the source IP is recorded in the list.
$IPT -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
$IPT -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds ${SECONDS} --hitcount ${BLOCKCOUNT} -j ${DACTION}
# ....
# ..

(stolen from here: http://www.cyberciti.biz/tips/lighttpd-set-throughput-connections-per-ip.html )

--Matt
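The "same page over and over from one client" pattern Tom saw can also be found after the fact in the lighttpd access logs. This added shell/awk script (not from the thread or the cyberciti page) flags client/path pairs that reach the same SECONDS/BLOCKCOUNT thresholds the iptables rules use; it assumes lighttpd's common-log field layout and that all lines fall on one day (only hh:mm:ss is parsed), and the log lines it reads are constructed.

```shell
#!/bin/sh
# flood_suspects WINDOW_SECONDS HITCOUNT < access.log
# Prints "ip path count" for every client/path pair that made HITCOUNT
# requests inside some WINDOW_SECONDS span (same idea as --seconds/--hitcount).
flood_suspects() {
    awk -v win="$1" -v max="$2" '
    {
        ip = $1
        # $4 looks like [19/Sep/2012:08:05:01 ; keep the hh:mm:ss part only
        # (assumption: all lines are from the same day)
        split(substr($4, index($4, ":") + 1), hms, ":")
        t = hms[1] * 3600 + hms[2] * 60 + hms[3]
        # request line is "GET /path HTTP/1.1", so $7 is the path
        key = ip " " $7
        # drop timestamps that fell out of the window, then add this one
        n = split(seen[key], ts, " ")
        kept = ""; cnt = 0
        for (i = 1; i <= n; i++)
            if (ts[i] >= t - win) { kept = kept " " ts[i]; cnt++ }
        seen[key] = kept " " t
        cnt++
        # remember the highest in-window count that crossed the threshold
        if (cnt >= max && cnt > flagged[key]) flagged[key] = cnt
    }
    END { for (k in flagged) print k, flagged[k] }' | sort
}

# Constructed sample log: 10.0.0.5 fetches one quiz page 12 times in 12
# seconds, 10.0.0.7 opens a course page twice, 97 seconds apart.
sample_log() {
    i=0
    while [ "$i" -lt 12 ]; do
        printf '10.0.0.5 - - [19/Sep/2012:08:05:%02d -0400] "GET /mod/quiz/view.php?id=42 HTTP/1.1" 200 5120\n' "$i"
        i=$((i + 1))
    done
    printf '10.0.0.7 - - [19/Sep/2012:08:05:03 -0400] "GET /course/view.php?id=7 HTTP/1.1" 200 9000\n'
    printf '10.0.0.7 - - [19/Sep/2012:08:06:40 -0400] "GET /course/view.php?id=7 HTTP/1.1" 200 9000\n'
}

# Same thresholds as the iptables rules: 10 hits within 100 seconds.
sample_log | flood_suspects 100 10
```

Run it against a real log with `flood_suspects 100 10 < /var/log/lighttpd/access.log`; requests from the balancer's own address will show up unless lighttpd is logging the X-Forwarded-For client.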


___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug