Hi List,
We've recently had trouble with some misbehaved web clients that opened dozens of HTTP connections to our web server, causing it to reach the total connection limit and just hang until they time out or until the server is restarted.
We're sure that this is not an intentional DoS attack and these clients will probably be fixed, but I would like to prevent the possibility of such attacks in the future, intentional or otherwise.
I managed to replicate such an attack against our server by running a trivial script on my workstation:
for i in `seq 100`; do (nc HOST 80 &); done
Our servers are running Apache/2.0.54 on Debian Sarge.
There are many Apache modules that aim to solve such problems. I've tested a few, and none of them seem to prevent it completely. These modules wait until the client sends a complete request and only then check if it should be blocked, serving an Apache error page. They don't take any action if the client just opens a TCP connection and leaves it hanging, for example.
I'm looking for a way to prevent such an attack at a higher level, before it even reaches Apache. I found an iptables module named connlimit/iplimit that is supposed to do just that, but it seems the official kernels do not support it and there's a serious lack of information about it.
I guess I'm not the only one who has experienced such problems, and there must be better known solutions.
Please advise,
Sagi
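A defender-side sketch of the two approaches the post touches on, added here as an example and not part of the thread: the iptables connlimit match (later mainline kernels ship it as xt_connlimit) rejecting new SYNs once a single address holds more than a chosen number of connections to port 80, plus a userspace check over netstat-style output that counts every open connection per peer, including ones that never sent a request. The threshold of 20, the sample addresses and the netstat lines are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed threshold for simultaneous
# connections to port 80 from one source address.
LIMIT=20

# Kernel-side limit: drop further SYNs from an address that already has more than
# $LIMIT connections to port 80. --syn keeps established flows untouched,
# --connlimit-mask 32 counts per single IPv4 address. Printed, not applied, so the
# script can run anywhere; pipe through sh on the firewall host to load it.
connlimit_rule() {
    printf 'iptables -I INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above %s --connlimit-mask 32 -j DROP\n' "$LIMIT"
}

# Userspace detection: read "netstat -tn" style lines (proto recvq sendq local
# foreign state) on stdin and print "count ip" for each peer holding more than
# $LIMIT connections to local port 80. Idle connections that never sent an HTTP
# request are counted too, which is exactly what request-level modules miss.
over_limit() {
    awk -v limit="$LIMIT" '
        $4 ~ /:80$/ {
            split($5, peer, ":")
            n[peer[1]]++
        }
        END { for (ip in n) if (n[ip] > limit) print n[ip], ip }
    '
}

# Constructed sample: 25 connections from one address, 3 from another, plus an
# unrelated SSH connection that must not be counted.
sample_netstat() {
    i=0
    while [ "$i" -lt 25 ]; do
        printf 'tcp 0 0 10.0.0.5:80 192.0.2.10:%s ESTABLISHED\n' $((40000 + i))
        i=$((i + 1))
    done
    printf 'tcp 0 0 10.0.0.5:80 198.51.100.7:40001 ESTABLISHED\n'
    printf 'tcp 0 0 10.0.0.5:80 198.51.100.7:40002 ESTABLISHED\n'
    printf 'tcp 0 0 10.0.0.5:80 198.51.100.7:40003 ESTABLISHED\n'
    printf 'tcp 0 0 10.0.0.5:22 192.0.2.10:40099 ESTABLISHED\n'
}

# Run on real data with: netstat -tn | over_limit
connlimit_rule
sample_netstat | over_limit
```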