Toni Mueller wrote:
Hi,
On Tue, 20.02.2007 at 12:33:17 -0500, Daniel Ouellet <[EMAIL PROTECTED]> wrote:
* Use a non-forking server.
???
I've been hit by guys who simply exhausted the maximum number of
processes I configured with Apache. What limits do you usually have?
I am still very conservative and could increase it more, but choose not to.
# sysctl kern.maxproc
kern.maxproc=1024
Never needed to increase it more than that after all protections are in
place. I use a 768 limit for Apache; you need to change the default and
recompile, but it is really easy to do.
This was effectively a DoS against all other users. Whether
intentionally or by accident, I can't say right now, but all
non-forking servers I'm aware of have a much slower memory consumption
rate.
Memory consumption is not really a max process or forking limit issue, unless
you run servers with very limited memory.
Also, one situation described before as well is that a DDoS sends lots of
connections to your server, but they do not process the content of the
reply, meaning they don't fetch all the images, etc. that a regular
request would. For example, one request from IE on a site can result in
20 streams back from the server, while one attack request still gets only one stream in
reply. So, with proper limits on connections and blocking in place, you
are good to go.
Maybe your KeepAliveTimeout in httpd.conf is too high. I reduced mine
from the default. This frees forked processes sooner.
You can also change the value of:
MinSpareServers
MaxSpareServers
to fit your server's needs and reduce the time spent starting/stopping new
ones. It all depends on your traffic.
PF can handle rate limiting pretty well; just increase your table size if
you reach its limit, and be aggressive with optimization:
Yes. I was already using it with good success.
Maybe spending some time optimizing your PF rules under
heavy load would be time well spent.
Daniel put a very good guideline on this:
http://www.undeadly.org/cgi?action=article&sid=20060927091645
Also, these two might be interesting to read as well
for information:
http://www.undeadly.org/cgi?action=article&sid=20060929080943
http://www.undeadly.org/cgi?action=article&sid=20060928081238
You can deny requests based on IE versions if need be with stock
Apache. All the time limiting and redirects I described previously only
affect the IE versions, and anything NOT IE passes without delay or redirect.
I don't want to generally deny, or slow down, IE users of the site (I
can't), but only want to deny them range requests. I didn't find a knob
in Apache to do this. If anyone else does, I'm still interested.
Maybe I am thick here; I still don't understand what you are after.
You can block access with:
Order Allow,Deny
Allow from all
Deny from w.x.y.z/xx
And with something like:
BrowserMatchNoCase "MSIE 5\.5" browser=MSIE_5.5
and SetEnvIf, you can do clever things.
I didn't put a lot of thought into the last piece here, as I use that for
blocking some specific traffic and the like, but I don't see why it
wouldn't be possible.
Then I use something like:
RewriteRule <Your rule here> http://%{REMOTE_ADDR}/ [L,E=nolog:1]
But that needs to be specific for each setup you want to use.
I would need to spend time thinking about it, but I would think it's
possible to do. Not easy, but possible. Some reading is needed.
Best,
Daniel
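The knob Toni asked for, refusing Range requests from IE only while leaving every other client alone, can be built from the SetEnvIf/mod_rewrite pieces Daniel sketches above. This is an added example, not configuration from the thread; it assumes mod_rewrite is loaded and the log path is a placeholder for your own.

```apache
# Added example (not from the thread): refuse HTTP Range requests from
# Internet Explorer only, using stock Apache mod_rewrite. Non-IE clients
# and IE requests without a Range header are not affected at all.
# Assumes mod_rewrite is loaded; the log path below is hypothetical.

RewriteEngine On

# Condition 1: the User-Agent identifies Internet Explorer (case-insensitive).
RewriteCond %{HTTP_USER_AGENT} MSIE [NC]
# Condition 2: the request carries a non-empty Range header.
RewriteCond %{HTTP:Range} !^$
# Conditions are ANDed. Answer 403 Forbidden and stop rewriting; E=nolog:1
# sets an environment variable so these hits can be filtered from the log.
RewriteRule .* - [F,L,E=nolog:1]

# Keep the refused requests out of the normal access log (optional),
# mirroring the E=nolog:1 trick from the thread.
CustomLog /var/www/logs/access_log combined env=!nolog
```

A client that sends the same URL without a Range header still gets the full response, so legitimate IE users are not locked out, only their partial-content requests are.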