On 10/10/06, guy keren <[EMAIL PROTECTED]> wrote:
> it is possible that you have the user-space shared library (what you saw
> under /lib/iptables/...), but you lack the matching kernel module.

Yes you are right. This netfilter module is missing from the standard kernel image on my system (
linux-image-2
On Tue, 10 Oct 2006, Amos Shapira wrote:
> Date: Tue, 10 Oct 2006 22:25:05 +1000
> From: Amos Shapira <[EMAIL PROTECTED]>
> To: linux-il
> Subject: Re: Limiting the number of simultaneous HTTP connection per IP
>
> On 10/10/06, Sagi Bashari <[EMAIL PROTECTED]>
On 10/10/06, Sagi Bashari <[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED]:~# iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 3 -j REJECT
> iptables: No chain/target/match by that name

Trying this command on my Debian Etch I get:

$ sudo iptables -A INPUT -p tcp --dport 80 -m connlimit -
(resending to list)

On 10/10/06, Amos Shapira <[EMAIL PROTECTED]> wrote:
> On 10/10/06, Sagi Bashari <[EMAIL PROTECTED]> wrote:
> > I'm looking for a way to prevent such attack in a higher level, before it even reaches Apache. I found a iptables module named connlimit/iplimit, that is supposed to do just

You can do that on netfilter using iptables, but I suggest caution.
You see, there are many organizations that use NAT or MASQUERADING,
so to netfilter it will look like you are getting flooded.
What you actually need is to identify somehow that some specific client
opened the connection and limit
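An added example, not code posted by anyone in this thread, that ties the two points together: Sagi's connlimit rule, and the caveat above that a NAT gateway fronting many users looks like a single flooding client. It reads a /proc/net/tcp excerpt (a constructed one is embedded; the addresses are from documentation ranges) and counts ESTABLISHED connections to port 80 per remote address, which is the "identify which specific client opened the connections" step, and then emits iptables commands that accept a hand-maintained list of known gateways before applying the connlimit cap to everyone else. The gateway list and the threshold of 3 are assumptions for illustration. The connlimit match still needs its kernel side (xt_connlimit); it was not in mainline kernels when this thread was written and was merged in 2.6.23.

```python
"""Added example for the thread above (not code posted by any participant):
count live HTTP connections per client address the way the kernel sees them,
and build connlimit rules that exempt known NAT/proxy gateways before capping
everyone else.  Assumptions: the server listens on port 80, and the operator
maintains the gateway list by hand."""

import socket
import struct
from collections import Counter

HTTP_PORT = 80
TCP_ESTABLISHED = "01"  # 'st' column value for ESTABLISHED in /proc/net/tcp


def decode_addr(hexaddr):
    """Convert /proc/net/tcp's 'HEXIP:HEXPORT' into ('a.b.c.d', port).

    The kernel prints the IPv4 address in host byte order, so on the usual
    little-endian hosts the bytes appear reversed ('0100007F' is 127.0.0.1).
    """
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def count_http_clients(proc_net_tcp_text, local_port=HTTP_PORT):
    """Return Counter {remote ip: established connections to local_port}."""
    counts = Counter()
    for line in proc_net_tcp_text.splitlines()[1:]:  # line 0 is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        _, lport = decode_addr(fields[1])
        remote_ip, _ = decode_addr(fields[2])
        if lport == local_port and fields[3] == TCP_ESTABLISHED:
            counts[remote_ip] += 1
    return counts


def offenders(counts, limit):
    """Addresses holding more than `limit` connections, sorted."""
    return sorted(ip for ip, n in counts.items() if n > limit)


def connlimit_rules(limit, exempt=(), mask=32):
    """iptables commands implementing the cap.

    Exempt gateways are accepted first, so a NAT box fronting many real users
    is not mistaken for one flooding client.  Only new connections (--syn)
    are judged, and the refusal is a TCP RST so the client fails fast.
    Requires the connlimit match (xt_connlimit) in the running kernel.
    """
    rules = [
        f"iptables -A INPUT -p tcp --dport {HTTP_PORT} -s {ip} -j ACCEPT"
        for ip in exempt
    ]
    rules.append(
        f"iptables -A INPUT -p tcp --dport {HTTP_PORT} --syn "
        f"-m connlimit --connlimit-above {limit} --connlimit-mask {mask} "
        f"-j REJECT --reject-with tcp-reset"
    )
    return rules


# Constructed /proc/net/tcp excerpt: server 10.0.0.1, four ESTABLISHED
# connections to :80 from 198.51.100.7, one from 203.0.113.5, plus a
# TIME_WAIT entry and an SSH session that must not be counted.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100000A:0050 076433C6:C350 01 00000000:00000000 00:00000000 00000000    33        0 1001 1 0 100 0 0 10 0
   1: 0100000A:0050 076433C6:C351 01 00000000:00000000 00:00000000 00000000    33        0 1002 1 0 100 0 0 10 0
   2: 0100000A:0050 076433C6:C352 01 00000000:00000000 00:00000000 00000000    33        0 1003 1 0 100 0 0 10 0
   3: 0100000A:0050 076433C6:C353 01 00000000:00000000 00:00000000 00000000    33        0 1004 1 0 100 0 0 10 0
   4: 0100000A:0050 076433C6:C354 06 00000000:00000000 03:00000A1C 00000000     0        0 0 3 0
   5: 0100000A:0050 057100CB:D431 01 00000000:00000000 00:00000000 00000000    33        0 1005 1 0 100 0 0 10 0
   6: 0100000A:0016 076433C6:E001 01 00000000:00000000 02:000A1B2C 00000000     0        0 1006 2 0 100 0 0 10 0
"""


if __name__ == "__main__":
    # Constructed input by default; pass the real file on a Linux box.
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PROC_NET_TCP
    counts = count_http_clients(text)
    for ip, n in counts.most_common():
        print(f"{ip:16} {n}")
    print("over limit:", offenders(counts, 3))
    for rule in connlimit_rules(3, exempt=["203.0.113.5"]):
        print(rule)
```

Run it as `python3 script.py /proc/net/tcp` on the web server to see who is actually holding the connections before choosing a limit; the generated rules are printed rather than applied so they can be reviewed, and `--connlimit-mask` can be lowered (e.g. 24) if the misbehaving clients come from a whole block rather than a single address.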
Sagi Bashari wrote:
> I'm looking for a way to prevent such attack in a higher level, before
> it even reaches Apache. I found a iptables module named
> connlimit/iplimit, that is supposed to do just that, but it seems the
> official kernels do not support it and there's a serious lack of
> inform
Hi List,

We've recently had trouble with some misbehaved web clients that opened dozens of HTTP connections to our web server, causing it to reach the total connection limit and just hang until they time out or until the server is restarted.
We're sure that this is not an intentional DoS attack and