Hi George, I would also check mod_qos for your use case!

Luca

On 01 Feb 2016 22:00, "George Genovezos" <george.genove...@copart.com> wrote:

> Richard,
>
> I would agree with you that a more elegant solution is required.
> Unfortunately the firewall will only block or allow a particular port.
>
> The correct solution would be to implement an IPS solution in front of a
> firewall, but we're in the do more with less phase.
>
> George Genovezos
> Application Security Architect
> CISSP, ISSAP, CIFI
>
> Copart
>
> On 2/1/16, 2:27 PM, "Richard" <lists-apa...@listmail.innovate.net> wrote:
>
> >> Date: Monday, February 01, 2016 19:52:51 +0000
> >> From: George Genovezos <george.genove...@copart.com>
> >>
> >> Hi,
> >>
> >> I’m hoping someone can help with a problem I’m having. I need
> >> a basic DDoS mitigation tool. Basically, either throttling back
> >> certain IP addresses or blocking access after too many connections
> >> per second.
> >>
> >> I know mod_evasive did this but the project, to my knowledge, is
> >> deprecated.
> >>
> >> So to draw this out, I want a web server to count the number of
> >> connections per second, and if an IP breaches this limit to either
> >> throttle or block the connection. Then I want to use mod_proxy to
> >> reverse proxy that clean connection to my web servers.
> >>
> >> Any feedback would be greatly appreciated.
> >>
> >> George Genovezos
> >> Application Security Architect
> >> CISSP, ISSAP, CIFI
> >>
> >> Copart
> >
> >In my view, doing this at the web server is rather late in the game.
> >If I'm reading the mod_evasive documentation correctly, all it (or
> >something similar) does is stop serving content and return 403s.
> >If your content is resource expensive to deliver that will help
> >some, but you're still going to get all the requests hitting the web
> >server and you're still going to be responding to them.
> >
> >The better place to address this is at your system's firewall.
> >Depending on your system, you likely have firewall tools that can
> >provide a more robust solution.
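
The per-IP counting asked for in the thread (count requests per second, block an IP that breaches the limit), as an added example that is not part of the original messages and is not how mod_evasive or mod_qos is implemented; the class and function names, the limit, window and block duration, and the sample traffic are all assumptions. The "block" tally also illustrates the objection raised in the thread: a blocked request still reaches the server and still has to be answered.

```python
from collections import defaultdict, deque

class PerIPLimiter:
    """Allow at most `limit` requests per IP in any `window` seconds;
    an IP that exceeds it is blocked for `block_for` seconds."""

    def __init__(self, limit=5, window=1.0, block_for=10.0):
        self.limit, self.window, self.block_for = limit, window, block_for
        self.hits = defaultdict(deque)   # ip -> timestamps inside the window
        self.blocked_until = {}          # ip -> time the block expires

    def check(self, ip, now):
        """Return 'allow' or 'block' for a request from `ip` at time `now`."""
        until = self.blocked_until.get(ip)
        if until is not None:
            if now < until:
                return "block"
            del self.blocked_until[ip]   # block expired, start counting afresh
            self.hits[ip].clear()
        q = self.hits[ip]
        while q and now - q[0] >= self.window:
            q.popleft()                  # drop hits older than the window
        q.append(now)
        if len(q) > self.limit:
            self.blocked_until[ip] = now + self.block_for
            return "block"
        return "allow"


def replay(events, limiter):
    """Run (timestamp, ip) events through the limiter; tally decisions per IP."""
    tally = defaultdict(lambda: {"allow": 0, "block": 0})
    for ts, ip in events:
        tally[ip][limiter.check(ip, ts)] += 1
    return {ip: dict(counts) for ip, counts in tally.items()}


# Constructed sample traffic (documentation addresses from RFC 5737):
# 198.51.100.7 sends 20 requests within one second and returns at t=15 s,
# after its block has expired; 192.0.2.10 sends one request per second.
SAMPLE = sorted(
    [(i * 0.05, "198.51.100.7") for i in range(20)]
    + [(float(i), "192.0.2.10") for i in range(5)]
    + [(15.0, "198.51.100.7")]
)

if __name__ == "__main__":
    for ip, counts in replay(SAMPLE, PerIPLimiter()).items():
        print(ip, counts)
```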