LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   http dos attack (http://www.linuxquestions.org/questions/linux-security-4/http-dos-attack-933193/)

packets 03-07-2012 07:35 AM

http dos attack
 
I have a running apache server and I notice that the load of the server is quite HIGH. I just discovered that there are lots of GET query on the access log. It seems there are 5-10 get every seconds and this came from different ip address. I tried to put iptables and put the ff:

Code:

iptables -N syn_flood
iptables -A INPUT -p tcp --syn -j syn_flood
iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A syn_flood -j DROP

iptables -I INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -m recent --set -j ACCEPT
iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 -j DROP

This work but the access on the apache also slows down.

Any suggestions on this brute force attack?

Noway2 03-07-2012 08:44 AM

It looks like from your iptables entries you are using two methods: connection rate limit and syn packet limits. You really should try to find evidence of the exact mechanism being applied so that you can tailor your solution. Based on the idea that these are full fledged GET requests, you might want to consider adding mod_evasive. See the following for a little more information: http://www.zdziarski.com/blog/?page_id=442

packets 03-07-2012 08:46 AM

@Noway2

After researching, I bump to mod_evasive and will install it later.


All times are GMT -5. The time now is 07:29 PM.