LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 07-21-2011, 04:06 AM   #1
ajayan
Member
 
Registered: Dec 2007
Posts: 89

Rep: Reputation: 16
How to track DoS attack with Apache?


Hi All,

Last day i have faced an attack on Apache/2.2.14 (Ubuntu).A user shoots 53 hits within 20 seconds from same IP and as a result db connections to MySQL increased.

a.) Is there any way in Apache to block these type of requests

b.) how can we trace when this type of attack happened to Apache.

Also I have noticed an entry in Apache error log during attack period

Error Log

[Wed Jul 20 20:28:49 2011] [debug] proxy_util.c(1806): proxy: grabbed scoreboard slot 0 in child 753 for worker http://localhost:8294/
[Wed Jul 20 20:28:49 2011] [debug] proxy_util.c(1825): proxy: worker http://localhost:8294/ already initialized
[Wed Jul 20 20:28:49 2011] [debug] proxy_util.c(1902): proxy: initialized worker 0 in child 753 for (localhost) min=0 max=25 smax=25

ACCESS LOG

PUBLIC IP. LOCALIP - - [20/Jul/2011:20:28:32 -0400] "POST /test/submitForm HTTP/1.1" 200 5133 10274744 "https://www.mydomain.com/test/submitForm" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; AskTbFWV5/5.12.2.16749)


It would be great if someone can advise how to trace these type of attacks

Thanks
Ajayan
 
Old 07-21-2011, 11:43 AM   #2
rch
Member
 
Registered: Feb 2003
Location: Santa Clara,CA
Distribution: Mandriva
Posts: 909

Rep: Reputation: 48
Have you tried mod_evasive? AFAIK, this is the only built-in tool that you can use to handle ddos. I must tell you from personal experience that almost any defense is useless - as you need to keep port 80 open- and you need to make sure that the website is responsive. Best of lucks.
 
Old 07-21-2011, 08:17 PM   #3
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.9, Centos 7.3
Posts: 17,417

Rep: Reputation: 2397Reputation: 2397Reputation: 2397Reputation: 2397Reputation: 2397Reputation: 2397Reputation: 2397Reputation: 2397Reputation: 2397Reputation: 2397Reputation: 2397
Fail2ban is a popular tool to deal with this sort of problem http://linux.die.net/man/8/fail2ban
 
1 members found this post helpful.
Old 07-21-2011, 08:33 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,361
Blog Entries: 55

Rep: Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547
Quote:
Originally Posted by ajayan View Post
A user shoots 53 hits within 20 seconds from same IP
As long as requests return 3nn or 2nn request responses this behaviour strictly speaking may or may not be perceived as a DoS depending on visitor traffic averages (search for "slashdot effect"). Limiting traffic does, or should, not start at the application layer but using the firewall. See 'man iptables': limit, hashlimit, recent. Next to web server bandwidth and filtering modules tweaking connection sysctls, using a (reverse?) proxy and lowering the amount of worker threads may be of use, albeit limited as a "true" DoS or DDoS will require you to talk to your provider. Also see Cyber Security Tip ST04-015: Understanding Denial-of-Service Attacks (thanks to unixfool, I lost that link).
 
Old 07-23-2011, 03:18 AM   #5
curtisa
Member
 
Registered: Oct 2005
Location: Switzerland
Distribution: Ubuntu
Posts: 33

Rep: Reputation: 16
I'd say fail2ban is your answer. It's excellent for this situation.
 
Old 07-23-2011, 05:06 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,361
Blog Entries: 55

Rep: Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547
Quote:
Originally Posted by curtisa View Post
It's excellent for this situation.
Since you say this is "excellent" please provide the right regex with which to filter this type of request (bonus points if you elaborate why you favor application level blocking).
 
Old 07-23-2011, 07:13 AM   #7
ajayan
Member
 
Registered: Dec 2007
Posts: 89

Original Poster
Rep: Reputation: 16
Quote:
Originally Posted by unSpawn View Post
Since you say this is "excellent" please provide the right regex with which to filter this type of request (bonus points if you elaborate why you favor application level blocking).


curtisa,

It would be great if you can provide the right regex to filter this.

chrism01,

I have gone through fail2ban Docs.But i couldn't find an better answer as my requirement is to ban IP address on the basis of number request in a period of time ie, in a minute, or 30 seconds etc and whether its 200 OK response or not.Most of the fail2ban docs are based on error response/login failure.

Any suggestions? Thanks for You help

Ajayan
 
Old 07-23-2011, 07:19 AM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,361
Blog Entries: 55

Rep: Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547
Quote:
Originally Posted by ajayan View Post
Any suggestions?
How about reading my initial response again?
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Apache / Squid - DoS attack tool in the wild.. farslayer Linux - Security 5 06-21-2009 01:26 AM
DoS attack? port 22 templeton Linux - Security 1 11-11-2008 04:48 PM
is this a Dos Attack?? xtremeclones Linux - Security 8 09-27-2006 02:40 AM
detecting a DOS attack ignus Linux - Security 4 07-29-2004 03:17 PM
Are we under DOS attack? sarmadys Linux - Security 2 02-06-2002 10:41 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 03:15 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration