How to track DoS attack with Apache?

ajayan · 07-21-2011, 03:06 AM

Hi All,

Last day i have faced an attack on Apache/2.2.14 (Ubuntu).A user shoots 53 hits within 20 seconds from same IP and as a result db connections to MySQL increased.

a.) Is there any way in Apache to block these type of requests

b.) how can we trace when this type of attack happened to Apache.

Also I have noticed an entry in Apache error log during attack period

Error Log

[Wed Jul 20 20:28:49 2011] [debug] proxy_util.c(1806): proxy: grabbed scoreboard slot 0 in child 753 for worker http://localhost:8294/
[Wed Jul 20 20:28:49 2011] [debug] proxy_util.c(1825): proxy: worker http://localhost:8294/ already initialized
[Wed Jul 20 20:28:49 2011] [debug] proxy_util.c(1902): proxy: initialized worker 0 in child 753 for (localhost) min=0 max=25 smax=25

ACCESS LOG

PUBLIC IP. LOCALIP - - [20/Jul/2011:20:28:32 -0400] "POST /test/submitForm HTTP/1.1" 200 5133 10274744 "https://www.mydomain.com/test/submitForm" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; AskTbFWV5/5.12.2.16749)

It would be great if someone can advise how to trace these type of attacks

Thanks
Ajayan

rch · 07-21-2011, 10:43 AM

Have you tried mod_evasive? AFAIK, this is the only built-in tool that you can use to handle ddos. I must tell you from personal experience that almost any defense is useless - as you need to keep port 80 open- and you need to make sure that the website is responsive. Best of lucks.

chrism01 · 07-21-2011, 07:17 PM

Fail2ban is a popular tool to deal with this sort of problem http://linux.die.net/man/8/fail2ban

unSpawn · 07-21-2011, 07:33 PM

Quote:

Originally Posted by ajayan

A user shoots 53 hits within 20 seconds from same IP

As long as requests return 3nn or 2nn request responses this behaviour strictly speaking may or may not be perceived as a DoS depending on visitor traffic averages (search for "slashdot effect"). Limiting traffic does, or should, not start at the application layer but using the firewall. See 'man iptables': limit, hashlimit, recent. Next to web server bandwidth and filtering modules tweaking connection sysctls, using a (reverse?) proxy and lowering the amount of worker threads may be of use, albeit limited as a "true" DoS or DDoS will require you to talk to your provider. Also see Cyber Security Tip ST04-015: Understanding Denial-of-Service Attacks (thanks to unixfool, I lost that link).

curtisa · 07-23-2011, 02:18 AM

I'd say fail2ban is your answer. It's excellent for this situation.

unSpawn · 07-23-2011, 04:06 AM

Quote:

Originally Posted by curtisa

It's excellent for this situation.

Since you say this is "excellent" please provide the right regex with which to filter this type of request (bonus points if you elaborate why you favor application level blocking).

ajayan · 07-23-2011, 06:13 AM

Quote:

Originally Posted by unSpawn

Since you say this is "excellent" please provide the right regex with which to filter this type of request (bonus points if you elaborate why you favor application level blocking).

curtisa,

It would be great if you can provide the right regex to filter this.

chrism01,

I have gone through fail2ban Docs.But i couldn't find an better answer as my requirement is to ban IP address on the basis of number request in a period of time ie, in a minute, or 30 seconds etc and whether its 200 OK response or not.Most of the fail2ban docs are based on error response/login failure.

Any suggestions? Thanks for You help

Ajayan

unSpawn · 07-23-2011, 06:19 AM

Quote:

Originally Posted by ajayan

Any suggestions?

How about reading my initial response again?