LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 02-15-2014, 07:33 AM   #1
welshdemon
IPTables block multiple requests to port 80 query


If I have Apache keepalive off, does this open a new httpd process for every request on the server? Pages on my site make about 29 GETs for the page content. So does this mean 30 HTTPD processes open and close very quickly (on different sockets) to serve this content?

My reason for asking: I have been trying to set up iptables rules but am struggling. My site has been under some sort of DDoS attack on many occasions.

I would like to block more than 60 connection requests in 10 seconds. (this allows for up to 2 pages to be loaded concurrently)

I have added mod_evasive and tried fail2ban, even the ddos deflate http://deflate.medialayer.com/. Sure, they ban IPs eventually, but it has already got to application level before these scan the logs and finally (sometimes) block the IP.
I would rather stop this at network level before it even gets to apache as it is really slowing my site down.

So I'm wondering, with keepalive ON, would this mean the 30 requests for page content would go through the same socket, meaning iptables couldn't detect how much is being requested?


Or am I talking rubbish...
 
Old 02-15-2014, 09:13 AM   #2
unSpawn
Moderator
Quote:
Originally Posted by welshdemon
If I have apache keepalive off. Does this open a new httpd process for every request on the server? Pages on my site makes about 29 GETS for the page content. So does this mean 30 HTTPD process open and close very quickly (on different sockets) to serve this content?
Here "keepalive" means "multiple requests over a single connection" and that was something you could have checked yourself: http://en.wikipedia.org/wiki/HTTP_persistent_connection and esp. the references and external links.


Quote:
Originally Posted by welshdemon
My reason for asking. ..() My site has been under some sort of DDOS attack on many occasions.
For what reason? Do you host content of a nature that could cause that? Or more simply phrased: did you perchance piss somebody off?
What's the nature of the DoS (if any)? (Post log excerpts if unsure?)


Quote:
Originally Posted by welshdemon
I would like to block more than 60 connection requests in 10 seconds.
Sure you can but I'd rather see "evidence" of this DoS first if you don't mind.
 
Old 02-15-2014, 02:25 PM   #3
welshdemon
Well, I did check myself, for many, many hours, maybe days of reading. That's why I'm asking, to clear things up. It's very confusing as there are too many variables.

The server just gets attacked every now and then. As far as I know I haven't annoyed anyone. It's not a dodgy site. I think they just scan networks of VPSs to try and find hosts to practise hacking on.

[mod_evasive log excerpt omitted]

Last edited by welshdemon; 02-15-2014 at 02:27 PM.
 
Old 02-16-2014, 05:18 AM   #4
unSpawn
Sorry, but that log file doesn't tell us anything about the reasons why it blacklisted those IP addresses, because you didn't include access_log details for one or more IP addresses and you didn't include your mod_evasive configuration settings. Other than that, maybe read up on the iptables limit, recent, connlimit and hashlimit extensions?
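As an added example (not from the thread), this script emits the hashlimit rules for the threshold the original poster asked for: drop a source IP's new connections to TCP/80 once it exceeds 60 in 10 seconds (6/sec sustained, burst 60), logging the first hits. It counts TCP connections, not HTTP requests, so with keepalive on a page's 29 GETs over one persistent connection count once; the chain names WEB_RATELIMIT and WEB_FLOOD and the table name web80 are my own choices.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates iptables rules that
# rate-limit NEW TCP connections to the web port per source IP using the
# hashlimit extension. Dry run by default (prints the commands); set APPLY=1
# to execute them (needs root). Chain/table names below are assumptions.

PORT="${PORT:-80}"
RATE="${RATE:-6/sec}"   # sustained new-connection rate allowed per source
BURST="${BURST:-60}"    # how many connections fit in the bucket (60 in 10 s)
IPT="${IPT:-iptables}"

web_ratelimit_rules() {
    cat <<EOF
$IPT -N WEB_RATELIMIT
$IPT -N WEB_FLOOD
$IPT -A WEB_FLOOD -m limit --limit 3/min -j LOG --log-prefix "WEB${PORT}_FLOOD: "
$IPT -A WEB_FLOOD -j DROP
$IPT -A WEB_RATELIMIT -m hashlimit --hashlimit-name web${PORT} --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-above ${RATE} --hashlimit-burst ${BURST} -j WEB_FLOOD
$IPT -A WEB_RATELIMIT -j RETURN
$IPT -I INPUT -p tcp --dport ${PORT} -m conntrack --ctstate NEW -j WEB_RATELIMIT
EOF
}

# Only one rule consults the hashlimit table: a single token bucket per
# source IP, so the log and drop actions in WEB_FLOOD do not double-count.
hashlimit_rule_count() {
    web_ratelimit_rules | grep -c -- '--hashlimit-above'
}

if [ "${APPLY:-0}" = "1" ]; then
    web_ratelimit_rules | sh -e
else
    web_ratelimit_rules
fi
```

The INPUT jump is inserted at the top of the chain so it is evaluated before any rule that accepts port 80; because it matches only NEW connections, established keepalive sessions are unaffected.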