[TOOL] mod_dosevasive, Apache Evasive Maneuvers Module

From: SecuriTeam (support_at_securiteam.com)
Date: 09/03/03

    To: list@securiteam.com
    Date: 3 Sep 2003 10:15:10 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      mod_dosevasive, Apache Evasive Maneuvers Module
    ------------------------------------------------------------------------

    DETAILS

    mod_dosevasive (<http://www.nuclearelephant.com/projects/dosevasive/>) is
    an evasive maneuvers module for Apache that provides evasive action in the
    event of an HTTP DoS, DDoS, or brute force attack. It is also designed to
    be a detection and network management tool, and can be easily configured
    to talk to ipchains, firewalls, routers, and so on. mod_dosevasive
    presently reports abuses via email and syslog facilities.

    Detection is performed by creating an internal dynamic hash table of IP
    Addresses and URIs, and denying any single IP address from any of the
    following:
     * Requesting the same page more than a few times per second
     * Making more than 50 concurrent requests on the same child per second
     * Making any requests while temporarily blacklisted (on a blocking list)
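
The three denial rules listed above, sketched as an added example in C; this is not mod_dosevasive's own source. A single in-process table stands in for the module's per-child hash table, and PAGE_LIMIT, BLOCK_SECS, SLOTS and all function names are assumptions made for illustration; only the figure 50 comes from the advisory.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>
#define SLOTS      1024 /* table size (assumed) */
#define PAGE_LIMIT 2    /* "a few" same-page hits per window (assumed value) */
#define SITE_LIMIT 50   /* total hits per window, the advisory's figure */
#define INTERVAL   1    /* counting window in seconds */
#define BLOCK_SECS 10   /* blacklist duration (assumed value) */
struct entry { char key[128]; time_t start; unsigned count; };
static struct entry table[SLOTS];
/* Find or create the slot for key (djb2 hash, linear probing); NULL if full. */
static struct entry *lookup(const char *key) {
    unsigned long h = 5381;
    for (const char *p = key; *p; p++) h = h * 33 + (unsigned char)*p;
    for (unsigned i = 0; i < SLOTS; i++) {
        struct entry *e = &table[(h + i) % SLOTS];
        if (e->key[0] == '\0') snprintf(e->key, sizeof e->key, "%s", key);
        if (strcmp(e->key, key) == 0) return e;
    }
    return NULL;
}

/* Count one hit in the current window; returns 1 once the limit is exceeded. */
static int hit(const char *key, time_t now, unsigned limit) {
    struct entry *e = lookup(key);
    if (!e) return 0;                 /* table full: this sketch fails open */
    if (now - e->start >= INTERVAL) { e->start = now; e->count = 0; }
    return ++e->count > limit;
}

/* Returns 1 to deny the request, 0 to allow it. */
int check_request(const char *ip, const char *uri, time_t now) {
    char key[128];                    /* longer ip+uri keys are truncated here */
    snprintf(key, sizeof key, "block|%s", ip);
    struct entry *b = lookup(key);
    if (b && b->count && now - b->start < BLOCK_SECS) return 1; /* blacklisted */
    snprintf(key, sizeof key, "page|%s|%s", ip, uri);
    int over = hit(key, now, PAGE_LIMIT);   /* same page too often */
    snprintf(key, sizeof key, "site|%s", ip);
    over |= hit(key, now, SITE_LIMIT);      /* too many requests overall */
    if (over && b) { b->start = now; b->count = 1; }  /* start blocking */
    return over;
}

int main(void) {   /* constructed input: three hits on one page in one second */
    for (int i = 1; i <= 3; i++)
        puts(check_request("192.0.2.10", "/index.html", 1000) ? "deny" : "allow");
    return 0;
}
```

Keying the per-page counter on IP plus URI and the overall counter on IP alone is what lets a client browse many pages normally while a script hammering one URL trips the limit.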

    This method has worked well against both single-server script attacks and
    distributed attacks, but like other evasive tools it is only useful up to
    the point of bandwidth and processor consumption (that is, the bandwidth
    and processor time required to receive, process, and respond to invalid
    requests), which is why it's a good idea to integrate it with your
    firewalls and routers for maximum protection.

    This module instantiates for each listener individually and therefore has
    a built-in cleanup mechanism and scaling capabilities. Because of this
    per-child design, legitimate requests are never compromised (even from
    proxies and NAT addresses); only scripted attacks are. Even a user
    repeatedly clicking on 'reload' should not be affected unless they do it
    maliciously. mod_dosevasive is configured entirely through the Apache
    configuration file, and is easy to incorporate into your web server and
    easy to use.

    ADDITIONAL INFORMATION

    The tool can be downloaded from:
    <http://www.nuclearelephant.com/projects/dosevasive/>

    The information has been provided by Jonathan A. Zdziarski
    <jonathan@nuclearelephant.com>.
