Apache DoS Module Patch (WAS RE: DOS ATTACK)
From: Jonathan A. Zdziarski (jonathan@networkdweebs.com)
Date: 10/29/02
- Previous message: Jose Nazario: "RE: DOS ATTACK"
- In reply to: Hugo van der Kooij: "Re: DOS ATTACK"
- Next in thread: Jonathan A. Zdziarski: "RE: Apache DoS Module Patch (WAS RE: DOS ATTACK)"
- Next in thread: Muhammad Faisal Rauf Danka: "RE: DOS ATTACK"
- Reply: Jonathan A. Zdziarski: "RE: Apache DoS Module Patch (WAS RE: DOS ATTACK)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Jonathan A. Zdziarski" <jonathan@networkdweebs.com> To: "'Hunt, Jim'" <Jim.Hunt@nwsc.k12.in.us> Date: Mon, 28 Oct 2002 23:41:30 -0500
Attached is my first attempt to see how difficult it would be to write
an anti-DoS patch for Apache (I did a few searches and didn't see one
that already existed). The enclosed files modify mod_access.c (Apache
1.3.26) so that each listener keeps an internal table of IP addresses
and URLs requested; no listener should service more than 1 or 2 requests
for the same page by the same IP address without spitting out a 403. It
doesn't seem to use much memory at all, but I suspect on heavily loaded
systems it may use more.
After some testing, it was apparent this didn't seem to interfere with
valid user traffic at all (even if the user refreshed quickly), but was
very successful at beating down a script attack.
Since this works on a per-listener basis, it automatically purges itself
when the listener recycles. Each listener keeps its own record, so
while it may not reject the first 10 or 20 requests, in the event of a
real DoS (e.g. several hundred requests), it appears to work quite well.
Anyway, I'd be interested in any feedback about this; if it's useful and
there's not something like it already, I'd be glad to write it into a
"real" Apache module rather than hacking mod_access up.
Instructions:
Configure first...then extract into src/modules/standard. This will
replace mod_access.c and extract npt.h, npt.c, and Makefile.patch. The
npt files are some basic dynamic hash array functions and the
Makefile.patch should be applied to add npt.o to the OBJS in the
Makefile.
If you have a heavily loaded web server, you may consider increasing the
hash table size (search for 'npt_create' in mod_access.c)
Let me know if this is useful to anyone.
- application/x-gzip attachment: dospatch.tar.gz
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
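The per-listener (IP address, URL) request-count table that the post describes, written out as an added example. This is not the attached dospatch.tar.gz, the npt.* files or any Apache code; the table size, the repeat threshold of 2, the djb2-style hash and every function name here are assumptions made for illustration. Because the table lives in one process and is only freed when that process exits, it behaves like the post says: counts are never aged, so a flood against one page is cut off after the threshold while a different client or a different page starts from zero.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example: per-process table of (client IP, URL) request counts in the
 * spirit of the mod_access hack described in the post. Not the author's code;
 * TABLE_SIZE, MAX_REPEATS and all names below are assumptions. */

#define TABLE_SIZE 1024   /* assumed; the post suggests raising it on busy servers */
#define MAX_REPEATS 2     /* post allows "1 or 2" requests before sending a 403 */
#define HTTP_OK 200
#define HTTP_FORBIDDEN 403

typedef struct entry {
    char *ip;
    char *url;
    unsigned count;
    struct entry *next;   /* separate chaining within a bucket */
} entry_t;

typedef struct {
    entry_t *buckets[TABLE_SIZE];
} reqtable_t;

/* djb2 over both keys, so the same IP on different pages lands in different entries. */
static unsigned hash_key(const char *ip, const char *url) {
    unsigned h = 5381;
    for (const char *p = ip; *p; p++) h = h * 33 + (unsigned char)*p;
    h = h * 33 + '|';
    for (const char *p = url; *p; p++) h = h * 33 + (unsigned char)*p;
    return h % TABLE_SIZE;
}

/* Portable strdup replacement so the file builds under strict -std=c99. */
static char *dup_str(const char *s) {
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d) memcpy(d, s, n);
    return d;
}

reqtable_t *reqtable_create(void) {
    return calloc(1, sizeof(reqtable_t));
}

/* Called when the listener recycles; freeing the table is the only purge this design has. */
void reqtable_destroy(reqtable_t *t) {
    for (size_t i = 0; i < TABLE_SIZE; i++) {
        entry_t *e = t->buckets[i];
        while (e) { entry_t *n = e->next; free(e->ip); free(e->url); free(e); e = n; }
    }
    free(t);
}

/* Records one request and returns the status the handler should send. */
int reqtable_check(reqtable_t *t, const char *ip, const char *url) {
    unsigned idx = hash_key(ip, url);
    entry_t *e;
    for (e = t->buckets[idx]; e; e = e->next)
        if (strcmp(e->ip, ip) == 0 && strcmp(e->url, url) == 0) break;
    if (!e) {
        e = calloc(1, sizeof(*e));
        if (!e) return HTTP_OK;   /* fail open: memory pressure must not turn into a self-inflicted outage */
        e->ip = dup_str(ip);
        e->url = dup_str(url);
        e->next = t->buckets[idx];
        t->buckets[idx] = e;
    }
    e->count++;
    return e->count > MAX_REPEATS ? HTTP_FORBIDDEN : HTTP_OK;
}

/* Runs n requests for one (ip, url) pair against a fresh table and returns how many got a 403. */
unsigned run_scenario(const char *ip, const char *url, unsigned n) {
    reqtable_t *t = reqtable_create();
    unsigned denied = 0;
    for (unsigned i = 0; i < n; i++)
        if (reqtable_check(t, ip, url) == HTTP_FORBIDDEN) denied++;
    reqtable_destroy(t);
    return denied;
}

int main(void) {
    /* Constructed sample traffic: a user refreshing twice, then a script hammering one page. */
    printf("user refreshing twice: %u of 2 denied\n", run_scenario("192.0.2.10", "/index.html", 2));
    printf("script: %u of 300 denied\n", run_scenario("192.0.2.99", "/index.html", 300));
    return 0;
}
```

The weak point a practitioner should keep in view is the one the post itself hints at: counts are per process and never decay, so a legitimate client behind a shared NAT address that hits the same page often enough within one listener's lifetime gets the same 403 as a script, and the first few requests of a flood are served before any child's counter trips. Logging the 403s with the IP and URL keys is what lets you tell the two apart after the fact.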