[SLL] apache DOS vulnerability and iptables
Andrew Sweger
andrew at sweger.net
Sun Jun 21 15:03:49 PDT 2009
On Sat, 20 Jun 2009, Brian Lane wrote:
> I've used this to block port 22 scan attempts before:
>
> # Drop connections if > 20 received in 60 seconds
> -A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW \
>    -m recent --set --name SSH
> -A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW \
>    -m recent --update --seconds 60 --hitcount 20 --rttl --name SSH -j DROP
I'm currently using a combination of:
-A INPUT -p tcp --dport 80 --syn -m connlimit --connlimit-above 50 -j REJECT
and setting apache's TimeOut to 15 seconds[1]. But I'm concerned that any
iptables solution could potentially cause problems for my business
customers sitting behind a NAT gateway when they pile on in the morning.
A better solution appears to be using a load balancer of some type. I've
heard Perlbal has been effective in coping with this "attack".
[1] - note the caveat at http://httpd.apache.org/docs/2.2/mod/core.html#timeout
--
Andrew B. Sweger -- The great thing about multitasking is that several
things can go wrong at once.
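As an added illustration of the NAT concern raised above (example code written for this archive page, not from the thread or from the netfilter project): a small Python model of how the connlimit match keys its count on the source address (optionally widened by the real --connlimit-mask option), so every client behind one NAT gateway counts against the same limit. All addresses and connection counts below are constructed.

```python
# Model of iptables' connlimit counting, written to show why a single NAT
# gateway can trip "--connlimit-above 50". Illustrative, not kernel code.
from collections import Counter
from ipaddress import IPv4Network


def prefix_of(src: str, mask_bits: int = 32) -> IPv4Network:
    """connlimit groups sources by --connlimit-mask; default /32 = exact IP."""
    return IPv4Network(f"{src}/{mask_bits}", strict=False)


def would_reject(active_sources, new_src: str, above: int = 50,
                 mask_bits: int = 32) -> bool:
    """Return True if a new SYN from new_src would match the connlimit rule.

    active_sources holds one source IP per connection already open to the
    protected port. The kernel counts the new connection too, so the rule
    "--connlimit-above N" fires once the total reaches N+1.
    """
    key = prefix_of(new_src, mask_bits)
    counts = Counter(prefix_of(s, mask_bits) for s in active_sources)
    return counts[key] + 1 > above


# Constructed morning-rush traffic: 60 workstations behind one NAT gateway
# all reach the web server as 203.0.113.10, alongside a few direct clients.
NAT_GATEWAY = "203.0.113.10"
MORNING_RUSH = [NAT_GATEWAY] * 60 + ["198.51.100.7", "198.51.100.8", "198.51.100.8"]


def nat_customer_blocked() -> bool:
    """The next workstation behind the NAT gateway is rejected."""
    return would_reject(MORNING_RUSH, NAT_GATEWAY)


def direct_customer_blocked() -> bool:
    """A direct client with two open connections is left alone."""
    return would_reject(MORNING_RUSH, "198.51.100.8")


def smallest_safe_limit(active_sources, mask_bits: int = 32) -> int:
    """Lowest --connlimit-above value that would not reject any current source."""
    counts = Counter(prefix_of(s, mask_bits) for s in active_sources)
    return max(counts.values())
```

Widening the mask (for example /24) only groups more clients together, so it cannot separate hosts that share a NAT address; the threshold itself has to allow for the largest legitimate gateway.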