Monday, May 18, 2009

Rate Limiting and DOS protection in Mod-Security


Using Mod-Security we can deploy some Rate Limiting and DOS (denial of service) protection for Apache.

You'll use 2 scripts, one called httpd-guardian, which will use the second script, called blacklist, which will then use either iptables or the OpenBSD Packet Filter (pf) to deny IPs.

You can get both scripts here: http://apache-tools.cvs.sourceforge.net/apache-tools/.

As per the website, "..By default httpd-guardian will defend against clients that send more than 120 requests in a minute, or more than 360 requests in five minutes."

Setting this up was relatively easy. After installing Mod-Security and getting it running, we'll configure as shown below:


Fist, I downloaded httpd-guardian into /etc/apache2/httpd-guardian.

Next, I added this line:

SecGuardianLog "|/etc/apache2/httpd-guardian"

to /etc/apache2/apache2.conf.

I edited httpd-guardian and followed the directions, basically just uncommenting and setting these lines, the first to call the blacklist script:

my $PROTECT_EXEC = "/sbin/blacklist block %s 3600";

and the second lowered the maximum number of requests that one IP address can issue in a one minute window:

my $THRESHOLD_1MIN = 1; # 60 requests in a minute

Note: there is a 5 min threshold as well, but I left that default:
my $THRESHOLD_5MIN = 1; # 360 requests in 5 minutes

I also then downloaded the blacklist script into /sbin/blacklist and since I am using ipchains, I made sure this line was set in the httpd-guardian script:

my $FWCMD = "iptables";

I did as requested by the great instructions in the file itself and created a new RULE set:

iptables -N BLACKLIST
iptables -A INPUT -p tcp --dport 80 -j BLACKLIST

To make sure apache agreed with my setup, I issued the "apache2ctl graceful" command.

Then for testing, I hit the site with a bunch of requests:

#while [ 1 ]; do wget 'http://my-site.com';done

I confirmed 60+ hits (IP was changed to protect the innocent) were established in minute 2009:14:21 in my web server logs:

# grep '1.2.3.4' /var/log/apache2/access.log | grep '17/May/2009:14:21' | wc -l
140

And the next minute later I saw this in syslog:

May 17 14:22:13 blacklist[18464]: Blocking 1.2.3.4/32 for 3600 seconds

I couldn't connect or do a thing from my IP with my browser to my web server - it worked!

5 comments:

voshka said...

Hi
I want to know a bit more info about this ddos protection
wont it have any affect on shared ip address that so many users have connection from that

please contact me

Thanks

voshka said...
This comment has been removed by the author.
ThePlayer said...

It is definitely possible if you were to block an IP address for it have some potential unintended consequences, such as if an attacker has spoofed an IP address, or if one user behaving badly behind a NAT device would thereby cause a denial of service for another well behaving user.

You'll need to make a decision upon whether this would apply well for your situation.

Best,
John

voshka said...

I tried gaurdian but it didn't work for me
i dont know where I mistake
also having shell scripts to block those high connections of ip address has false positive result
also my main concern is how to block bot net denial of service attack

Thanks

voshka said...
This comment has been removed by the author.