Solved

Apache Denial of Service

Posted on 2012-04-01
6
259 Views
Last Modified: 2012-06-05
So, we had a bot that was "scraping" content from us, images, videos etc. It was able to use up all available slots on apache therefor causing a DoS. Normally this is pretty simple to prevent using IPtables. The problem is our setup is more complex.


Load Balancer > Proxie > Front-End > Applications > - > Shared Assets


Our front ends do not see the "source ip" because the traffic gets sent from the load balance which then inputs a "x-forward-for" into the http header. Wondering what the best way of limiting connections via the x-forward-for are without adding much overhead, ie: mod_security
0
Comment
Question by:syscrash
  • 3
  • 3
6 Comments
 
LVL 76

Expert Comment

by:arnold
Comment Utility
Why not limit it on the proxy?
I do not think you would be able to use redirect, conditional redirect referencing a http header that is being passed by the proxy.
Is the proxy setup as reverse?
0
 
LVL 1

Accepted Solution

by:
syscrash earned 0 total points
Comment Utility
Yes, setup as reverse. The proxy in this case is actually not caching the "shared assets" but some day will be. So, the shared asset(front end) is the issue. It sees the source ip4 address only via the x-forward-for in the http header.
0
 
LVL 76

Expert Comment

by:arnold
Comment Utility
The proxy presumably also has iptables and that is where you can and should block the source ip. Otherwise you have to go up the routing path to the firewall in front of the loadbalancer if any, or up to the router etc.
0
Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

 
LVL 1

Author Comment

by:syscrash
Comment Utility
Well it would have to be done at the perimeter, which is one option. Any major side affects that anyone can think of? My thought is to limit tcp traffic to port 80 and 8080 something like 50 connections per ip or similar something high enough to not get false positives.
0
 
LVL 76

Expert Comment

by:arnold
Comment Utility
Your apache config allows per Clint sequential requests? I.e. single connection retrieves multiple page/objects?

You could configure apache to proxy the tomcat such that access to port 8080 will not be necessary.
http://tomcat.apache.org/connectors-doc-archive/jk2/jk/workershowto.html
Depending on where you are you might limit proxy servers that are common in some countries/regions.
0
 
LVL 1

Author Closing Comment

by:syscrash
Comment Utility
Used reverse proxy setup (squid) not as vulnerable to slowloris types of attacks.
0

Featured Post

Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Join & Write a Comment

Phishing is at the top of most security top 10 efforts you should be pursuing in 2016 and beyond. If you don't have phishing incorporated into your Security Awareness Program yet, now is the time. Phishers, and the scams they use, are only going to …
This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now