?
Solved

Apache Denial of Service

Posted on 2012-04-01
6
Medium Priority
?
315 Views
Last Modified: 2012-06-05
So, we had a bot that was "scraping" content from us, images, videos etc. It was able to use up all available slots on apache therefor causing a DoS. Normally this is pretty simple to prevent using IPtables. The problem is our setup is more complex.


Load Balancer > Proxie > Front-End > Applications > - > Shared Assets


Our front ends do not see the "source ip" because the traffic gets sent from the load balance which then inputs a "x-forward-for" into the http header. Wondering what the best way of limiting connections via the x-forward-for are without adding much overhead, ie: mod_security
0
Comment
Question by:syscrash
  • 3
  • 3
6 Comments
 
LVL 81

Expert Comment

by:arnold
ID: 37793996
Why not limit it on the proxy?
I do not think you would be able to use redirect, conditional redirect referencing a http header that is being passed by the proxy.
Is the proxy setup as reverse?
0
 
LVL 1

Accepted Solution

by:
syscrash earned 0 total points
ID: 37794013
Yes, setup as reverse. The proxy in this case is actually not caching the "shared assets" but some day will be. So, the shared asset(front end) is the issue. It sees the source ip4 address only via the x-forward-for in the http header.
0
 
LVL 81

Expert Comment

by:arnold
ID: 37794030
The proxy presumably also has iptables and that is where you can and should block the source ip. Otherwise you have to go up the routing path to the firewall in front of the loadbalancer if any, or up to the router etc.
0
Managing Security & Risk at the Speed of Business

Gartner Research VP, Neil McDonald & AlgoSec CTO, Prof. Avishai Wool, discuss the business-driven approach to automated security policy management, its benefits and how to align security policy management with business processes to address today's security challenges.

 
LVL 1

Author Comment

by:syscrash
ID: 37794040
Well it would have to be done at the perimeter, which is one option. Any major side affects that anyone can think of? My thought is to limit tcp traffic to port 80 and 8080 something like 50 connections per ip or similar something high enough to not get false positives.
0
 
LVL 81

Expert Comment

by:arnold
ID: 37794135
Your apache config allows per Clint sequential requests? I.e. single connection retrieves multiple page/objects?

You could configure apache to proxy the tomcat such that access to port 8080 will not be necessary.
http://tomcat.apache.org/connectors-doc-archive/jk2/jk/workershowto.html
Depending on where you are you might limit proxy servers that are common in some countries/regions.
0
 
LVL 1

Author Closing Comment

by:syscrash
ID: 38048012
Used reverse proxy setup (squid) not as vulnerable to slowloris types of attacks.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The title says it all. Writing any type of PHP Application or API code that provides high throughput, while under a heavy load, seems to be an arcane art form (Black Magic). This article aims to provide some general guidelines for producing this typ…
Each password manager has its own problems in dealing with certain websites and their login methods. In Part 1, I review the Top 5 Password Managers that I've found to be the best. In Part 2 we'll look at which ones co-exist together and why it'…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.
This video Micro Tutorial shows how to password-protect PDF files with free software. Many software products can do this, such as Adobe Acrobat (but not Adobe Reader), Nuance PaperPort, and Nuance Power PDF, but they are not free products. This vide…
Suggested Courses

609 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question