From: Mike Meyer
Date: Tue, 26 Sep 2000 04:51:25 -0500 (CDT)
To: Matthew Emmerton
Cc: questions@freebsd.org
Subject: Re: tarpitting bad HTTP requests (WAS: RE: question)
Message-ID: <14800.29085.507370.889017@guru.mired.org>
In-Reply-To: <13067279@toto.iv>

Matthew Emmerton writes:
> [ crossposting to freebsd-net since this concerns TCP connection
> limiting ]
>
> On Mon, 25 Sep 2000, webmaster wrote:
> > Well, that's just it.
> > I'm thinking if I can slow down the attacks then have the
> > perl program write a redirect to the htaccess it will save
> > resources. In other words, I have a random mix of proxy
> > servers and script kiddies hitting this server.
> > All of them are on very fast connections and sometimes
> > will hit the server 30,000 times each before the software
> > can redirect them. If I can find a way to slow the attacks
> > the perl program can then execute and redirect without using
> > up all these resources or generating thousands of logs.
>
> There are really two issues to this problem:
> - how to detect people who are flooding the server
> - how to handle those who are.
>
> If there is some type of distinct pattern of URLs that originate from a
> single host, then that can be captured. However, I doubt this, so the only
> resort is to have some sort of threshold on the number of times a single
> client can connect to the server during a specific timeframe.
>
> Although this could be implemented in the web server, there are problems:

Well, thttpd (it's in the ports tree) implements URL-based throttling. If
that's the problem, it's probably worth a look.

> - the information on clients would have to be shared across all server
> instances, as people hammering the server will most likely have requests
> processed by all instances

I don't believe thttpd has this problem.

> Does anyone know of a way to control TCP flooding for servers that don't
> run from inetd and serve multiple client requests from one instance?

Use a server that only has one instance, and deals with multiple outstanding
requests via select/poll/kevent. That mechanism provides better performance
than multiple server instances anyway.
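Editor's added example, not code from this thread, from thttpd, or from any poster: a per-client request threshold of the kind Matthew describes ("N connections from one client within W seconds"), replayed over a constructed request log. It also shows the shared-state problem he raises: when a pre-forking server hands incoming connections round-robin to children that each keep their own counters, a flooder's requests are spread across the children and the threshold is never reached, whereas a single-instance server (the select/poll/kevent design Mike recommends) sees every request and catches it. The client addresses, timestamps and limits are made up for the demonstration.

```python
"""Per-client request-rate threshold with a sliding window, and a replay
that compares one shared limiter against N independent ones (one per
server child). Added example; the log below is constructed, not real."""

from collections import defaultdict, deque


class RateLimiter:
    """Allow at most `limit` requests per `window` seconds from one client."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        # client address -> timestamps of its requests still inside the window
        self._hits = defaultdict(deque)

    def allow(self, client, now):
        q = self._hits[client]
        # Forget requests that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False          # over threshold: reject / tarpit this one
        q.append(now)
        return True


def build_log():
    """Constructed request log: (timestamp_seconds, client_address).

    One flooder sends 100 requests in 10 s (10 req/s); one ordinary
    client sends 5 requests spread over the same period."""
    log = [(i * 0.1, "10.0.0.5") for i in range(100)]          # the flooder
    log += [(t, "192.0.2.10") for t in (0.5, 2.5, 4.5, 6.5, 8.5)]  # a normal user
    return log


def replay(log, limiter_factory, instances=1):
    """Feed the log through `instances` independent limiters, assigning
    requests round-robin the way a pre-forking server distributes accepted
    connections among its children. instances=1 models a single-process
    server (or children sharing one counter table). Returns the number of
    requests that exceeded the threshold."""
    limiters = [limiter_factory() for _ in range(instances)]
    rejected = 0
    for i, (ts, client) in enumerate(log):
        if not limiters[i % instances].allow(client, ts):
            rejected += 1
    return rejected


def compare(limit=20, window=10.0):
    """Rejections seen by a shared limiter vs. per-child limiters."""
    log = build_log()
    factory = lambda: RateLimiter(limit, window)
    return {n: replay(log, factory, instances=n) for n in (1, 4, 8)}


if __name__ == "__main__":
    for n, rejected in compare().items():
        print(f"{n} instance(s), threshold 20 req / 10 s: {rejected} requests rejected")
```

With a single shared counter the flooder is cut off after its 20th request (80 rejected, the ordinary client untouched); with four independent children each child sees only 25 of its requests (20 rejected in total); with eight, each child sees at most 13 and the flooder is never throttled at all. Any per-client limit in a multi-instance server therefore needs a shared table (shared memory, a small daemon, or a firewall-level rule), which is exactly the obstacle the thread points out.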