From owner-freebsd-stable Tue Aug 22 9:54:11 2000
Delivered-To: freebsd-stable@freebsd.org
Received: from peak.mountin.net (peak.mountin.net [207.227.119.2]) by hub.freebsd.org (Postfix) with ESMTP id CEEE337B424; Tue, 22 Aug 2000 09:54:03 -0700 (PDT)
Received: (from daemon@localhost) by peak.mountin.net (8.9.1/8.9.1) id LAA04821; Tue, 22 Aug 2000 11:54:02 -0500 (CDT) (envelope-from jeff-ml@mountin.net)
Received: from dial-103.max1.wa.cyberlynk.net(207.227.118.103) by peak.mountin.net via smap (V1.3) id sma004819; Tue Aug 22 11:53:48 2000
Message-Id: <4.3.2.20000822113358.00b86ac0@207.227.119.2>
X-Sender: jeff-ml@207.227.119.2
X-Mailer: QUALCOMM Windows Eudora Version 4.3
Date: Tue, 22 Aug 2000 11:51:24 -0500
To: Kris Kennaway , Noor Dawod
From: "Jeffrey J. Mountin"
Subject: RE: DoS attacks and FreeBSD.
Cc: Domas Mituzas , freebsd-stable@FreeBSD.ORG
In-Reply-To:
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

At 01:58 AM 8/22/00 -0700, Kris Kennaway wrote:
>On Tue, 22 Aug 2000, Noor Dawod wrote:
>
> > Yes, it can, and I've already done just that. But then again, all other
> > legitimate visitors will be locked out...
>
>Depends how smart the rate-limiting is. If it's at the application level
>you know the connection (probably) isn't spoofed, which means you can
>rate-limit per IP.

In "Apache Modules with Perl and C" there is an example. It goes a bit further than IP by concatenating the IP with the user agent, which won't work if all the users behind a firewall/proxy have the exact same agent name, but then some hackery could be done for an exemption list. There are several variations or combinations that could be used.

However, the example used might be better written in C for busy sites, which also avoids the memory overhead of using Perl.

There is still the problem of making a connection and sitting idle to tie up a process. The timeout could be reduced, but there might be problems for those with slow connections.

Suffice to say there are always compromises, but with little work one can block most malicious spiders, etc. with a combination of access controls.

Jeff Mountin - jeff@mountin.net
Systems/Network Administrator
FreeBSD - the power to serve
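
The per-client limiting discussed in the message above, as an added example that is not part of the original post and not the book's code: requests are counted per (IP, user agent) key in a fixed time window, and addresses on an exemption list (shared proxies) bypass the count. The function name, table size, window, limit and sample addresses are all assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define SLOTS  1024  /* table size (assumed) */
#define WINDOW 60    /* seconds per counting window (assumed) */
#define LIMIT  3     /* requests allowed per window (assumed, low for the demo) */

struct slot { char key[256]; time_t start; unsigned hits; };
static struct slot table[SLOTS];

/* Constructed exemption list: proxies whose users all send the same agent. */
static const char *exempt[] = { "192.0.2.10", NULL };

static unsigned long djb2(const char *s) {
    unsigned long h = 5381;
    while (*s) h = h * 33 + (unsigned char)*s++;
    return h;
}

/* Returns 1 if the request may proceed, 0 if it should be refused. */
int allow_request(const char *ip, const char *agent, time_t now) {
    for (int i = 0; exempt[i]; i++)
        if (strcmp(ip, exempt[i]) == 0) return 1;

    /* Key is the IP concatenated with the user agent (truncated if long). */
    char key[256];
    snprintf(key, sizeof key, "%s|%s", ip, agent ? agent : "");
    struct slot *s = &table[djb2(key) % SLOTS];

    /* New client, expired window, or hash collision: start a fresh count.
       A collision evicts the older entry, so counts are approximate. */
    if (strcmp(s->key, key) != 0 || now - s->start >= WINDOW) {
        strcpy(s->key, key);
        s->start = now;
        s->hits = 0;
    }
    return ++s->hits <= LIMIT;
}

int main(void) {
    const char *ua = "Mozilla/4.0";  /* constructed sample values */
    for (int i = 0; i < 5; i++)
        printf("req %d -> %d\n", i + 1, allow_request("203.0.113.5", ua, 1000));
    printf("next window -> %d\n", allow_request("203.0.113.5", ua, 1000 + WINDOW));
    return 0;
}
```

This only counts completed requests; it does nothing about the idle-connection problem the message raises, which is a matter of server timeouts.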