Date: Thu, 2 Jun 2016 02:20:48 +1000 (EST) From: Ian Smith <smithi@nimnet.asn.au> To: Will Squire <will_squire@hotmail.co.uk> Cc: freebsd-questions@freebsd.org Subject: Re: Can ipfw be used to limit concurrent requests from an IP? Message-ID: <20160601234946.C15883@sola.nimnet.asn.au> In-Reply-To: <BLU436-SMTP56BAE61D59C2AEC514B937DA460@phx.gbl> References: <mailman.97.1464436802.9180.freebsd-questions@freebsd.org> <20160528232515.Y15883@sola.nimnet.asn.au> <BLU436-SMTP56BAE61D59C2AEC514B937DA460@phx.gbl>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, 31 May 2016 19:28:59 +0100, Will Squire wrote: > > On 28 May 2016, at 15:27, Ian Smith <smithi@nimnet.asn.au> wrote: [..] > >> Can ipfw limit the number requests in a given amount of time from a > >> specific IP? > >> > >> To contextualise, if an IP sends requests in high concurrency (let's > >> say 50 a second) can ipfw either block requests the exceed a > >> threshold for that second (lets say the threshold is 20, 30 would be > >> blocked), or ban/deny the given IP for exceeding a threshold? > > you can use stateful rules with 'limit' instead of 'keep-state' to limit > Thanks for the reply Ian. I don˙˙t think limit would work due to HTTP˙˙s > ˙˙keep-alive˙˙ feature. I believe this means a connection would be kept open > (counting as one connection) and still open to heavy polling by the client. That's probably right, and your desire to define connection rate limits rates should have steered me away from suggesting 'limit'. inetd.conf is careful not to mention http, so that was a dumb sugdestion too :( > >> The aim is to lessen strain under DoS attacks, specifically for HTTP. > >> The system is using Apache and mod_evasive has been added and tested, > >> but it is not functioning correctly. >From what I've just dug up on a quick hunt, I think that's what you should get working. It looks very useful if it works as advertised. Running a command, more likely script, that invokes ipfw to add notified addresses (with a timestamp, possibly set to some future time ($now + $interval)?) to an ipfw table is easy; I have several scripts that deal with this. A cron script to periodically find and delete the expired entries is also straightforward. However ipfw must be run as root, so you'll need some signalling so a script run by www-user (ono) can inform a root shell process to run ipfw commands and return status to your script. Good fun .. with some care. > > I haven't used (nor heard of) mod_evasive so can't comment on that, but > > limiting the total number of connections open to a given service can > > certainly mitigate the effect of such DoS attacks. > > Again, I think keep-alive might cause issues here (but please do correct me if > wrong). Limiting connection to the HTTP service might also worsen the DoS to > users. Yes, I believe you're right. Even with the webserver returning 403s, it's still an access.log DoS .. so the firewall is the tool to block those deemed baddies, and mod_evasive looks like a good tool for the deeming job .. just some hits searching 'mod_evasive apache freebsd': https://project.altservice.com/issues/562 https://www.unixmen.com/protecting-apache-server-denial-service-dos-attack/ https://www.digitalocean.com/community/tutorials/how-to-protect-against-dos-and-ddos-with-mod_evasive-for-apache-on-centos-7 and of course https://www.freshports.org/www/mod_evasive/ [.. chomping tcpwrappers stuff ..] > I˙˙m not familiar with using TCPwrappers, Have seen another recommend > SSHGuard though (which I am using already). Can I do something similar > with that, or does/should it do this (add to ban table) automatically? Unsure > if SSHGuard needs any additional rules written for Apache. I haven't used SSHGuard. Perhaps if you share your mod_evasive config and a problem description, someone here may be able to help? If so, I can offer ipfw script ideas. cheers, Ian
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20160601234946.C15883>