Date: Mon, 9 Sep 2002 20:08:54 +0100
From: Matthew Seaman
To: Kim Scarborough
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Content-based web filtering?
Message-ID: <20020909190854.GA12956@happy-idiot-talk.infracaninophi>
References: <029901c25827$ac4977e0$23638780@uchicago.edu>
In-Reply-To: <029901c25827$ac4977e0$23638780@uchicago.edu>
User-Agent: Mutt/1.5.1i

On Mon, Sep 09, 2002 at 12:38:13PM -0500, Kim Scarborough wrote:
> In the past, I've blocked the DOS attacks by simply IPFW-ing out the
> offending host, but with this attack there are hundreds of
> hosts. What is constant, however, are the user agent and file
> request strings; they are always the same. So if there was some way
> to filter based on that, I'd be safe (at least for now). But IPFW
> can't do that, right? So I'd need to either find a firewall that
> will, or maybe put a small proxy server to intercept these requests
> and let everything else through to Apache.

Take a look at http://httpd.apache.org/docs/misc/rewriteguide.html,
particularly the section on "Access Restriction". You should be able
to use mod_rewrite to drop the denial-of-service stuff in pretty short
order. This isn't an ideal solution, since your server still has to
deal with the malicious requests, but it should significantly increase
the rate at which it can do that.

> Does anybody have any thoughts on how to deal with this? If you
> think one of the two solutions above is the way to go, any software
> recommendations? Does anyone have another idea altogether? I'm kinda
> stumped here, and the way I'm dealing with it at the moment is to
> shut down the targeted site, which of course is unacceptable.

A better solution is to use a reverse proxy between your webserver(s)
and the net. The proxy should be configured to drop the offending
requests and pass on legitimate requests to the regular server. The
problem with this is that you just tend to make the proxy server into
the target for DoS. You can use apache to do the reverse proxy job,
but you're probably better off using something like squid, which is
expressly designed for the task of web proxying.

Probably the best strategy is to use a Network Intrusion Detection
System --- snort (http://www.snort.org/) is a good example. These
links have some apposite details:

    http://www.snort.org/docs/FreeBSD46RELEASE-Snort-MySQLVer1-2.pdf
    http://www.snort.org/docs/idspaper/

Snort is ideal for detecting and monitoring DoS attempts --- you're
probably going to have to write some custom rules to pick out the
traffic from your particular tormentor --- but the trick here is to
integrate it with some sort of countermeasure like automatically
adding firewall rules to block traffic from offending sites.

	Cheers

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
                                                      Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
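The last suggestion above (spot the constant User-Agent and request line, then feed the offending addresses into ipfw automatically) can be prototyped without snort by reading Apache's own access log. The script below is an added example written for this archive page; it is not code from the thread, from Apache or from the snort project. The attacker's User-Agent and request line, the hit threshold and the ipfw rule-number range are all assumptions chosen for illustration, and the log lines are constructed, not real traffic. The rules are printed rather than executed so they can be reviewed (or piped to sh) by the administrator.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list message.
# Reads Apache combined-log lines, counts clients whose requests carry
# the attack's constant User-Agent AND request line, and emits ipfw
# deny rules for every client above a threshold.

# Assumed attack fingerprint and tunables (substitute the real ones).
BAD_UA='Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)'  # assumed UA
BAD_REQ='GET /victim/index.html HTTP/1.0'                # assumed request line
THRESHOLD=3        # matching hits from one client before it is blocked
RULE_BASE=10000    # ipfw rule numbers reserved for automatic blocks

# Constructed sample log (combined format), not captured traffic.
# 192.0.2.10 and 192.0.2.11 exceed the threshold; 192.0.2.12 does not;
# the two 198.51.100.x clients match only one of the two strings.
SAMPLE_LOG=$(cat <<'EOF'
192.0.2.10 - - [09/Sep/2002:12:38:13 -0500] "GET /victim/index.html HTTP/1.0" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
192.0.2.11 - - [09/Sep/2002:12:38:13 -0500] "GET /victim/index.html HTTP/1.0" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
198.51.100.5 - - [09/Sep/2002:12:38:14 -0500] "GET /victim/index.html HTTP/1.0" 200 5120 "-" "Lynx/2.8.4rel.1 libwww-FM/2.14"
192.0.2.10 - - [09/Sep/2002:12:38:14 -0500] "GET /victim/index.html HTTP/1.0" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
192.0.2.12 - - [09/Sep/2002:12:38:14 -0500] "GET /victim/index.html HTTP/1.0" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
192.0.2.11 - - [09/Sep/2002:12:38:15 -0500] "GET /victim/index.html HTTP/1.0" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
198.51.100.6 - - [09/Sep/2002:12:38:15 -0500] "GET /other.html HTTP/1.0" 200 840 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
192.0.2.11 - - [09/Sep/2002:12:38:15 -0500] "GET /victim/index.html HTTP/1.0" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
192.0.2.10 - - [09/Sep/2002:12:38:16 -0500] "GET /victim/index.html HTTP/1.0" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
192.0.2.12 - - [09/Sep/2002:12:38:16 -0500] "GET /victim/index.html HTTP/1.0" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
192.0.2.11 - - [09/Sep/2002:12:38:16 -0500] "GET /victim/index.html HTTP/1.0" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
EOF
)

# offending_ips: read log lines on stdin, print "count ip" (sorted by ip)
# for clients matching both strings at least THRESHOLD times.
offending_ips() {
    awk -v ua="$BAD_UA" -v req="$BAD_REQ" -v th="$THRESHOLD" '
        {
            # Split on double quotes: q[2] is the request line,
            # q[6] the User-Agent; $1 is the client address.
            split($0, q, "\"")
            if (q[2] == req && q[6] == ua) hits[$1]++
        }
        END { for (ip in hits) if (hits[ip] >= th) print hits[ip], ip }
    ' | sort -k2
}

# ipfw_rules: turn offending_ips output into numbered ipfw deny rules,
# one per client, starting at RULE_BASE.  Printed, not executed.
ipfw_rules() {
    rule=$RULE_BASE
    while read -r count ip; do
        echo "ipfw add $rule deny tcp from $ip to any 80 in"
        rule=$((rule + 1))
    done
}

# Stand-alone demo on the constructed sample; for a live log, replace
# the printf with "tail -F /var/log/httpd-access.log" or similar.
printf '%s\n' "$SAMPLE_LOG" | offending_ips | ipfw_rules
```

The same two strings map directly onto mod_rewrite's `RewriteCond %{HTTP_USER_AGENT}` and `%{REQUEST_URI}` conditions if the in-Apache approach from the first paragraph is preferred; the difference is that this script stops the packets at ipfw before httpd spends a process on them, at the cost of reacting only after THRESHOLD requests have already been served. Rules numbered from RULE_BASE can be flushed together with `ipfw delete` once the attack subsides.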