Date: Tue, 22 Aug 2000 11:51:24 -0500
From: "Jeffrey J. Mountin" <jeff-ml@mountin.net>
To: Kris Kennaway <kris@FreeBSD.ORG>, Noor Dawod <noor@comrax.com>
Cc: Domas Mituzas <midom@dammit.lt>, freebsd-stable@FreeBSD.ORG
Subject: RE: DoS attacks and FreeBSD.
Message-ID: <4.3.2.20000822113358.00b86ac0@207.227.119.2>
In-Reply-To: <Pine.BSF.4.21.0008220156510.92211-100000@freefall.freebsd.org>
References: <PHEBIOJOBJJLIIJCOINKEEFACHAA.noor@comrax.com>
At 01:58 AM 8/22/00 -0700, Kris Kennaway wrote:
>On Tue, 22 Aug 2000, Noor Dawod wrote:
>
> > Yes, it can, and I've already done just that. But then again, all other
> > legitimate visitors will be locked out...
>
>Depends how smart the rate-limiting is. If it's at the application level
>you know the connection (probably) isn't spoofed, which means you can
>rate-limit per IP.

In "Apache Modules with Perl and C" there is an example. It goes a bit further than IP by concatenating the IP with the user agent, which won't work if all the users behind a firewall/proxy have the exact same agent name, but then some hackery could be done for an exemption list. There are several variations or combinations that could be used.

However, the example used might be better written in C for busy sites, which also avoids the memory overhead of using Perl.

There is still the problem of making a connection and sitting idle to tie up a process. The timeout could be reduced, but there might be problems for those with slow connections.

Suffice to say there are always compromises, but with little work one can block most malicious spiders, etc. with a combination of access controls.

Jeff Mountin - jeff@mountin.net
Systems/Network Administrator
FreeBSD - the power to serve
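As an added illustration of the application-level limiting discussed in this thread (per IP, or IP concatenated with the User-Agent, plus an exemption list for shared proxies), here is a small sliding-window limiter in Python. It is not code from the thread or from the book Jeff cites; the addresses, agent strings and limits are constructed for the demonstration.

```python
from collections import deque

class RateLimiter:
    """Sliding-window limiter keyed on IP + User-Agent (constructed example)."""

    def __init__(self, max_requests, window_seconds, exempt_ips=()):
        self.max_requests = max_requests
        self.window = window_seconds
        self.exempt = set(exempt_ips)      # proxies/firewalls we never throttle
        self.history = {}                  # key -> deque of request timestamps

    @staticmethod
    def key_for(ip, user_agent):
        # IP alone punishes everyone behind one NAT/proxy; adding the agent
        # string separates clients that share an address but run different software.
        return f"{ip}|{user_agent}"

    def allow(self, ip, user_agent, now):
        """Return True if the request is within the limit, False if throttled."""
        if ip in self.exempt:
            return True
        q = self.history.setdefault(self.key_for(ip, user_agent), deque())
        cutoff = now - self.window
        while q and q[0] <= cutoff:          # drop requests outside the window
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True

# Constructed request log: (timestamp, client IP, User-Agent). Not real traffic.
SAMPLE_REQUESTS = [
    (0.0, "203.0.113.5", "BadBot/1.0"),
    (0.5, "203.0.113.5", "BadBot/1.0"),
    (1.0, "203.0.113.5", "BadBot/1.0"),
    (1.5, "203.0.113.5", "BadBot/1.0"),    # 4th hit inside the window: throttled
    (1.6, "203.0.113.5", "Mozilla/4.0"),   # same IP, different agent: own bucket
    (2.0, "198.51.100.7", "BadBot/1.0"),   # exempt proxy address: always allowed
    (11.0, "203.0.113.5", "BadBot/1.0"),   # early hits have expired: allowed again
]

def simulate(requests, max_requests=3, window_seconds=10.0, exempt_ips=("198.51.100.7",)):
    """Run the log through a fresh limiter and return the allow/deny decision per request."""
    limiter = RateLimiter(max_requests, window_seconds, exempt_ips)
    return [limiter.allow(ip, ua, t) for t, ip, ua in requests]

if __name__ == "__main__":
    for req, ok in zip(SAMPLE_REQUESTS, simulate(SAMPLE_REQUESTS)):
        print(req, "allowed" if ok else "THROTTLED")
```

Kris's point about spoofing still applies: this is only sound where the connection has completed the handshake, so the address is the one actually talking to the server.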