[OT] connection limitation
on 28.05.2008 18:54:31 by Sean Davis
This is decidedly off-topic....
We run a pretty small website (multi-use) on Apache (2.2) and mod_perl
(along with some php, cgi, and static content). Unfortunately, our
organization has recently decided to institute the policy of scanning
the site on a regular basis for security reasons. The scan software
crawls all links and URLs on the site, hitting each one with multiple
forms of attack. In some parts of the world, this is called a
denial-of-service attack, but here it is called a security scan. I
have no control over the scan parameters, so I am looking for a
meaningful way of limiting the number of connections (not really
bandwidth, since we host VERY large static files) from a single IP.
Any suggestions?
Thanks,
Sean
Re: [OT] connection limitation
on 28.05.2008 19:19:43 by Fred Moyer
Sean Davis wrote:
> This is decidedly off-topic....
>
> We run a pretty small website (multi-use) on Apache (2.2) and mod_perl
> (along with some php, cgi, and static content). Unfortunately, our
> organization has recently decided to institute the policy of scanning
> the site on a regular basis for security reasons. The scan software
> crawls all links and URLs on the site, hitting each one with multiple
> forms of attack. In some parts of the world, this is called a
> denial-of-service attack, but here it is called a security scan. I
> have no control over the scan parameters, so I am looking for a
> meaningful way of limiting the number of connections (not really
> bandwidth, since we host VERY large static files) from a single IP.
> Any suggestions?
You could do this with mod_perl by using something like
Apache::Scoreboard - http://search.cpan.org/dist/Apache-Scoreboard
Check to see if the number of server side children are maxed out for a
given ip, and return a 503 if that is the case.
But if you are running Linux an alternative way to do this might be with
iptables and the iplimit module - http://linuxgazette.net/108/odonovan.html
HTH
>
> Thanks,
> Sean
--
Red Hot Penguin Consulting LLC
mod_perl/PostgreSQL consulting and implementation
http://www.redhotpenguin.com/
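Fred's suggestion above, worked through as an added example (this is not Fred's code and not part of the Apache::Scoreboard distribution): a mod_perl 2 access handler that walks the scoreboard, counts the busy children currently tied to the requesting IP, and answers 503 once that count passes a threshold. It assumes a prefork MPM on Apache 2.2 (`remote_ip`), the Apache::Scoreboard 2.x object API (`image`, `parent_score`, `next`, `worker_score`, `client`, `status`) and a hypothetical tunable `MAX_PER_IP`; the package name `My::PerIPLimit` is also made up for the example.

```perl
package My::PerIPLimit;
# Added example (not from the original post): limit the number of busy
# Apache children a single client IP may hold at once, by inspecting the
# scoreboard from a mod_perl access handler.
# Assumptions: Apache 2.2 prefork, mod_perl 2, Apache::Scoreboard 2.x.
use strict;
use warnings;
use Apache2::RequestRec ();
use Apache2::Connection ();
use Apache2::Log ();
use APR::Table ();
use Apache::Scoreboard ();
use Apache2::Const -compile => qw(DECLINED HTTP_SERVICE_UNAVAILABLE);

# Hypothetical tunable: maximum simultaneous busy children per client IP.
use constant MAX_PER_IP => 8;

# Count the children whose slot is in a client-bound state and whose
# recorded client address equals $ip. 'R' = reading request,
# 'W' = sending reply, 'K' = keepalive; other states ('_', '.', 'C', ...)
# are not tied to a client and are ignored.
sub busy_children_for {
    my ($image, $ip) = @_;
    my $count = 0;
    for (my $parent = $image->parent_score; $parent; $parent = $parent->next) {
        my $worker = $parent->worker_score or next;
        my $status = $worker->status;
        next unless defined $status && $status =~ /^[RWK]$/;
        my $client = $worker->client;
        $count++ if defined $client && $client eq $ip;
    }
    return $count;
}

# PerlAccessHandler entry point (httpd.conf, assumed):
#   PerlLoadModule My::PerIPLimit
#   PerlAccessHandler My::PerIPLimit
sub handler {
    my $r  = shift;
    my $ip = $r->connection->remote_ip;   # Apache 2.2 API; 2.4 renamed it
    my $image = Apache::Scoreboard->image($r->pool);

    # The slot serving this request is already marked busy, so the count
    # includes the current request itself.
    my $busy = busy_children_for($image, $ip);
    if ($busy > MAX_PER_IP) {
        $r->log_error("per-IP limit: $ip holds $busy busy children, returning 503");
        # Retry-After is advisory; a well-behaved client backs off.
        $r->err_headers_out->set('Retry-After' => '30');
        return Apache2::Const::HTTP_SERVICE_UNAVAILABLE;
    }
    return Apache2::Const::DECLINED;
}

1;
```

Two caveats worth keeping in mind with this approach: the handler only runs once Apache has already accepted the connection and assigned a child to it, so it protects the expensive part (mod_perl, php and cgi handlers, and the long sends of large static files) but not the accept queue or `MaxClients` ceiling itself; and the scoreboard snapshot is per-process, so two children reading it concurrently can both admit a request that pushes the IP slightly past the threshold. For a scanner that opens many connections in parallel that small overshoot is harmless; the point is to stop it from monopolising all children.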
Re: [OT] connection limitation
on 28.05.2008 19:32:48 by Sean Davis
On Wed, May 28, 2008 at 1:19 PM, Fred Moyer wrote:
> Sean Davis wrote:
>>
>> This is decidedly off-topic....
>>
>> We run a pretty small website (multi-use) on Apache (2.2) and mod_perl
>> (along with some php, cgi, and static content). Unfortunately, our
>> organization has recently decided to institute the policy of scanning
>> the site on a regular basis for security reasons. The scan software
>> crawls all links and URLs on the site, hitting each one with multiple
>> forms of attack. In some parts of the world, this is called a
>> denial-of-service attack, but here it is called a security scan. I
>> have no control over the scan parameters, so I am looking for a
>> meaningful way of limiting the number of connections (not really
>> bandwidth, since we host VERY large static files) from a single IP.
>> Any suggestions?
>
> You could do this with mod_perl by using something like Apache::Scoreboard -
> http://search.cpan.org/dist/Apache-Scoreboard
>
> Check to see if the number of server side children are maxed out for a given
> ip, and return a 503 if that is the case.
This sounds like a viable option, yes. It also allows lots of flexibility....
> But if you are running Linux an alternative way to do this might be with
> iptables and the iplimit module - http://linuxgazette.net/108/odonovan.html
I'm on macos, currently.
Thanks.
Re: [OT] connection limitation
on 28.05.2008 19:51:06 by Perrin Harkins
On Wed, May 28, 2008 at 12:54 PM, Sean Davis wrote:
> I am looking for a
> meaningful way of limiting the number of connections (not really
> bandwidth, since we host VERY large static files) from a single IP.
> Any suggestions?
If you search for "bandwidth" on this page, it will show you many options:
http://modules.apache.org/search.php
I know you want to limit by connections rather than bandwidth, but
many of these modules will do either.
- Perrin
Re: [OT] connection limitation
on 28.05.2008 20:04:53 by David Nicol
On Wed, May 28, 2008 at 12:51 PM, Perrin Harkins wrote:
> On Wed, May 28, 2008 at 12:54 PM, Sean Davis wrote:
>> I am looking for a
>> meaningful way of limiting the number of connections (not really
>> bandwidth, since we host VERY large static files) from a single IP.
>> Any suggestions?
http://www.google.com/search?q=iptables+connection+limiting
--
"do it first and allow the implications of what has been done to
settle in." -- Moglen on practical revolution
Re: [OT] connection limitation
on 28.05.2008 21:09:48 by Sean Davis
On Wed, May 28, 2008 at 1:50 PM, wrote:
>
> I found this when I ran into a similar situation although I have not yet
> had a chance to try it:
>
> http://bwmod.sourceforge.net/files/mod_bw-0.7.txt
>
> Looks like you can set max connections but not by ip.
Just to finalize, I ended up using:
http://www.ivn.cl/apache#bandwidth
This allows setting connection and bandwidth limits based on IP or
across a site. Worked like a charm (webserver load down from 20 to
2).
Sean
> "Sean Davis"
>
> 2008/05/28 11:34
>
> To
> "Fred Moyer"
> cc
> modperl
> Subject
> Re: [OT] connection limitation
>
>
>
> On Wed, May 28, 2008 at 1:19 PM, Fred Moyer wrote:
>> Sean Davis wrote:
>>>
>>> This is decidedly off-topic....
>>>
>>> We run a pretty small website (multi-use) on Apache (2.2) and mod_perl
>>> (along with some php, cgi, and static content). Unfortunately, our
>>> organization has recently decided to institute the policy of scanning
>>> the site on a regular basis for security reasons. The scan software
>>> crawls all links and URLs on the site, hitting each one with multiple
>>> forms of attack. In some parts of the world, this is called a
>>> denial-of-service attack, but here it is called a security scan. I
>>> have no control over the scan parameters, so I am looking for a
>>> meaningful way of limiting the number of connections (not really
>>> bandwidth, since we host VERY large static files) from a single IP.
>>> Any suggestions?
>>
>> You could do this with mod_perl by using something like Apache::Scoreboard
>> -
>> http://search.cpan.org/dist/Apache-Scoreboard
>>
>> Check to see if the number of server side children are maxed out for a
>> given
>> ip, and return a 503 if that is the case.
>
> This sounds like a viable option, yes. It also allows lots of
> flexibility....
>
>> But if you are running Linux an alternative way to do this might be with
>> iptables and the iplimit module -
>> http://linuxgazette.net/108/odonovan.html
>
> I'm on macos, currently.
>
> Thanks.
>