[Dshield] Help With CGI Abuse - Please

Josh Tolley josh at raintreeinc.com
Fri Aug 19 20:51:36 GMT 2005

David Cary Hart wrote:
> On Fri, 2005-08-19 at 14:37 -0400, Johannes B. Ullrich wrote:
>>David Cary Hart wrote:
>>>Does anyone know how to get Apache 2 to limit $x requests per client
>>>within $y seconds? I want to provide REASONABLE script access to our
>>>Multi-RBL checker but every once in awhile I see that we are getting
>>>hammered - particularly since we added country of origin to the script.
>>>I'd really hate to go to a captcha.
>>This bandwidth module may help:
> I also thought about mod_throttle (which is now deprecated). The problem
> with BW is that it is geared to bandwidth allocating rather than
> connects.
> I'm going to hack something together with the swatch daemon - perhaps.

If you're running it on an OpenBSD or Linux box, pf or iptables will let 
you throttle incoming connections the way you're looking to do it. This 
came up on NANOG the other day as well; I'm not much of an iptables 
person but another poster said the following would do it:

# A chain for port-80 traffic: accept up to 10 packets/second (limit's rate
# is per second when no unit is given) with a burst of 1, drop everything else.
# Note that -m limit keeps one global counter, not one per client address.
/sbin/iptables -N HTTP
/sbin/iptables -A HTTP -i eth0 -m limit --limit 10 --limit-burst 1 -j ACCEPT
/sbin/iptables -A HTTP -i eth0 -j DROP

# Send every inbound TCP packet to port 80 through the HTTP chain.
/sbin/iptables -A INPUT -i eth0 -p tcp --destination-port 80 -j HTTP

I'm more of an OpenBSD aficionado myself, and the max-src-conn and 
max-src-conn-rate options should do what you want, in that case. Most 
decent firewalls, it seems, should allow you to control this sort of 
thing before it gets to your web server if you can't control it at the 
server itself.

Josh Tolley
Raintree Systems, Inc.
Office Phone: (801) 293-3090
Corporate Office: (800) 333-1033
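The rules quoted above use iptables' limit match, which keeps a single token bucket shared by every client, so one abusive address throttles the whole site, and they count every packet on port 80 rather than new connections. What the original question asked for (at most N requests per client within Y seconds) maps to the hashlimit match keyed on source address, applied only to connection-opening packets. The script below is an added example and is not from the thread or the NANOG poster; the interface eth0, the rate of 10/second, the burst of 20 and the chain name HTTP_RATELIMIT are assumed values, and applying it needs root and the xt_hashlimit module.

```shell
#!/bin/sh
# Per-client rate limit for inbound HTTP using the iptables hashlimit match.
# Added example: eth0, 10/second and a burst of 20 are assumed defaults.

CHAIN=HTTP_RATELIMIT

# Print the iptables commands for the given interface, sustained rate and
# burst without running them, so they can be reviewed first. Returns 1 if
# the rate is not in a form hashlimit accepts (N/second, N/minute, N/hour,
# N/day) or the burst is not a whole number.
http_ratelimit_rules() {
    iface=$1; rate=$2; burst=$3
    num=${rate%/*}; unit=${rate#*/}
    case "$num" in ''|*[!0-9]*) echo "bad rate: $rate" >&2; return 1 ;; esac
    case "$unit" in second|minute|hour|day) ;; *) echo "bad rate: $rate" >&2; return 1 ;; esac
    case "$burst" in ''|*[!0-9]*) echo "bad burst: $burst" >&2; return 1 ;; esac
    cat <<EOF
iptables -N $CHAIN
iptables -A $CHAIN -m hashlimit --hashlimit-name http --hashlimit-mode srcip --hashlimit-upto $rate --hashlimit-burst $burst -j ACCEPT
iptables -A $CHAIN -j DROP
iptables -I INPUT -i $iface -p tcp --dport 80 -m conntrack --ctstate NEW -j $CHAIN
EOF
}

# Install the rules, removing any earlier copy first so re-running is safe.
# Only NEW connections are sent to the chain: packets of already accepted
# connections are not counted against the client's budget.
http_ratelimit_apply() {
    iface=$1; rate=$2; burst=$3
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    iptables -D INPUT -i "$iface" -p tcp --dport 80 -m conntrack --ctstate NEW -j $CHAIN 2>/dev/null
    iptables -F $CHAIN 2>/dev/null
    iptables -X $CHAIN 2>/dev/null
    http_ratelimit_rules "$iface" "$rate" "$burst" | sh -e
}

# Usage: http-ratelimit.sh show|apply [iface] [rate] [burst]
case "${1:-show}" in
    show)  http_ratelimit_rules "${2:-eth0}" "${3:-10/second}" "${4:-20}" ;;
    apply) http_ratelimit_apply "${2:-eth0}" "${3:-10/second}" "${4:-20}" ;;
    *)     echo "usage: $0 show|apply [iface] [rate] [burst]" >&2; exit 2 ;;
esac
```

The INPUT rule is inserted at the top of the chain so it runs before any blanket accept for established traffic, and the hashlimit entry expires on its own once a client goes quiet. The pf counterpart mentioned above is a state option on the pass rule, for example `keep state (max-src-conn-rate 10/5, overload <http_abusers> flush global)` with a block rule for the `<http_abusers>` table; the table name there is likewise an assumed one.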
