[Dshield] Help With CGI Abuse - Please

David Cary Hart DShield at TQMcube.com
Fri Aug 19 21:48:51 GMT 2005


On Fri, 2005-08-19 at 14:51 -0600, Josh Tolley wrote:
> David Cary Hart wrote:
> > On Fri, 2005-08-19 at 14:37 -0400, Johannes B. Ullrich wrote:
> > 
> >>David Cary Hart wrote:
> >>
> >>>Does anyone know how to get Apache 2 to limit $x requests per client
> >>>within $y seconds? I want to provide REASONABLE script access to our
> >>>Multi-RBL checker but every once in a while I see that we are getting
> >>>hammered - particularly since we added country of origin to the script.
> >>>
> >>>I'd really hate to go to a captcha.
> >>
> >>This bandwidth module may help:
> >>http://www.ivn.cl/apache/
> > 
> > 
> > I also thought about mod_throttle (which is now deprecated). The problem
> > with BW is that it is geared to bandwidth allocating rather than
> > connects.
> > 
> > I'm going to hack something together with the swatch daemon - perhaps.
> 
> If you're running it on an OpenBSD or Linux box, pf or iptables will let 
> you throttle incoming connections the way you're looking to do it. This 
> came up on NANOG the other day as well; I'm not much of an iptables 
> person but another poster said the following would do it:
> 
> /sbin/iptables -N HTTP
> /sbin/iptables -A HTTP -i eth0 -m limit --limit 10 --limit-burst 1 -j ACCEPT
> /sbin/iptables -A HTTP -i eth0 -j DROP
> 
> /sbin/iptables -A INPUT -i eth0 -p tcp --destination-port 80 -j HTTP
> 
> I'm more of an OpenBSD aficionado myself, and the max-src-conn and 
> max-src-conn-rate options should do what you want, in that case. Most 
> decent firewalls, it seems, should allow you to control this sort of 
> thing before it gets to your web server if you can't control it at the 
> server itself.
> 
Outstanding idea. I need to review the module specifics.
-- 
Tired of spam? Do YOUR part: http://www.BoulderPledge.org
Our DNSRBL - Eliminate Spam: http://www.TQMcube.com/spam_trap.htm
              RBLDNSD HowTo: http://www.TQMcube.com/rbldnsd.htm
            Multi-RBL Check: http://www.TQMcube.com/rblcheck.htm
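The swatch-style hack David mentions comes down to one piece of logic: count requests per client address over a sliding window of the access log and act on whichever client exceeds $x hits in $y seconds. The Python below is an added example of that logic, not code from the thread or from TQMcube. It assumes Apache's combined log format and that the checker is served under /cgi-bin/; the log lines are constructed, using documentation-range addresses, and the iptables block command is only built as a string, never executed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" log format; assumption: the checker's vhost logs in this format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (not from the thread): 198.51.100.7 is scripting the
# checker, 203.0.113.5 is an ordinary user, and the last line is deliberate junk.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Aug/2005:14:37:02 -0400] "GET /cgi-bin/rblcheck.cgi?ip=192.0.2.1 HTTP/1.1" 200 1832 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Aug/2005:14:37:03 -0400] "GET /cgi-bin/rblcheck.cgi?ip=192.0.2.2 HTTP/1.0" 200 1820 "-" "Wget/1.9"
198.51.100.7 - - [19/Aug/2005:14:37:04 -0400] "GET /cgi-bin/rblcheck.cgi?ip=192.0.2.3 HTTP/1.0" 200 1821 "-" "Wget/1.9"
198.51.100.7 - - [19/Aug/2005:14:37:04 -0400] "GET /index.html HTTP/1.0" 200 512 "-" "Wget/1.9"
198.51.100.7 - - [19/Aug/2005:14:37:05 -0400] "GET /cgi-bin/rblcheck.cgi?ip=192.0.2.4 HTTP/1.0" 200 1819 "-" "Wget/1.9"
203.0.113.5 - - [19/Aug/2005:14:37:06 -0400] "GET /cgi-bin/rblcheck.cgi?ip=192.0.2.5 HTTP/1.1" 200 1833 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Aug/2005:14:37:07 -0400] "GET /cgi-bin/rblcheck.cgi?ip=192.0.2.6 HTTP/1.0" 200 1822 "-" "Wget/1.9"
198.51.100.7 - - [19/Aug/2005:14:37:08 -0400] "GET /cgi-bin/rblcheck.cgi?ip=192.0.2.7 HTTP/1.0" 200 1823 "-" "Wget/1.9"
198.51.100.7 - - [19/Aug/2005:14:37:09 -0400] "GET /cgi-bin/rblcheck.cgi?ip=192.0.2.8 HTTP/1.0" 200 1824 "-" "Wget/1.9"
this line is not an access-log record
"""


def parse_line(line):
    """Return (client_ip, timestamp, request_line), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("req")


class ClientRateLimiter:
    """Sliding-window counter: a client is flagged once it makes more than
    max_requests requests inside any span of window_seconds."""

    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window = timedelta(seconds=window_seconds)
        self.hits = defaultdict(deque)  # ip -> timestamps still inside the window
        self.flagged = {}               # ip -> time the limit was first exceeded

    def observe(self, ip, ts):
        q = self.hits[ip]
        q.append(ts)
        cutoff = ts - self.window
        while q and q[0] <= cutoff:     # evict hits that have aged out of the window
            q.popleft()
        if len(q) > self.max_requests:
            self.flagged.setdefault(ip, ts)
            return True
        return False


def find_abusers(log_lines, max_requests, window_seconds, path_prefix="/cgi-bin/"):
    """Replay log lines (assumed in time order, as Apache writes them) and return
    {ip: first_exceeded_at} for clients over the limit on path_prefix."""
    limiter = ClientRateLimiter(max_requests, window_seconds)
    for line in log_lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, req = parsed
        parts = req.split()
        # Count only the script itself, not static pages served alongside it.
        if len(parts) < 2 or not parts[1].startswith(path_prefix):
            continue
        limiter.observe(ip, ts)
    return limiter.flagged


def block_command(ip, port=80):
    """Hypothetical action a swatch-style watcher would take for a flagged client.
    Returned as a string for illustration; nothing here executes it."""
    return f"iptables -I INPUT -p tcp --dport {port} -s {ip} -j DROP"


if __name__ == "__main__":
    for ip, when in find_abusers(SAMPLE_LOG.splitlines(), 5, 60).items():
        print(f"{ip} exceeded the limit at {when:%H:%M:%S}: {block_command(ip)}")
```

Replaying the sample with a limit of 5 requests per 60 seconds flags 198.51.100.7 on its sixth checker request and leaves 203.0.113.5 alone; tightening to 2 per 3 seconds flags it on the third. If the limit is enforced at the firewall instead, pf's max-src-conn-rate already tracks the connection rate per source address, which is the per-client limit the question asks for. On the iptables side, `-m limit` is a single token bucket shared by every client, so the quoted rules cap total port-80 traffic rather than any one abuser; the per-source equivalent is `-m hashlimit --hashlimit-mode srcip`, applied with `--syn` so that only connection attempts, not every packet of an established connection, are counted.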