[ISN] Evading DoS Attacks Against Apache

From: InfoSec News (alerts@private)
Date: Thu Feb 15 2007 - 00:09:35 PST

Forwarded with permission from: Security UPDATE <Security_UPDATE (at) list.windowsitpro.com>


Data Protection and Disaster Recovery Tips

Recent Lessons in Disaster Recovery

Filtering the Spectrum of Internet Threats

=== CONTENTS ===================================================

IN FOCUS: Evading DoS Attacks Against Apache

   - DNS Root Servers Fell Under Brief Attack
   - Skype Teams with Symantec and FaceTime to Offer Security Tools
   - New Direction, Product for Check Point
   - Recent Security Vulnerabilities

   - Security Matters Blog: Root Access Through a User-Installed MySQL 
Back Door
   - FAQ: Managing Group Policy for Vista
   - Share Your Security Tips

   - Data Auditing Solution Adds Content Scanning
   - Wanted: Your Reviews of Products 




=== SPONSOR: CA ================================================

Data Protection and Disaster Recovery Tips
   Discover a wealth of information about how to protect and secure 
your data in the event of a disaster. You may not be able to predict 
the exact details of a disaster, but you can be prepared with a solid 
response for when one strikes. Disaster can strike anywhere--not just 
where severe weather can hit--so make sure you're ready when it does. 
Download your free copy of this eBook today!

=== IN FOCUS: Evading DoS Attacks Against Apache ===============
   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Last week, I began working with mod_evasive, a Web-based security tool 
that helps defend Apache HTTP Server against Denial of Service (DoS) 
attacks. Mod_evasive is a typical loadable module that looks for 
particular behavior and then blocks it. 

Mod_evasive is similar to Suhosin, which I wrote about back in December 
(at the URL below). You might remember that Suhosin is a patch for the 
PHP scripting engine that makes it far more secure. It helps detect and 
prevent all sorts of potentially bad Web-based content from reaching 
your systems and network beyond the PHP engine.

The way mod_evasive works is to keep track of IP addresses that send 
URL requests to your Apache server, where it then gauges whether the 
request rates from any given IP address exceed your acceptable 
predefined limits. If the limits are exceeded, then the IP address is 
temporarily blocked from making any more requests. 

Like many other Apache modules, mod_evasive allows the administrator to 
set various parameters that control module behavior. For example, you 
can set the maximum number of pages that one IP address can request 
from your entire site (DOSSiteCount) within a specified time period 
(DOSPageInterval), the maximum number of page reloads one IP address 
can request(DOSPageCount) within a specified time period 
(DOSPageInterval), and the period of time to block the requesting IP 
address if it exceeds the limits (DOSBlockingPeriod). 

To help clarify, here's an example. If you set DOSSiteCount to 100, 
DOSPageCount to 3, DOSPageInterval to 2, and DOSBlockingPeriod to 10, 
then mod_evasive will work like this: If an IP address requests more 
than 100 different pages or reloads the same page more than three times 
in two seconds, that IP address will be blocked for 10 seconds. 

There are a few other parameters you can configure too. You can set the 
size of the hash table mod_evasive uses to track IP addresses. The 
larger the hash table, the more IP addresses it can keep track of. You 
can also define an email address that will receive a short notice any 
time an IP address is blocked. And you can set a logging directory that 
records the IP addresses about which you've received email messages. 
Mod_evasive uses the log to keep from sending you numerous messages 
about the same IP address. 

Overall mod_evasive seems like a reasonable addition to Apache. It will 
in fact help fend off some intruders. However, if you aren't careful 
about the settings, it might block relatively innocent users whose 
browsers or proxy servers perform aggressive preloading of Web pages--
typically used to enhance the browsing experience and speed up overall 
browsing. So be careful configuring the settings and be sure to monitor 
the email mod_evasive sends (if you use that feature) to determine 
whether you've configured it to be too restrictive. 

Mod_evasive is available from the developer, Jonathan A. Zdziarski, in 
source code format (at the URL below), so you must compile it by using 
Apache's apxs tool (see the readme file for details). That typically 
isn't a problem for Linux administrators; however it might present a 
problem for Windows users, who might not have apxs or other required 

You can get apxs for Windows at Apache Lounge, at the URL below, 
provided as a Perl script. Be aware that you'll need some Apache-
related libraries to use it, so when you install Apache on Windows you 
need to choose the custom install and select "Build Headers and 
Libraries" as part of your installation. Make sure the libraries are 
located in the lib subdirectory of your Apache installation directory 
before using the apxs tool. 

Or, to simplify matters, you can get a precompiled copy of mod_evasive 
for Windows, including source code, at the URL below. 

Finally, keep in mind that while mod_evasive is effective at protecting 
Apache against DoS attacks, it's not a cure-all. Attackers could still 
saturate your bandwidth or overload your Web server's CPU. So keep that 
in mind and take other measures, if you can, to prevent those 
possibilities from becoming reality. 

=== SPONSOR: Neverfail =========================================

Recent Lessons in Disaster Recovery
   In today's IT world disaster recovery is more important than ever. 
This white paper looks at disaster recovery and what it means for your 
organization as well as identifies some of the approaches that work the 
best. Download now! 

=== SECURITY NEWS AND FEATURES =================================

DNS Root Servers Fell Under Brief Attack
   On February 6, some of the root DNS servers that provide the 
backbone for the Internet's global domain name system fell under 

Skype Teams with Symantec and FaceTime to Offer Security Tools
   Skype will offer Symantec's Norton tools to its base of small 
business and home office users. FaceTime will work with Skype's 
business users to provide end-to-end security within the enterprise.

New Direction, Product for Check Point
   Check Point Software Technologies is moving into the data security 
market and enhancing its core network security product line after its 
recent acquisitions of Protect Data (which owns Pointsec) and NFR 

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security 
Alerts, which inform you about recently discovered security 
vulnerabilities. You can also find information about these 
discoveries at

=== SPONSOR: St. Bernard Software ==============================

Filtering the Spectrum of Internet Threats
   Examine the threats of allowing unwanted or offensive content into 
your network and learn about the technologies and methodologies to 
defend against inappropriate content, spyware, IM, and P2P. Download 
this free white paper now!

=== GIVE AND TAKE ==============================================

SECURITY MATTERS BLOG: Root Access Through a User-Installed MySQL Back Door
   by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=4A4E1:57B62BBB09A692794697634C744D5ADC

Did you know that someone can gain root shell access (or system-level 
access in Windows) through quirks in the load_file feature of MySQL? 
Hopefully you've locked down your system to prevent that.

FAQ: Group Policy for Windows Vista
   by John Savill, http://list.windowsitpro.com/t?ctl=4A4DE:57B62BBB09A692794697634C744D5ADC 

Q: How can I manage Group Policy for Windows Vista machines?

Find the answer at

   Share your security-related tips, comments, or problems and 
solutions in Security Pro VIP's Reader to Reader column. Email your 
contributions to r2r@private If we print your submission, 
you'll get $100. We edit submissions for style, grammar, and length.

=== PRODUCTS ===================================================
   by Renee Munshi, products@private

Data Auditing Solution Adds Content Scanning
   Tizor Systems claims that its new 5.0 release of Mantra is the first 
data auditing and protection solution to feature content scanning 
capabilities, which let enterprises discover, monitor, and report on 
the activity of specific types of data (such as credit card and Social 
Security numbers) in databases and file systems and on mainframes. 
Other new functionality in Mantra 5.0 lets enterprises track all 
database changes and reconcile them with authorized change control 
tickets and better enforce segregation of duties through roles. Mantra 
5.0 also offers enhanced support for Microsoft SQL Server, including NT 
LAN Manager (NTLM) authentication and named pipes support, and better 
network monitoring of Distributed Relational Database Architecture 
(DRDA) mainframes. Mantra 5.0 will be available first quarter 2007. For 
more information, go to

WANTED: your reviews of products you've tested and used in 
production. Send your experiences and ratings of products to 
whatshot@private and get a Best Buy gift certificate.

=== RESOURCES AND EVENTS =======================================
   For more security-related resources, visit

Learn how to use consolidation and selected technology updates to build 
an infrastructure that handles change effectively. 

A secure mail and messaging infrastructure is fundamental to your 
business, and every organization should plan for the appropriate 
message hygiene, availability, and control services from the start. 
This eBook introduces three fundamental mail and messaging management 
services--security, availability, and control services--and explains 
how you can implement them in a Microsoft-centric email and messaging 
environment. Download now! 

Are you planning to deploy or increase your use of Group Policy? Attend 
this free Web seminar and learn how to design a solid deployment plan, 
get tips on the best ways to set up delegation, discover the importance 
of good Group Policy change control, and learn how to optimize 
processing performance. Live event: February 28, 2007 at 12:00 PM EST. 

=== FEATURED WHITE PAPER =======================================

Devote your time, energy, and resources to serving your customers, not 
your servers. Want to focus on high-value activities instead of 
applying OS patches and updates, dealing with security vulnerabilities, 
and managing disk drives? Download this free white paper now and find 
out how you can have a business-class Web hosting solution with secure 
application pooling to protect your data. 

=== ANNOUNCEMENTS ==============================================

Introducing a Unique Exchange and Outlook Resource 
   Exchange & Outlook Pro VIP is an online information center that 
delivers new articles every week on topics such as administration, 
migration, security, and performance. Subscribers also receive tips, 
cautionary advice, direct access to our editors, and a host of other 
benefits! Order now at an exclusive charter rate and save up to $50! 

Grab Your Share of the Spotlight!  
   Nominate yourself or a peer to become IT Pro of the Month. This is 
your chance to get the recognition you deserve! Winners will receive 
over $600 in IT resources and be featured in Windows IT Pro. It's easy 
to enter--we're accepting March nominations now, but only for a limited 
time! Submit your nomination today: 


Security UDPATE is brought to you by the Windows IT Pro Web site's 
Security page (first URL below) and Security Pro VIP (second URL 

Subscribe to Security UPDATE at

Be sure to add Security_UPDATE@private 
to your antispam software's list of allowed senders.

To contact us: 
   About Security UPDATE content -- letters@private
   About technical questions -- http://list.windowsitpro.com/t?ctl=4A4E4:57B62BBB09A692794697634C744D5ADC
   About your product news -- products@private
   About your subscription -- windowsitproupdate@private
   About sponsoring Security UPDATE -- salesopps@private

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.

Subscribe to the InfoSec News RSS Feed

This archive was generated by hypermail 2.1.3 : Thu Feb 15 2007 - 00:20:33 PST