Attached is my first attempt to see how difficult it would be to write an anti-DoS patch for Apache (I did a few searches and didn't see one that already existed). The enclosed files modify mod_access.c (Apache 1.3.26) so that each listener keeps an internal table of IP addresses and URLs requested; no listener should service more than 1 or 2 requests for the same page by the same IP address without spitting out a 403.

It doesn't seem to use much memory at all, but I suspect on heavily loaded systems it may use more. After some testing, it was apparent this didn't seem to interfere with valid user traffic at all (even if the user refreshed quickly), but was very successful at beating down a script attack. Since this works on a per-listener basis, it automatically purges itself when the listener recycles. Each listener keeps its own record, so while it may not reject the first 10 or 20 requests, in the event of a real DoS (e.g. several hundred requests), it appears to work quite well.

Anyway, I'd be interested in any feedback about this; if it's useful and there's not something like it already, I'd be glad to write it into a "real" Apache module rather than hacking mod_access up.

Instructions: Configure first, then extract into src/modules/standard. This will replace mod_access.c and extract npt.h, npt.c, and Makefile.patch. The npt files are some basic dynamic hash array functions, and the Makefile.patch should be applied to add npt.o to the OBJS in the Makefile. If you have a heavily loaded web server, you may consider increasing the hash table size (search for 'npt_create' in mod_access.c).

Let me know if this is useful to anyone.
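The counting scheme the post describes, as an added stand-alone illustration (not the posted npt.c/mod_access.c, whose sources are only attached to the original mail): a hash table keyed on (client IP, requested URL) that counts hits and tells the caller to answer 403 once the same client has fetched the same page more than a fixed number of times. The names npt_create, npt_hit, npt_allow and npt_clear, the threshold NPT_MAX_REPEATS and the request traffic in main() are all my own assumptions for the example; npt_clear stands in for the purge the post gets for free when an Apache 1.3 child process recycles.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed threshold: a client may fetch the same page this many times per
 * listener before further requests for it are refused with 403. */
#define NPT_MAX_REPEATS 2

typedef struct npt_entry {
    char *ip;
    char *url;
    unsigned long count;
    struct npt_entry *next;      /* chaining for bucket collisions */
} npt_entry;

typedef struct {
    npt_entry **buckets;
    size_t nbuckets;
    size_t nentries;
} npt_table;

static char *npt_strdup(const char *s)
{
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d) memcpy(d, s, n);
    return d;
}

/* djb2 over "ip|url" so that (ip, url) is the key, not ip or url alone. */
static unsigned long npt_hash(const char *ip, const char *url)
{
    unsigned long h = 5381;
    const char *p;
    for (p = ip; *p; p++)  h = h * 33 + (unsigned char)*p;
    h = h * 33 + (unsigned char)'|';
    for (p = url; *p; p++) h = h * 33 + (unsigned char)*p;
    return h;
}

/* nbuckets is the knob the post suggests raising on busy servers. */
npt_table *npt_create(size_t nbuckets)
{
    npt_table *t = malloc(sizeof *t);
    if (!t) return NULL;
    t->buckets = calloc(nbuckets, sizeof *t->buckets);
    if (!t->buckets) { free(t); return NULL; }
    t->nbuckets = nbuckets;
    t->nentries = 0;
    return t;
}

/* Count one request for (ip, url), creating the entry on first sight.
 * Returns the new count, or 0 if the entry could not be allocated. */
unsigned long npt_hit(npt_table *t, const char *ip, const char *url)
{
    unsigned long idx = npt_hash(ip, url) % t->nbuckets;
    npt_entry *e;
    for (e = t->buckets[idx]; e; e = e->next)
        if (strcmp(e->ip, ip) == 0 && strcmp(e->url, url) == 0)
            return ++e->count;
    e = malloc(sizeof *e);
    if (!e) return 0;
    e->ip = npt_strdup(ip);
    e->url = npt_strdup(url);
    if (!e->ip || !e->url) { free(e->ip); free(e->url); free(e); return 0; }
    e->count = 1;
    e->next = t->buckets[idx];
    t->buckets[idx] = e;
    t->nentries++;
    return 1;
}

/* The access decision: 1 = serve the request, 0 = reject with 403.
 * Allocation failure fails open so a memory squeeze cannot deny service. */
int npt_allow(npt_table *t, const char *ip, const char *url)
{
    unsigned long n = npt_hit(t, ip, url);
    return n == 0 || n <= NPT_MAX_REPEATS;
}

/* Forget everything; models the table vanishing when a listener recycles. */
void npt_clear(npt_table *t)
{
    size_t i;
    for (i = 0; i < t->nbuckets; i++) {
        npt_entry *e = t->buckets[i];
        while (e) {
            npt_entry *next = e->next;
            free(e->ip); free(e->url); free(e);
            e = next;
        }
        t->buckets[i] = NULL;
    }
    t->nentries = 0;
}

void npt_destroy(npt_table *t)
{
    if (!t) return;
    npt_clear(t);
    free(t->buckets);
    free(t);
}

/* Replay a constructed burst of n identical requests; returns how many
 * of them this listener would have served before starting to 403. */
unsigned long npt_simulate_burst(npt_table *t, const char *ip,
                                 const char *url, unsigned long n)
{
    unsigned long served = 0, i;
    for (i = 0; i < n; i++)
        if (npt_allow(t, ip, url)) served++;
    return served;
}

int main(void)
{
    npt_table *t = npt_create(1024);
    if (!t) return 1;
    /* Constructed traffic: one scripted client hammering one page. */
    printf("script burst: %lu of 300 served\n",
           npt_simulate_burst(t, "192.0.2.10", "/index.html", 300));
    printf("other client, same page: %d\n",
           npt_allow(t, "198.51.100.7", "/index.html"));
    printf("same client, other page: %d\n",
           npt_allow(t, "192.0.2.10", "/about.html"));
    npt_destroy(t);
    return 0;
}
```

Because the key is (IP, URL), a script that varies the query string or rotates source addresses is not slowed by this table, and because each listener counts independently, a burst spread across many children passes NPT_MAX_REPEATS times per child before any 403 appears; both follow directly from the per-listener, per-page design the post describes.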
This archive was generated by hypermail 2b30 : Mon Oct 28 2002 - 21:33:13 PST