Re: Re: HTTPD Dos

David Fletcher wrote:
> 
> On Fri, 12 Nov 2004 20:23:12 -0800
> mod-security-users-request <at> lists.sourceforge.net wrote:
> 
> 
>>Subject: [mod-security-users] HTTPD Dos
>>
>>Hello there,
>>
>>One of our servers is being ddossed (httpd based), 100ths of clients are
>>trying to download 1 certain file. My question, is it possible
>>to filter on the download and put the the ip in an iptables rule?
>>
>>Regards,
>>Gerwin
> 
> 
> Hi,
> 
> I have been getting attacks with over 1000 per second requests like this:
> 
> default.domain 141.150.49.213 - - [04/Nov/2004:09:30:52 +0000] "OPTIONS /
> HTTP/1.1" 403 266 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600" (-)
> 
> They seem to have stopped before I did anything about them, but I was
> looking at mod_dosevasive available here:
> 
> http://www.nuclearelephant.com/projects/dosevasive/
> 
> It doesn't look like its been developed in over a year (perhaps it doesn't
> need it?) but it might be useful. I wonder if there is any case for
> integrating it with mod_security?
> 
> Another approach in this case will be just to block OPTIONS requests, but
> other DOS attacks might not use this request method.
> 
> David.
> 

That could prove to be a very useful addition to the mod_security 
codebase. I currently use it but, due to the incompatibility with 
frontpage I can't use it on all servers.

If possible, I would definately like to see it added.

Zach

-------------------------------------------------------
This SF.Net email is sponsored by: InterSystems CACHE
FREE OODBMS DOWNLOAD - A multidimensional database that combines
robust object and relational technologies, making it a perfect match
for Java, C++,COM, XML, ODBC and JDBC. www.intersystems.com/match8