WiiRd forum

Main Forums => Forum Announcements => Topic started by: Link on November 29, 2010, 08:22:27 AM

Title: Downtimes
Post by: Link on November 29, 2010, 08:22:27 AM
Well, on a positive note: since the move back to the old provider, the downtimes have drastically reduced again. Technically they were even 0 - however, I admit the fact I am having some troubles with server performance right now.. sometimes the server appears offline due to the fact it seems to overload.. logs so far never really suggested a DoS attack. This morning it happened again:

Server not reachable via HTTP.. but replied to pings fine.. so well.. logging in from outside via SSH (SSH has a high nice level so that login is always possible). Well, 5 mintues later i was in - just to see that Apache seemed to have been DoSed.. after an Apache restart it was up and running again. Right now I configured a mod_security setup which should prevent DoS attacks.

Does anyone of you out there have good ideas on additional DoS preventions (and no, mod_evasion is NOT an option, this server is also used by professional photograph who is showing off galleries - evasion technically checks if too many connections come in from one IP and blocks the IP for a certain amount of time.. gallery systems however do not work with evasion!)?

Title: Re: Downtimes
Post by: James0x57 on November 29, 2010, 10:40:47 PM
I asked a server admin here at work all he said was:
"hmm.. for apache? not completely sure.. since we do most of our filtering at our load balancer. Anything that does rate limiting should prevent a DDOS on your backend"

Which maybe is not helpful to you but I don't know anything about it so I can't assume that info is useless..

Title: Re: Downtimes
Post by: Link on December 01, 2010, 09:00:00 AM
So well.. I hope it is done by now.

A: Package filter:
1) Filtering so far has a usual SYN package filter (too many SYN requests in a short amount of time whose ACKs are not acked (meaning server opens a socket but the socket is not used) will result in a 3 minute iptables ban (no access to any server ressource at all).
2) ICMP requests (PING) currently allowed

B: For Apache:
1) multiple requests on the exact same URI at the same time will result in 403 errors,
2) multiple GET requests in general on addresses will also (only the limit of allowed requests is higher),
3) too many GET requests on non-existing pages (DoS attacking applications sending just GET requests randomly) also 403 (even less requests allowed than option 1)
4) too many POST requests per second (very low limit!)
5) unauthorized PUT requests

Apache behaviour is simple: get blocked because one of the reasons once and you get a 5 second ban and all requests end up in 403. Manage to get 10 blocks in 1 hour will give you a 15 minute ban. Let's see how well this ends up defeating packages :P .