31 lines
1.7 KiB
Text
31 lines
1.7 KiB
Text
|
mod_dosevasive is an evasive maneuvers module for Apache to provide evasive
|
||
|
|
action in the event of an HTTP DoS or DDoS attack or brute force attack.
|
||
|
|
It is also designed to be a detection and network management tool, and can be
|
||
|
|
easily configured to talk to ipchains, firewalls, routers, and etcetera.
|
||
|
|
mod_dosevasive presently reports abuses via email and syslog facilities.
|
||
|
|
|
||
|
|
Detection is performed by creating an internal dynamic hash table of IP
|
||
|
|
Addresses and URIs, and denying any single IP address from any of the
|
||
|
|
following:
|
||
|
|
|
||
|
|
* Requesting the same page more than a few times per second
|
||
|
|
* Making more than 50 concurrent requests on the same child per second
|
||
|
|
* Making any requests while temporarily blacklisted (on a blocking list)
|
||
|
|
|
||
|
|
This method has worked well in both single-server script attacks as well as
|
||
|
|
distributed attacks, but just like other evasive tools, is only as useful to
|
||
|
|
the point of bandwidth and processor consumption (e.g. the amount of bandwidth
|
||
|
|
and processor required to receive/process/respond to invalid requests), which
|
||
|
|
is why it's a good idea to integrate this with your firewalls and routers for
|
||
|
|
maximum protection.
|
||
|
|
|
||
|
|
This module instantiates for each listener individually, and therefore has a
|
||
|
|
built-in cleanup mechanism and scaling capabilities. Because of this per-child
|
||
|
|
design, legitimate requests are never compromised (even from proxies and NAT
|
||
|
|
addresses) but only scripted attacks. Even a user repeatedly clicking on
|
||
|
|
'reload' should not be affected unless they do it maliciously. mod_dosevasive
|
||
|
|
is fully tweakable through the Apache configuration file, easy to incorporate
|
||
|
|
into your web server, and easy to use.
|
||
|
|
|
||
|
|
WWW: http://www.nuclearelephant.com/projects/dosevasive/
|