Firewall (iptables) rule to limit Apache connections

Kevin D. Clark kevin_d_clark at comcast.net
Wed May 19 09:26:06 EDT 2010


Greg Rundlett (freephile) writes:

> Occasionally we'll get a bunch of web requests from a single source (example
> user agent of HTTrack or Opera or IE5 will all give a user the ability to
> make a huge number of web requests).  This ties up our Apache server as all
> available workers are sending responses (and might be waiting on the
> client-side connection speed as well).  "Ties up" as in DoS -- nobody else
> can get to the website.

[...]

> There are some (bandwidth-related) Apache modules that seem to touch on this
> problem domain.  For example mod_cband, mod_bw, mod_qos or limitipconn but
> only mod_cband appears to be applicable to my environment and reasonably
> maintained.
> 
> I was more interested in an iptables rule that I could dynamically create
> (perhaps tying into portsentry) or else a squid solution because it would be
> more future proof as we plan to update the hosting environment shortly.
>  What solution have you used?

I'd recommend that you go with mod_cband.  I feel that it is likely
that the hosted environment that you are planning on migrating to in
the future will already have support for this module as well.

Have you given any consideration to the fact that in HTTP 1.1 there
are persistent connections and that the level of control offered to
you by iptables might be too low-level for you to effectively manage
the traffic that your system is dealing with?

Hope this helps,

--kevin
-- 
alumni.unh.edu!kdc / http://kdc-blog.blogspot.com/
GnuPG: D87F DAD6 0291 289C EB1E 781C 9BF8 A7D8 B280 F24E

 Wipe him down with gasoline 'til his arms are hard and mean
 From now on boys this iron boat's your home
 So heave away, boys.
   -- Tom Waits

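As an added example, not code from this thread or from either poster: an iptables rule set that limits each source address to a fixed number of concurrent connections and to a rate of new connections on the web port, with a bypass for a trusted network. The chain name HTTP_LIMIT, the port, the thresholds and the 192.0.2.0/24 trusted range (an RFC 5737 documentation prefix) are all assumptions; tune the numbers to your worker count. It speaks to the persistent-connection point raised above: the connlimit rule counts open TCP connections per source no matter how many requests each carries, so an HTTP/1.1 client holding idle keep-alive connections is caught, while the hashlimit rule handles clients that open a fresh connection per request. By default the script only prints the rules (IPT=echo); set IPT=iptables to load them.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): per-source connection
# limits in front of an Apache listener using the connlimit and hashlimit
# iptables matches. Port, thresholds and the trusted network are assumptions.
set -eu

HTTP_PORT="${HTTP_PORT:-80}"
MAX_CONCURRENT="${MAX_CONCURRENT:-20}"   # open TCP connections per /32 source
NEW_PER_MIN="${NEW_PER_MIN:-60}"         # new connections per source per minute
BURST="${BURST:-30}"                     # short burst allowed above that rate
TRUSTED_NET="${TRUSTED_NET:-192.0.2.0/24}"   # assumed monitoring/office range
# IPT=echo (the default here) prints the rules for review instead of loading
# them; run with IPT=iptables as root to apply.
IPT="${IPT:-echo}"

# Emit (or load) the rule set. All limits live in their own chain so they can
# be flushed and reloaded without touching the rest of the firewall.
apache_limit_rules() {
    $IPT -N HTTP_LIMIT 2>/dev/null || $IPT -F HTTP_LIMIT
    # Trusted sources skip the limits entirely.
    $IPT -A HTTP_LIMIT -s "$TRUSTED_NET" -j RETURN
    # Limit 1: concurrent connections per source address. This is the control
    # that matters for HTTP/1.1 keep-alive clients: one crawler can hold many
    # idle persistent connections, each pinning an Apache worker, without ever
    # producing a burst of new SYNs. Excess connections get a TCP reset so the
    # client fails fast instead of hanging.
    $IPT -A HTTP_LIMIT -p tcp -m connlimit \
        --connlimit-above "$MAX_CONCURRENT" --connlimit-mask 32 \
        -j REJECT --reject-with tcp-reset
    # Limit 2: rate of new connections per source, for clients that open and
    # close a fresh connection for every request (HTTP/1.0 style).
    $IPT -A HTTP_LIMIT -p tcp -m hashlimit \
        --hashlimit-name http_new --hashlimit-mode srcip \
        --hashlimit-above "${NEW_PER_MIN}/min" --hashlimit-burst "$BURST" \
        -j DROP
    $IPT -A HTTP_LIMIT -j RETURN
    # Hook the chain ahead of the existing ACCEPT for the web port; only SYN
    # packets (new connections) are evaluated, so established flows pass.
    $IPT -I INPUT -p tcp --dport "$HTTP_PORT" --syn -j HTTP_LIMIT
}

# Dry-run sanity check: number of rules appended to the HTTP_LIMIT chain.
count_rules() {
    ( IPT=echo; apache_limit_rules ) | grep -c -- '-A HTTP_LIMIT'
}

# Stand-alone run: print (or, with IPT=iptables, load) the rule set.
apache_limit_rules
```

Two caveats a practitioner should check before relying on this: the limits count TCP connections, not requests, so many users behind one NAT address share a single budget and a /32 limit of 20 can cut off a whole office; and a pinned worker is usually an idle one, so Apache's own KeepAliveTimeout and worker count still need to be sized alongside any firewall rule. After loading, `iptables -L HTTP_LIMIT -v -n` shows which rule is firing and how often.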