DoS protection strategies
Roberto Nibali
ratz at drugphish.ch
Tue Apr 18 19:41:18 BST 2006
Hello,
> To my surprise, opening 150 tcp connections to a default apache
> installation is enough to effectively DoS it for a few minutes (until
> connections time out).
What is your exact setup?
Only on a really badly configured web server or maybe a 486 machine :).
Otherwise this does not hold. Every web server will handle at least 1000
concurrent TCP connections easily. After that you need some ulimit or
epoll tweaking.
> This could be circumvented by using
> mod_throttle, mod_bwshare or mod_limitipconn but imho a much better
Nope, you then just open a HTTP 1.1 channel and reload using GET / every
MaxKeepAliveTimeout-1. Those modules will not help much IMHO. They only
do QoS on established sockets. It's the wrong place to interfere.
> place to solve this is at the LVS loadbalancer. Which already does
> source IP tracking for the "persistency" feature.
Does not help either, it's not a Layer 4 issue, it's a higher layer
issue. Even if it wasn't, how would source IP tracking ever help?
> Did anyone implement such a feature? Considerations?
Check out HTTP 1.1 & pipelining. Read up on the timing configurations
and so on.
> A sample script to test your webhosting provider:
>
> #!/usr/bin/perl
> use strict;
> use warnings;
> use IO::Socket::INET;
>
> my $target = shift or die "Usage: $0 <target>\n";
> my @cons;
> for my $t (0..300) {
>     print "Try $t... ";
>     $cons[$t] = IO::Socket::INET->new( PeerAddr => "$target:80",
>                                        Proto    => 'tcp',
>                                        Blocking => 1 )
>         or die "Couldn't connect!";
>     print "connected!\n";
> }
> print "Enter to drop connections...\n";
> <STDIN>;
Besides that only poorly-configured web servers will allow you to hold a
socket after a simple TCP handshake without sending any data, you get a
close on the socket for HTTP 1.1 configured web servers with low timeouts.
You are right however, in that using such an approach of blocking TCP
connections (_including_ data fetching) can tear down a lot of (even very
well known) web sites. I've actually started writing a paper on this
last year, however never finished it. I wrote a proof-of-concept tool
that would (after some scanning and timeout guessing) block a whole web
site, if not properly configured. This was done using the CURL library.
It simulates some sort of slow-start slashdot-effect.
Best regards,
Roberto Nibali, ratz
--
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq' | dc
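Added example, not part of this thread: a small Python server that enforces a header read timeout, so a client that completes the TCP handshake but never sends a request line is closed after the timeout, which is the "close on the socket" behaviour described above for servers with low timeouts. The server, the probe client, the port and the timeout values are this example's own assumptions, not anything from LVS or Apache.

```python
# Added example (not from the thread); names, ports and timeouts are illustrative.
import socket
import threading

def handle_client(conn, header_timeout, stats):
    """Serve one connection; drop it if no request line arrives in time."""
    conn.settimeout(header_timeout)
    try:
        data = conn.recv(1024)
    except socket.timeout:
        # TCP handshake completed but nothing was ever sent: free the slot.
        stats["idle_dropped"] += 1
        conn.close()
        return
    if data.startswith(b"GET "):
        stats["served"] += 1
        conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok")
    conn.close()

def start_server(header_timeout=0.5):
    """Listen on an ephemeral localhost port; return (port, stats, stop_fn)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(64)
    srv.settimeout(0.1)            # lets the accept loop notice stop_fn
    stats = {"idle_dropped": 0, "served": 0}
    stop = threading.Event()

    def loop():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            threading.Thread(target=handle_client, args=(conn, header_timeout, stats),
                             daemon=True).start()
        srv.close()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1], stats, stop.set

def probe(port, send_request):
    """Connect once; return what the server sent back (b'' means it closed)."""
    c = socket.create_connection(("127.0.0.1", port), timeout=3)
    try:
        if send_request:
            c.sendall(b"GET / HTTP/1.1\r\nHost: localhost\r\n\r\n")
        return c.recv(1024)
    finally:
        c.close()
```

A probe that sends a request gets a 200; a probe that only completes the handshake sees EOF after header_timeout seconds, so the idle socket never holds a worker for long.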