
More spamming attacks!!! Site should be good now!

Posted: Tue May 03, 2016 7:08 pm
by Rob
We have been DoS attacked from a particular IP in Northern Africa. Thank GOD for good firewalls. The firewall was fine but the server almost crashed.

I have added the rule to the firewall to deny this IP from hitting our server ever again.

Additionally, I'm looking at how I can use the new firewall to auto-deny IPs PERMANENTLY in the future based on the number of times they hit the server, so that it happens automatically and is PROACTIVE vs. being reactive as it is now. (Again, thank GOD for my good monitoring system)


Thanks!

Re: More spamming attacks!!! Site should be good now!

Posted: Wed May 04, 2016 12:55 am
by Karl Klammer
Hi Rob,

This sounds like a case for rate limiting new connections per source IP.

bsd pf:
max-src-conn number
max-src-conn-rate number / interval
http://www.openbsd.org/faq/pf/filter.html#stateopts

linux iptables:
-m connlimit --connlimit-above number
http://www.cyberciti.biz/faq/iptables-c ... its-howto/

cisco:
set connection conn-max 5000 conn-rate-limit 500
http://www.cisco.com/c/en/us/td/docs/se ... tct_f.html

Be careful when setting this up and verify your rulesets with tools like apachebench.
Some browsers open one connection per URL/file (image/CSS/JS),
while others implement HTTP pipelining and only require a single connection.

Also, I would advise against any automated+permanent IP blocks,
as an attacker could just use IP spoofing to make your firewall block your own IP ;-)

Cheers,
Karl

Re: More spamming attacks!!! Site should be good now!

Posted: Wed May 04, 2016 8:06 am
by kode-niner
Hey Karl,

Unfortunately, Rob is running Apache on a Windows Server, so no pf or iptables goodness.

Re: More spamming attacks!!! Site should be good now!

Posted: Wed May 04, 2016 10:23 am
by Karl Klammer
mod_limitipconn might work for you, depending on the nature of the DoS attack.
http://dominia.org/djao/limitipconn2.html

I have no experience with that module.
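
Added example, not part of any post in this thread: a platform-independent way to get the hit-count-based blocking discussed above from an Apache access log, using blocks that expire and an allowlist instead of permanent denies. The thresholds, function names and sample log lines are assumptions made for illustration; the log format assumed is Apache's common/combined format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache common/combined log format: client IP first, timestamp in [brackets].
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def find_temp_blocks(lines, max_hits, window, block_for, allowlist=frozenset()):
    """Return {ip: expiry} for sources with more than max_hits requests in window."""
    recent = defaultdict(deque)  # ip -> request times still inside the window
    blocks = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not access-log entries
        ip, ts = m.group(1), datetime.strptime(m.group(2), TS_FORMAT)
        if ip in allowlist:
            continue  # never auto-block our own or trusted addresses
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:
            hits.popleft()
        if len(hits) > max_hits:
            blocks[ip] = ts + block_for  # block expires; continued abuse renews it
    return blocks

def active_blocks(blocks, now):
    """IPs whose temporary block has not yet expired at time `now`."""
    return sorted(ip for ip, expiry in blocks.items() if expiry > now)

BASE = datetime(2016, 5, 3, 19, 0, 0, tzinfo=timezone.utc)

def sample_log():
    """Constructed sample traffic (documentation-range IPs, not real data)."""
    def entry(ip, sec):
        ts = (BASE + timedelta(seconds=sec)).strftime(TS_FORMAT)
        return f'{ip} - - [{ts}] "GET /index.php HTTP/1.1" 200 512'
    flood = [entry("203.0.113.7", i // 10) for i in range(30)]    # 10 req/s
    admin = [entry("192.0.2.10", i // 10) for i in range(30)]     # noisy but trusted
    visitor = [entry("198.51.100.20", i * 10) for i in range(5)]  # normal browsing
    return flood + admin + visitor + ["garbage line"]

if __name__ == "__main__":
    found = find_temp_blocks(sample_log(), max_hits=20, window=timedelta(seconds=10),
                             block_for=timedelta(minutes=15),
                             allowlist={"192.0.2.10"})
    for ip, expiry in found.items():
        print(f"temporary block: {ip} until {expiry.isoformat()}")
```

The resulting list can be fed to whatever deny mechanism the firewall offers; because every entry carries an expiry, a wrongly flagged address recovers without manual cleanup.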