I have a DDoS protection proxy in place to deal with SYN floods and such. But HTTP floods are still getting through. For some reason their DDoS proxy is not blocking any of the flood. So there are about 500 IPs connecting to the box as many times as possible and maxing out at about 20k connections. This is causing PHP to spawn 1k processes, overloading the box. How can I mitigate this HTTP flood? I thought setting up an .htaccess file which required a cookie to access the site would work, but RewriteCond seems to be invoking PHP, which causes the box to overload.
How can I mitigate this?
In a situation like yours the best thing to do is to rate- and/or IP-limit connections to your server (either at your DDoS protection proxy -- if it's worth anything it will be capable of doing this -- or on your server using whatever firewall software is available (pf, iptables, etc.)).
Your goal is to stop the attacks before they hit your server using a separate firewall or your DDoS protection proxy (computationally free) or as early as possible - like during the TCP handshake process - on your server (computationally cheap) rather than trying to deal with it in the web server/application layer (computationally expensive: you had to set up the whole TCP connection and start talking to the web server before realizing you don't want to respond to this particular request).
You're on the right track with the cookie-based approach, but the initial check needs to be done using a process a lot cheaper than an Apache/PHP thread. I suggest an nginx proxy in front of your web host that forces redirecting and setting a cookie. Then only requests bearing the appropriate cookie are even allowed through to your PHP host.
And as long as you're setting up a proxy, this relatively new piece of bot-detection software is pretty impressive:
http://www.ecl-labs.org/2011/03/17/roboo-http-mitigator.html
I also highly suggest the DDoS presentation linked to from that page:
http://www.ecl-labs.org/papers/yg-ab-building_floodgates.pptx
It covers anti-DDoS concepts overall and describes why they wrote Roboo.
We managed to mitigate this attack with an .htaccess rule
and/or iptables
you might want to add multiple ports to iptables
I'd add to Voretak's reply that you should try the "LIMIT" target in iptables.
Taken from: http://www.cyberciti.biz/faq/iptables-connection-limits-howto/
Example: Limit SSH Connections Per IP / Host
Only allow 3 ssh connections per client host:
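The same per-source limiting applied to the HTTP ports the question is about, as an added example that is not from any of the answers above. It assumes iptables with the connlimit and hashlimit match modules, root privileges when actually applying rules, and uses constructed port and limit values; with DRY_RUN=1 it only prints the commands it would run.

```shell
#!/bin/sh
# Added example: per-source connection caps for HTTP ports with iptables.
# Assumes iptables with the connlimit and hashlimit modules (constructed
# values for ports and limits; tune them to your own traffic profile).

# Run an iptables command, or just print it when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Build rules for every TCP port given as an argument:
#  - connlimit: reject a new connection when the source IP already holds
#    more than MAX_CONN connections to that port (rejecting with a TCP RST
#    frees the client side quickly instead of leaving half-open state),
#  - hashlimit: drop new connections from a source that opens them faster
#    than 30/second, allowing an initial burst of 60.
# Browsers open roughly 6 parallel connections per host, so a cap of 20
# leaves room for users behind a shared NAT address.
flood_rules() {
    max_conn=${MAX_CONN:-20}
    for port in "$@"; do
        ipt -A INPUT -p tcp --syn --dport "$port" \
            -m connlimit --connlimit-above "$max_conn" --connlimit-mask 32 \
            -j REJECT --reject-with tcp-reset
        ipt -A INPUT -p tcp --syn --dport "$port" \
            -m hashlimit --hashlimit-name "http_$port" \
            --hashlimit-mode srcip --hashlimit-above 30/second \
            --hashlimit-burst 60 \
            -j DROP
    done
}

# Usage: DRY_RUN=1 sh flood_rules.sh 80 443   (print only)
#        sh flood_rules.sh 80 443             (apply, as root)
if [ "$#" -gt 0 ]; then
    flood_rules "$@"
fi
```

Both rules only match SYN packets, so they must sit before any broad ACCEPT for those ports in the INPUT chain; per-IP limits also do nothing against the source spread across many addresses, so they complement rather than replace upstream filtering.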