Ivan Barrera A. wrote:
[..cut..]
>>>>> So run the mod_status data and count connections per IP address. This
>>>>> will be way more reliable than any network-performance criteria, IMHO.
>>
>> There is already a module for this called mod_limitipconn. I did some
>> improvements to it for myself and it works nicely now. Of course it has
>> its architectural drawbacks:
>>
>> 1. It does not work on distributed attacks.
>> 2. Malicious users behind a proxy can lock out all other users behind
>>    this proxy.
>> 3. It must be configured carefully on big sites to avoid locking out
>>    legitimate users.
>
> And then, just make the DoS distributed. You can fill the connections
> again, without being the same, and taking forever to release a child.
>
> Anyways, we can keep discussing that forever.
> (And this is in the most polite way), my question wasn't about the
> better way of detecting a DoS... I just want to know where I should put
> timeout checking code. If it is possible to use a kind of filter, or
> just major tweaking of the Apache source is needed.

I know that you hate further tips on doing this differently, but I would
propose to simply lower the value of Timeout and KeepAliveTimeout to 3
seconds. Even if it would be possible to write a filter which does this
job (which I doubt), you would have to define some kind of "Timeout" after
which you regard a connection as malicious. But from a quick view in the
code I assume that you would need to improve the logging in cases of
HTTP_REQUEST_TIME_OUT and aborted connections such that you can use it
for your firewall to lock out these IPs.

[..cut..]

Regards

Rüdiger
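An added example, not from any participant in this thread, of the "count connections per IP from mod_status" idea combined with the timeout angle Ivan asks about: it parses an ExtendedStatus scoreboard table and counts, per client IP, workers that have sat in the "R" (reading request) state longer than a threshold. The column names (M, SS, Client) are the ones mod_status prints; the sample table, the IPs and the thresholds are constructed for this example.

```python
from collections import Counter
from html.parser import HTMLParser

# Constructed sample of a mod_status ExtendedStatus scoreboard: one client holds
# three workers in 'R' (reading request) for ~40 s, the other two rows are normal.
SAMPLE_STATUS = """<table border="0">
<tr><th>Srv</th><th>PID</th><th>Acc</th><th>M</th><th>CPU</th><th>SS</th><th>Req</th><th>Conn</th><th>Child</th><th>Slot</th><th>Client</th><th>VHost</th><th>Request</th></tr>
<tr><td><b>0-0</b></td><td>1201</td><td>0/3/3</td><td><b>R</b></td><td>0.01</td><td>41</td><td>0</td><td>0.0</td><td>0.00</td><td>0.01</td><td>192.0.2.10</td><td>www.example.test</td><td>..reading..</td></tr>
<tr><td><b>1-0</b></td><td>1202</td><td>0/4/4</td><td><b>R</b></td><td>0.01</td><td>39</td><td>0</td><td>0.0</td><td>0.00</td><td>0.01</td><td>192.0.2.10</td><td>www.example.test</td><td>..reading..</td></tr>
<tr><td><b>2-0</b></td><td>1203</td><td>0/2/2</td><td><b>R</b></td><td>0.01</td><td>37</td><td>0</td><td>0.0</td><td>0.00</td><td>0.01</td><td>192.0.2.10</td><td>www.example.test</td><td>..reading..</td></tr>
<tr><td><b>3-0</b></td><td>1204</td><td>0/9/9</td><td><b>W</b></td><td>0.20</td><td>1</td><td>12</td><td>1.2</td><td>0.05</td><td>0.30</td><td>198.51.100.7</td><td>www.example.test</td><td>GET / HTTP/1.1</td></tr>
<tr><td><b>4-0</b></td><td>1205</td><td>0/1/1</td><td><b>R</b></td><td>0.00</td><td>2</td><td>0</td><td>0.0</td><td>0.00</td><td>0.00</td><td>203.0.113.5</td><td>www.example.test</td><td>..reading..</td></tr>
</table>"""

class ScoreboardParser(HTMLParser):
    """Collect every <tr> of the scoreboard table as a list of cell strings."""
    def __init__(self):
        super().__init__()
        self.rows, self._row, self._cell = [], None, None
    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self._row = []
        elif tag in ("td", "th") and self._row is not None:
            self._cell = []
    def handle_endtag(self, tag):
        if tag in ("td", "th") and self._cell is not None:
            self._row.append("".join(self._cell).strip())
            self._cell = None
        elif tag == "tr" and self._row is not None:
            self.rows.append(self._row)
            self._row = None
    def handle_data(self, data):
        if self._cell is not None:
            self._cell.append(data)

def stalled_readers(status_html, min_seconds):
    """Per client IP, count workers sitting in 'R' (reading the request) for at
    least min_seconds (the SS column). Column positions come from the header row."""
    p = ScoreboardParser()
    p.feed(status_html)
    header, *rows = p.rows
    m, ss, client = header.index("M"), header.index("SS"), header.index("Client")
    return Counter(r[client] for r in rows
                   if len(r) == len(header) and r[m] == "R" and int(r[ss]) >= min_seconds)

def offenders(counts, max_stalled):
    """IPs holding more than max_stalled stalled workers: candidates for a firewall
    rule, with the thread's caveat that a shared proxy looks like one client."""
    return sorted(ip for ip, n in counts.items() if n > max_stalled)
```

Fetch the page with ExtendedStatus On from a host allowed by the server-status Location, feed the HTML to stalled_readers, and pick thresholds well above what a slow legitimate client or a busy proxy would produce.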
