It was thus said that the Great Maxim Vexler once stated:
>
> > > What can be done to stop the "attack" ?
> > >
> > It's pretty easy to stop this under Linux (this may work under other Unix
> > flavors if you adjust the command accordingly), by doing, as root:
> > #GenericRootUnixPrompt> route add -host <ip.address.of.attacker> reject
> > This will cause Linux to ignore any packets from the given IP address (if it
> > doesn't work, try "route add <ip.address> netmask 255.255.255.255 reject").
> > -spc
>
> Sean, thank you for the quick replay.
> Don't you think that a complete block on the client's IP is a too rush tactic?
> It's a legitimate user, his only fault was that he used this spidering
> tool, which had the side effect of DoS on the httpd daemon, I honestly
> don't think the client meant this to occur.
It depends upon who you talk to; some admins I know would consider that
being too leinient. But as a stop-gag measure to keep your server up it's
not that bad, and you can always remove the block just as easily ("route del
<ip.address> reject") once it's been resolved).
> I would like to note that I'm looking for some kind of automatic tool
> to fight this.
> Maybe a mod for Apache that could reject the client at the httpd
> daemon level on a time based period? the logic behind this is that
> this machine is not frequently monitored and I would prefer some kind
> of automatic solution.
I know of some people that have a process monitoring the log files and if
something hits too fast (or hits something it shouldn't hit) the log
monitoring process will block the IP address, either by adding it to the
Apache configuration or by the method I described. I know such programs
exist, but I've never used them so I can't help you there.
-spc
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
" from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
