Hi guys.  I'm in the process of writing some custom server code that
uses TCP sockets.  This is totally unrelated to Apache and the HTTP
protocol (but please read on, I'll get there).  I have quite a bit of
experience writing server code that communicates with UDP, but I've
had relatively little experience with TCP.  One of my big concerns
whenever I write server code is the possibility of flooding the
service with requests (DoS attack).

I started thinking about TCP and what would happen when a typical
service such as httpd was flooded with many almost idle TCP
connections.  I happen to run a couple of dedicated server boxes in a
data center that host a few amateur websites (amateur in the sense
that it's a hobby and it is in no way making me a profit).  I started
thinking about how Apache would handle a connection flood attack.

So I wrote a computer program that tries to flood a service with TCP
connections.  The program does the following.  It first determines
what data to send to a server (array of bytes), and where to send it
to (sendTo hostname and sendTo port).  In my case for purposes of
running this test, the data to send is specified as an HTTP request
that I assembled by hand (well actually I intercepted an actual HTTP
request and modified it slightly).  Another parameter the program
takes is how many simultaneous TCP connections to open to the sendTo
host.  The program creates that many threads, and each thread creates
a socket to the sendTo host.  Each thread starts sending the data at a
very low speed.  It sends some small number of bytes after random
amounts of sleep/delay time, and keeps sending the data until all data
is sent.  It then reads socket input until the end of the input
arrives (using "Connection: close" in my HTTP request).

So what I did was run my program with 100 threads (100 simultaneous
TCP connections) that connected to my Apache httpd server.  The
program sent a few hundred bytes worth of HTTP headers in each
connection during a timespan of about one minute.

The httpd server that I sent this data to is configured with
"MaxClients 80", and it's using a pretty standard configuration that
comes with apache22 from ports on FreeBSD.  I believe it's using
mpm_prefork_module because I get a separate process showing up in top
for each request that is serviced (in my test case I got 80 or so
processes showing up in top).

So, when I run the 100 thread program against my max-80-clients
server, and each of the 100 threads takes over one minute to send the
complete HTTP request header, my Apache httpd server becomes
unavailable to other incoming connections.  In other words, it's a DoS
attack originating from a single client host.

I'm wondering what methods are preferred for preventing this sort of
attack.  I'm wondering this for two reasons: 1) I want to secure my
websites and 2) I want to learn techniques that address this issue
because I'm writing my own TCP-oriented server software.

I have read this page:
http://httpd.apache.org/docs/trunk/misc/security_tips.html
It seems that the best suggestion learned there is to configure a
system-wide firewall which limits the number of concurrent TCP
connections from a single IP address to port 80.  Is this indeed a
good strategy to follow?  If so, what is a good number of maximum TCP
connections to allow concurrently from a single IP address to port 80?
I know this depends on things such as my website, but I really just
want to get a ballpark figure and reasons for that figure.

I'm also wondering if there exist any other good strategies for
dealing with a DoS attack as described above, coming from a single
host.  I do have the cband_module enabled for one of my virtual hosts.
I'm using the cband module for a particular website to limit the
number of concurrent connections from one IP address to 1.  Because of
this, it seems that I cannot place anything more than a simple HTML
page on that virtual host (if I add images to a page for example,
downloading them will fail).  That's OK, because that particular
website is only doing a very CPU-intensive number-crunching activity
for clients that connect.  I am hosting images that go on that page on
a different virtual host that does not have cband activated.  I
noticed that the cband module takes effect at a rather higher level
than just at the lowest level TCP connection.  It does not work quite
the way I would expect it to work (there are some race conditions
which allow multiple CPU-crunching requests to be processed from the
same IP address concurrently on my website).

Your thoughts are very much appreciated.
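One defender-side check for the situation described above, added here as an example and not the poster's own code: count ESTABLISHED connections per remote IPv4 address to a given local port from `netstat -an -p tcp` style output, which makes a single host holding many slow, mostly idle connections stand out before MaxClients is exhausted. The netstat lines below are constructed sample data in FreeBSD's column layout, and the threshold of 5 is an assumption, not a recommendation.

```sh
#!/bin/sh
# Constructed sample in the layout of FreeBSD `netstat -an -p tcp`:
# the local and foreign addresses carry the port after a final dot.
# 198.51.100.7 holds 7 slow connections to port 80; 192.0.2.44 holds 2.
SAMPLE='Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 203.0.113.10.80        198.51.100.7.51002     ESTABLISHED
tcp4       0      0 203.0.113.10.80        198.51.100.7.51003     ESTABLISHED
tcp4       0      0 203.0.113.10.80        198.51.100.7.51004     ESTABLISHED
tcp4       0      0 203.0.113.10.80        198.51.100.7.51005     ESTABLISHED
tcp4       0      0 203.0.113.10.80        198.51.100.7.51006     ESTABLISHED
tcp4       0      0 203.0.113.10.80        198.51.100.7.51007     ESTABLISHED
tcp4       0      0 203.0.113.10.80        198.51.100.7.51008     ESTABLISHED
tcp4       0      0 203.0.113.10.80        192.0.2.44.40120       ESTABLISHED
tcp4       0      0 203.0.113.10.80        192.0.2.44.40121       ESTABLISHED
tcp4       0      0 203.0.113.10.22        198.51.100.7.60000     ESTABLISHED
tcp4       0      0 203.0.113.10.80        192.0.2.99.33000       TIME_WAIT
tcp4       0      0 *.80                   *.*                    LISTEN'

# over_limit PORT LIMIT: read netstat output on stdin and print
# "count ip" for every remote IPv4 address holding more than LIMIT
# ESTABLISHED connections to local PORT, most connections first.
# Only tcp4 rows are handled; tcp6 rows use a different address form.
# Only ESTABLISHED is counted, because a slow-header client keeps the
# connection fully open while the server waits for the rest of the request.
over_limit() {
    port="$1"; limit="$2"
    awk -v port="$port" -v limit="$limit" '
        $1 == "tcp4" && $6 == "ESTABLISHED" {
            n = split($4, l, ".")            # local address: last field is the port
            if (l[n] != port) next
            split($5, f, ".")                # foreign address: first four fields are the IP
            ip = f[1] "." f[2] "." f[3] "." f[4]
            count[ip]++
        }
        END { for (ip in count) if (count[ip] > limit) print count[ip], ip }
    ' | sort -rn
}

# Stand-alone run against the constructed sample; on a live box replace
# the printf with:  netstat -an -p tcp | over_limit 80 5
printf '%s\n' "$SAMPLE" | over_limit 80 5
```

Run periodically from cron or a monitoring hook, the output is the list of source addresses a per-IP connection cap (firewall or otherwise) would have had to act on.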

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.