How to Stop a Denial of Service on a web server

The basic principle is to identify where the requests are coming from (IP address) and update the Apache config to deny connections from that IP.

Update: We're now running the limitipconn module to automatically limit simultaneous connections from a single IP, so the following should be less likely.

For now this is just a repost of what I sent to the list:

Beezer ran out of memory over lunch. The oom killer zapped something important which meant I couldn't log into it (even as root on the console).

Sending it a Break-Kill let me log in as root and then reboot. From the serial console:

CTRL-] CTRL-] l 0 i      # That's "elle-zero-eye"

Some of the vision groups pages were/are being swamped by 219.143.205.101. I've denied him access by adding:

RewriteEngine On
# Dots are escaped so that each one matches only a literal "."
RewriteCond %{REMOTE_ADDR} ^219\.143\.205\.101$
RewriteRule ^.* - [forbidden]
to the beezer:/disk/beezer1/httpd/conf/groups.conf file. (Note that beezer is the new stoater for just now). The above is a better way of denying that IP, rather than the previous:

<location /vision/CAVIAR/CAVIARDATA1 >
  order allow,deny
  Deny from 219.143.205.101
</location>

This is because, if you are not denied, then you are allowed (duh!), but that allow overrides any other sort of denies that may be in .htaccess files or <directory> directives that were protecting that area, i.e. you could be opening up access to more than was originally configured. So that deny isn't "also deny"; it is "forget all existing allow/deny and only deny connections from that IP, everyone else gets in".

-- NeilBrown - 18 Mar 2010
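
The two steps above (find the offending address, then deny it with a RewriteCond) can be scripted. The following is an added example, not part of the original post or of the site's configuration; the function names, the threshold and the sample log lines are assumptions made for illustration, and the sample addresses are constructed from documentation ranges.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample access log (Common Log Format): one noisy client,
# one normal client and one malformed line.
SAMPLE_LOG = "\n".join(
    ['203.0.113.9 - - [18/Mar/2010:12:00:%02d +0000] "GET /vision/ HTTP/1.0" 200 512' % s
     for s in range(40)]
    + ['198.51.100.7 - - [18/Mar/2010:12:01:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
       'badline']
)

def top_talkers(log_text, threshold):
    """Return [(ip, hits)] for clients with at least `threshold` requests."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split(None, 1)
        if not fields:
            continue
        try:
            # The first field may be a hostname or junk; count only real IPv4 addresses.
            ip = ipaddress.IPv4Address(fields[0])
        except ValueError:
            continue
        counts[str(ip)] += 1
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]

def deny_stanza(ips):
    """Build RewriteCond/RewriteRule lines that return 403 for the given IPs."""
    if not ips:
        # Without a RewriteCond the rule would forbid every client, so emit nothing.
        return ""
    lines = ["RewriteEngine On"]
    for i, ip in enumerate(ips):
        # Escape the dots and chain all but the last condition with [OR].
        flag = " [OR]" if i < len(ips) - 1 else ""
        lines.append("RewriteCond %{REMOTE_ADDR} ^" + re.escape(ip) + "$" + flag)
    lines.append("RewriteRule ^.* - [forbidden]")
    return "\n".join(lines)

if __name__ == "__main__":
    offenders = top_talkers(SAMPLE_LOG, threshold=20)
    for ip, hits in offenders:
        print("%-15s %d requests" % (ip, hits))
    print(deny_stanza([ip for ip, _ in offenders]))
```

Review the generated stanza before adding it to the config, since a shared proxy or NAT address can look like a single abusive client.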

Topic revision: r2 - 05 Aug 2011 - 14:29:21 - NeilBrown