
I have a DDoS protection proxy in place to deal with SYN floods and such. But HTTP floods are still getting through. For some reason their DDoS proxy is not blocking any of the flood. So there are about 500 IPs connecting to the box as many times as possible and maxing out at about 20k connections. This is causing PHP to spawn 1k processes, overloading the box. How can I mitigate this HTTP flood? I thought setting up an .htaccess file which required a cookie to access the site would work, but RewriteCond seems to be invoking PHP, which causes the box to overload.

How can I mitigate this?

Insyte
Will

4 Answers

3

In a situation like yours the best thing to do is to rate- and/or IP-limit connections to your server (either at your DDoS protection proxy -- if it's worth anything it will be capable of doing this -- or on your server using whatever firewall software is available (pf, iptables, etc.)).

Your goal is to stop the attacks before they hit your server using a separate firewall or your DDoS protection proxy (computationally free) or as early as possible - like during the TCP handshake process - on your server (computationally cheap) rather than trying to deal with it in the web server/application layer (computationally expensive: you had to set up the whole TCP connection and start talking to the web server before realizing you don't want to respond to this particular request).

voretaq7
  • I found a good solution when using Apache is mod_qos. There you can set parameters per client, like how many connections, and some other options. – derchris Mar 21 '11 at 15:30
  • Well I set up an HTTP listener and I had it ban IPs that connected too many times without a cookie that was set via JavaScript, and that worked nicely except it couldn't forward the connection to the server as it broke keep-alive, which ended up making it very slow. Is there a web server that uses something like .htaccess that can proxy connections that doesn't use PHP? Cause my only problem right now is that LiteSpeed .htaccess is invoking PHP, which is what is overloading. – Will Mar 21 '11 at 15:31
  • @derchris `mod_qos` is great, except it means the connection has to reach apache in order to be kicked out -- that said it's much less expensive computationally than a cookie-check :-) – voretaq7 Mar 21 '11 at 16:03
2

You're on the right track with the cookie-based approach, but the initial check needs to be done using a process a lot cheaper than an Apache/PHP thread. I suggest an nginx proxy in front of your web host that forces redirecting and setting a cookie. Then only requests bearing the appropriate cookie are even allowed through to your PHP host.

And as long as you're setting up a proxy, this relatively new piece of bot-detection software is pretty impressive:

http://www.ecl-labs.org/2011/03/17/roboo-http-mitigator.html

I also highly suggest the DDoS presentation linked to from that page:

http://www.ecl-labs.org/papers/yg-ab-building_floodgates.pptx

It covers anti-DDoS concepts overall and describes why they wrote Roboo.

Insyte
  • Thanks for the links. So does nginx have something that can check if there is a cookie and if not redirect to an HTML page without invoking PHP? If not, guess I'll look into Roboo. Thanks again. – Will Mar 21 '11 at 15:44
  • Well, the whole point is that you wouldn't even *install* PHP on the host running nginx. It would be acting as a proxy in front of your PHP server. And yeah, it can check for the presence of a cookie and respond appropriately. Check out the HttpRewriteModule: http://wiki.nginx.org/HttpRewriteModule – Insyte Mar 21 '11 at 16:08
  • Does nginx have a rewrite like [P] which proxies the connection? I want to have it proxy the connection to a filter program that is listening on another port that logs the number of failed cookie attempts and blocks the IPs to reduce the number of connections to the box. – Will Mar 21 '11 at 16:18
  • Never mind, reading through the proxy module right now. – Will Mar 21 '11 at 16:41
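As an added illustration of the front-proxy approach described in this answer (and of the "log failed cookie attempts" idea in the comments), here is an nginx configuration that is not from the answer's author or from the linked projects. It assumes a PHP host at 10.0.0.2, a cookie named `gate`, a per-address cap of 20 concurrent connections and current nginx directive names (`limit_conn_zone`/`limit_conn`); all of these are constructed values. A request without the cookie is answered entirely by nginx with a tiny static page whose JavaScript sets the cookie and reloads, so the flood never reaches PHP; cookie-less hits are written to a separate log that an external blocking script can count per IP.

```nginx
# Added example, not from the original page. Assumed: PHP backend at 10.0.0.2,
# cookie name "gate", 20 concurrent connections per client address.
http {
    # Concurrent-connection cap per client, keyed on the raw address bytes.
    limit_conn_zone $binary_remote_addr zone=perip:10m;

    # Separate log for cookie-less requests, so a blocker can count them per IP.
    log_format gate '$remote_addr "$http_user_agent" cookie=$cookie_gate';

    upstream php_backend {
        server 10.0.0.2:80;
    }

    server {
        listen 80;
        server_name example.com;   # constructed name
        limit_conn perip 20;

        location / {
            # Responses generated by "return" for "/" fall back to this type.
            default_type text/html;

            # No gate cookie: serve the static gate page from nginx itself.
            # Nothing is proxied to the PHP host for this request.
            if ($cookie_gate != "ok") {
                access_log /var/log/nginx/gate.log gate;
                return 200 '<!DOCTYPE html><html><head><script>document.cookie="gate=ok; path=/";location.reload();</script></head><body>Loading...</body></html>';
            }

            # Cookie present: hand the request to the PHP host.
            proxy_pass http://php_backend;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
        }
    }
}
```

Two properties of this gate are worth keeping in mind. It filters only clients that do not execute JavaScript or keep cookies, which is exactly the dumb-flood case in the question; anything that does run JavaScript passes, and a client with cookies disabled will loop on the reload. It is also still an application-layer check, cheaper than a PHP process but not free, which is why voretaq7's point about limiting at the firewall or at the DDoS proxy first still applies; the `limit_conn` line here is the nginx-level equivalent of that cap, not a replacement for it.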
0

We managed to mitigate this attack with an .htaccess rule

RewriteEngine On

SetEnvIf User-Agent ".*MSIE 6.0; Windows NT 5.1; SV1.*" dontlog
RewriteCond %{HTTP_USER_AGENT} ".*MSIE 6.0; Windows NT 5.1; SV1.$" [OR]
RewriteCond %{HTTP_USER_AGENT} ".*MSIE 6.0; Windows NT 5.1;1813.$" [OR]
RewriteCond %{HTTP_USER_AGENT} "^(?:User-Agent: )?Mozilla/4.0 \(compatible; MSIE 6.0; Windows NT 5.1;(?: SV1|1813)\)$" [OR]
RewriteCond %{HTTP_USER_AGENT} "MSIE 6.0; Windows NT 5.1; SV1"
RewriteRule ^(.*)$ http://127.0.0.1/$1 [R=302,L]

and/or iptables

iptables -I INPUT 1 -p tcp --dport 80 -m string --string "MSIE 6.0; Windows NT 5.1; SV1" --algo bm -j DROP

You might want to add multiple ports to iptables.

Benn
0

I'd add to voretaq7's reply that you might want to try the "LIMIT" target in iptables.

Taken from: http://www.cyberciti.biz/faq/iptables-connection-limits-howto/

Example: Limit SSH Connections Per IP / Host
Only allow 3 ssh connections per client host:

/sbin/iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
# save the changes see iptables-save man page, the following is redhat and friends
# specific command
service iptables save
niglesias