Hello,
How about giving iptables with hashlimit a try? I have already used it with success to prevent botnet DDoS attacks against web servers. Something like:
# Per-source-IP SYN rate limit: a SYN to port 80 is accepted while its source stays under
# 25/s with a burst of 20 (hashlimit keeps one bucket per srcip; newer iptables spells the
# option --hashlimit-upto). INETIN is a custom chain assumed to exist; $LOG_LEVEL is
# assumed to be set beforehand.
iptables -t filter -A INETIN -p tcp --syn -s 0/0 --dport 80 -m hashlimit --hashlimit 25/s --hashlimit-burst 20 --hashlimit-mode srcip --hashlimit-name HTTP -j ACCEPT
# SYNs over the limit fall through to here: log them, rate-limited with -m limit so the
# log itself cannot be flooded ...
iptables -t filter -A INETIN -p tcp --syn -s 0/0 --dport 80 -m limit --limit 1/s --limit-burst 5 -j LOG --log-level $LOG_LEVEL --log-prefix "[HTTP_DROPPED_NEW] : "
# ... and then drop them. Only the excess SYNs are dropped; established connections are not touched.
iptables -t filter -A INETIN -p tcp --syn -s 0/0 --dport 80 -j DROP
# Reached only by port-80 packets conntrack marks NEW that are not SYNs, since every SYN was
# handled above; ESTABLISHED,RELATED traffic is assumed to be accepted earlier in the chain.
iptables -t filter -A INETIN -p tcp -s 0/0 --dport 80 -m state --state NEW -j ACCEPT
That should fix it... Of course, set the hashlimit parameters to values your mirror can take.
Greetings
Juergen
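To see what the two numbers in the hashlimit rule actually do before putting them on a mirror, here is a small model of the per-source token bucket that xt_hashlimit implements. It is an added illustration, not code from this thread or from the iptables project: each source IP gets a bucket that starts full with `burst` tokens, refills at `rate` tokens per second, and lets a SYN through only while a whole token is available; the rest fall to the LOG and DROP rules. The traffic sample (RFC 5737 documentation addresses, one flooding bot and one normal client) is constructed, and the model ignores the kernel's jiffy quantisation of credits, so real counts can differ by a packet at the boundary.

```python
"""Model of iptables' per-source SYN rate limit (-m hashlimit --hashlimit-mode srcip).

Added illustration, not code from the CentOS-mirror thread. Only SYNs are fed
through the bucket, as with `-p tcp --syn`; packets of established connections
never reach those rules. Exact fractions avoid rounding artefacts in the model.
"""
from collections import defaultdict
from fractions import Fraction


class SrcIpHashlimit:
    """One token bucket per source IP, like --hashlimit-upto/--hashlimit-burst."""

    def __init__(self, rate_per_sec, burst):
        self.rate = Fraction(rate_per_sec)   # tokens added per second
        self.burst = Fraction(burst)         # bucket capacity, also the initial fill
        self.tokens = {}                     # srcip -> tokens currently available
        self.last_ms = {}                    # srcip -> time of the last SYN seen

    def match(self, srcip, t_ms):
        """True when the SYN from srcip at time t_ms is still within the limit."""
        if srcip not in self.tokens:
            # first packet from this source: new bucket, full
            self.tokens[srcip] = self.burst
            self.last_ms[srcip] = t_ms
        elapsed_s = Fraction(t_ms - self.last_ms[srcip], 1000)
        self.tokens[srcip] = min(self.burst, self.tokens[srcip] + elapsed_s * self.rate)
        self.last_ms[srcip] = t_ms
        if self.tokens[srcip] >= 1:
            self.tokens[srcip] -= 1
            return True
        return False


def classify_syns(syns, rate_per_sec=25, burst=20):
    """Run (t_ms, srcip) SYN arrivals through the limiter.

    Returns {srcip: (accepted, dropped)}; "accepted" are the SYNs the hashlimit
    rule would ACCEPT, "dropped" the ones that fall through to LOG and DROP.
    """
    limiter = SrcIpHashlimit(rate_per_sec, burst)
    counts = defaultdict(lambda: [0, 0])
    for t_ms, srcip in sorted(syns):
        counts[srcip][0 if limiter.match(srcip, t_ms) else 1] += 1
    return {ip: tuple(c) for ip, c in counts.items()}


# Constructed sample, not captured traffic (RFC 5737 documentation ranges):
#  - 203.0.113.7 sends 200 SYNs in one second, one every 5 ms (a flooding bot)
#  - 198.51.100.4 opens 10 connections in the same second, one every 100 ms
FLOOD_IP = "203.0.113.7"
NORMAL_IP = "198.51.100.4"
SAMPLE_SYNS = ([(i * 5, FLOOD_IP) for i in range(200)]
               + [(i * 100, NORMAL_IP) for i in range(10)])

if __name__ == "__main__":
    for ip, (ok, dropped) in sorted(classify_syns(SAMPLE_SYNS).items()):
        print(f"{ip:14} accepted={ok:3d} dropped={dropped:3d}")
```

With 25/s and a burst of 20, the bot gets its first 22 SYNs through, then roughly one in eight, while the normal client is never touched because its bucket refills faster than it drains. Raising the rate to 250/s lets the whole flood through, which is the knob Juergen means by "parameters which your mirror can take": the burst bounds how many connections one address can open at once, the rate bounds how many it can sustain.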
Emil wrote:
--On Friday, January 22, 2010 18:55:11 +0530 "Prof. P. Sriram" sriram@ae.iitm.ac.in wrote:
On Fri, 22 Jan 2010, Emil wrote:
I'm curious, though, as to why you block them completely instead of just putting them under some concurrency limit.
The addresses are already under the concurrency limit as described in the original post. Netfilter kicks in when there is a certain volume (requests per minute) EXCEEDING the concurrency limit. A human being exceeding the concurrency limit gets an HTTP 503 Service Unavailable message and will hopefully try again only after some time, when the concurrency limit is not being exceeded. Well, that is the plan, anyway.
Still, the concurrency limit is within Apache, right? What I meant was to put an (additional) limit in netfilter instead of a "complete" block.
Should you only block new connections when the "ban" kicks in, it won't be too bad, and the effect for the "visitor" should be very similar to a more gentle limit-based approach. If, however, you put a block based only on the IP address, existing connections will fail to complete, which obviously will give them a valid reason to start again as soon as the ban is lifted.
Anyway, thanks for the tip on fail2ban, I may put that to use in other places!
Regards, Emil
CentOS-mirror mailing list CentOS-mirror@centos.org http://lists.centos.org/mailman/listinfo/centos-mirror