[NCLUG] http_tarpit using mod_python
Sean Reifschneider
jafo at tummy.com
Mon Mar 6 01:18:15 MST 2006
On Fri, Feb 24, 2006 at 04:10:37PM -0700, Stephen Warren wrote:
>client IPs when they perform an excessive number of transactions
>resulting in e.g. HTTP_UNAUTHORIZED.
It's an interesting idea. I think the use of tarpitting leads to leaving
it open for DoS attacking though. Since each connection takes up a slot in
Apache until the tarpit timer expires, other clients can't get serviced in
that time. You'd probably be better off to just return some sort of a "too
many login failures" sort of page rather than tarpitting.

Would be nice if there were a way you could tell Apache to delay handling
the connection for some period of time, and just let it sit un-acked for
some seconds. Like in a firewall. You could at least add that remote IP
to a "hashlimit" iptables block so that they'd be severely limited once
they hit the auth page too many times. However, CentOS doesn't have
hashlimit available for it, easily...

Clearly you need this:
http://netfilter.org/projects/patch-o-matic/pom-extra.html#pom-extra-TARPIT

This makes me wonder if it would be useful to implement a "max concurrent
connections" throttler, or throttle on number of connections per minute.
There used to be a real good module for doing this, but it wasn't ported to
Apache 2. Might be easy enough to do in mod_python.

I'd also consider putting the log directory in /dev/shm.
Sean
--
If java had real garbage-collection, it would delete most programs
before it executed them. -- Sean Reifschneider, 2002
Sean Reifschneider, Member of Technical Staff <jafo at tummy.com>
tummy.com, ltd. - Linux Consulting since 1995: Ask me about High Availability
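The "too many login failures" page and the connections-per-minute throttler discussed in the post, sketched as an added example (not code from the thread or from mod_python): a per-IP sliding-window counter that refuses immediately, so the Apache worker slot is released at once instead of being held in a tarpit. The HTTP status constants and the `decide()` entry point are constructed stand-ins; wiring `decide()` into a mod_python handler is assumed.

```python
"""Per-IP sliding-window throttle that answers at once instead of tarpitting."""
from collections import defaultdict, deque

# Constructed stand-ins for the apache.HTTP_* constants a mod_python handler would use.
HTTP_OK = 200
HTTP_UNAUTHORIZED = 401
HTTP_FORBIDDEN = 403


class SlidingWindowThrottle:
    """Count events per client IP inside a time window; no connection is held open."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self._events = defaultdict(deque)  # ip -> timestamps of recent events

    def _prune(self, ip, now):
        q = self._events[ip]
        while q and now - q[0] >= self.window:  # drop events older than the window
            q.popleft()
        return q

    def record(self, ip, now):
        self._prune(ip, now).append(now)

    def count(self, ip, now):
        return len(self._prune(ip, now))

    def exceeded(self, ip, now):
        return self.count(ip, now) >= self.limit


# Two throttles: failed logins per IP, and total requests per IP per minute.
LOGIN_FAILURES = SlidingWindowThrottle(limit=5, window_seconds=300)
REQUESTS_PER_MINUTE = SlidingWindowThrottle(limit=60, window_seconds=60)


def decide(ip, credentials_ok, now, failures=LOGIN_FAILURES, requests=REQUESTS_PER_MINUTE):
    """Return the status to send for one request from `ip` at time `now`.

    A client over either limit gets an immediate refusal (the "too many login
    failures" page) rather than a delayed response, so other clients keep
    getting serviced. Refused attempts are still counted, so a client that
    keeps hammering stays blocked until it backs off for a full window.
    """
    blocked = requests.exceeded(ip, now) or failures.exceeded(ip, now)
    requests.record(ip, now)
    if blocked:
        return HTTP_FORBIDDEN
    if not credentials_ok:
        failures.record(ip, now)
        return HTTP_UNAUTHORIZED
    return HTTP_OK
```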