Re: FreeBSD 4.7 protectie serioasa anti flood
Hi,
Ipoteza: acel flood contine numai/sporadic pachete (SYN) TCP spre
portul 80. Care determina cresterea proceselor Apache. Eventual si alte
servicii pe alte porturi.
O posibila solutie: HTTP accept filters. Quoting accf_http(9):
It prevents the application from receiving the connected descriptor via
accept() until either a full HTTP/1.0 or HTTP/1.1 HEAD or GET request has
been buffered by the kernel.
The utility of accf_http(9) is such that a server will not have to con-
text switch several times before performing the initial parsing of the
request. This effectively reduces the amount of required CPU utilization
to handle incoming requests by keeping active processes in preforking
servers such as Apache low and reducing the size of the filedescriptor
set that needs to be managed by interfaces such as select(), poll() or
kevent() based servers.
Exista si varianta generica accf_data(9) pentru alte servicii. Din cate
tin minte Apache-ul de la o anumita versiune suporta acest mecanism.
Hope it helps,
Ady (@rofug.ro)
On Fri, 6 Jun 2003, Malin wrote:
>
> salut,
>
> Nu pica din cauza umplerii "tevi" creste incarcarea procesorului .. undeva pe
> la 140% pica. Din pacate in timp de pace serverul are o incarcare de genu
> acesta
> last pid: 57629; load averages: 0.40, 0.50, 0.40
> up 13+02:50:29 16:16:53
> 194 processes: 2 running, 192 sleeping
> CPU states: 0.4% user, 3.1% nice, 4.3% system, 1.9% interrupt, 90.3% idle
> Mem: 77M Active, 14M Inact, 112M Wired, 13M Cache, 32M Buf, 1080K Free
> Swap: 750M Total, 182M Used, 568M Free, 24% Inuse
>
>
> procesele cele mai multe sunt httpd
>
> posibilitatile mele de download (ating aproximativ 10M/s) serverul incepe sa
> balbaie dupa un flood de minim 15 minute de flood serios (un trafic pe
> download de minim 6M/s sustinut) dupa o jumatate de ora maxim o ora incep sa
> pice programele din lipsa de spatiu memorie. Finalmete daca flodul dureaza
> mai mult de 10 ore ..
>
> problema se pare ca floodul imi creste peste masura capacitatile procesorului
> si al memorie pe care o am. Ar fi o varianta sa maresc swapul dar oare e
> indeajuns ? Un firewall bine facut nu m-ar ajuta mai mult ?
> Best Regards,
> Malin
>
> On Friday 06 June 2003 18:03, you wrote:
> > Huh... ce tip de atac mai exact ? Daca pur si simplu iti umple capacitatea
> > legaturii tale cum crezi ca cu firewall te poti proteja ? Smile poate
> > firewall la upstream provider ...
[rofug] Re: FreeBSD 4.7 protectie serioasa anti flood
[rofug] Re: FreeBSD 4.7 protectie serioasa anti flood
Prev by Date: [rofug] Re: FreeBSD 4.7 protectie serioasa anti flood
Next by Date: [rofug] apache with frontpage ext
Previous by thread: [rofug] Re: FreeBSD 4.7 protectie serioasa anti flood
Next by thread: [rofug] Re: FreeBSD 4.7 protectie serioasa anti flood
Subiect: protectie serioasa anti flood by k1NdEr 
Mier Oct 15, 2008 11:49 pm