Instead of describing what’s happening I’ll post a screenshot of Apache’s server-status page:
It is a Nigerian IP.
I’ve been having this problem for years now and I’ve never found a viable solution except banning the attacker’s IP and waiting for the jerk to return via another one.
Here’s a bit of further explanation. The site is custom developed, and that download page is only accessible if the user is logged into the site; otherwise a redirection to the login page is served. If the user is logged in, it serves quite a big file. But after serving it once, the site has a RapidShare-like policy, meaning that the user has to wait. So the second time it is accessed it will only serve an error message telling the user to wait. However, it looks like the attacker somehow succeeds in opening a connection, and then another one, and then yet another one, until MySQL on my server chokes up and starts throwing errors.
If this kind of attack is a known one, has a name, and there are known solutions on how to avoid it, redirect me. Any feedback or ideas are very welcome because I’m slowly going crazy here.
There are a few approaches that you can use:
One specific tool that is set up to help in situations like this is mod_evasive:
http://www.zdziarski.com/projects/mod%5Fevasive/
You can block according to the following criteria:
* Requesting the same page more than a few times per second
* Making more than 50 concurrent requests on the same child per second
* Making any requests while temporarily blacklisted (on a blocking list)
Another alternative would be to roll something of your own that scrapes the Apache status from the command line (very easy, I’ve done it before), sorts by IP and URL, and then drops it.
Otherwise I think the only other ‘good’ solution is similar to the one mentioned above: log IP activity to that page over, say, 5 minutes, and then if they cross that threshold, have a script scrape through and drop them in the firewall. You also don’t necessarily have to block it; you could do something like the following, which would prevent new connections after 30 attempts (adjust as appropriate for the correct eth device):
# record the source of every new connection to port 80 in the "recent" list
iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
# inserted second, so it lands above the --set rule and is checked first:
# drop a new connection if this source already has 30 hits in the last 60 seconds
iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 31 -j DROP
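The "log activity to that page over 5 minutes and drop whoever crosses the threshold" approach, as an added example that is not code from the thread: it reads Apache combined-format access log lines, keeps a sliding window of hits per client IP against the protected URL, and emits (but does not run) an iptables rule for each offender. The log lines, the IP addresses and the `/download.php` path are constructed for the example and are not from the original post.

```python
"""Sliding-window request counter over Apache access logs (added example).

Flags client IPs that hit a protected URL more than `threshold` times inside
any `window`-long interval and prints the iptables command that would drop them.
All log data below is constructed; addresses are documentation-range IPs.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, path) for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("time"), TIME_FMT), m.group("path")


def find_offenders(lines, path_prefix, window=timedelta(minutes=5), threshold=30):
    """Return {ip: peak_hits} for every IP that made more than `threshold`
    requests to `path_prefix` within any sliding `window`."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2].startswith(path_prefix):
            hits.append(parsed)
    hits.sort(key=lambda h: h[1])          # access logs are normally ordered; sort anyway
    recent = defaultdict(deque)            # ip -> timestamps still inside the window
    offenders = {}
    for ip, ts, _ in hits:
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:          # expire hits older than the window
            q.popleft()
        if len(q) > threshold:
            offenders[ip] = max(offenders.get(ip, 0), len(q))
    return offenders


def drop_command(ip, port=80):
    """iptables rule refusing new connections from `ip` to the web port.
    Returned as a string, not executed: apply it as root (or feed an ipset)."""
    return f"iptables -I INPUT -s {ip} -p tcp --dport {port} -m state --state NEW -j DROP"


# --- constructed sample data ------------------------------------------------
BASE = datetime.strptime("10/Oct/2010:13:55:00 +0000", TIME_FMT)


def _log_line(ip, offset_s, path, status):
    """Build one constructed combined-format line `offset_s` seconds after BASE."""
    t = (BASE + timedelta(seconds=offset_s)).strftime(TIME_FMT)
    return f'{ip} - - [{t}] "GET {path} HTTP/1.1" {status} 1024 "-" "Mozilla/5.0"'


def sample_log():
    """Constructed log: one normal user plus one client hammering the download page."""
    lines = [
        _log_line("203.0.113.7", 0, "/download.php?id=42", 200),    # legitimate download
        _log_line("203.0.113.7", 60, "/download.php?id=42", 403),   # told to wait, gives up
        _log_line("203.0.113.7", 120, "/index.php", 200),           # not the protected page
    ]
    # abusive client: 35 connections to the download page within 70 seconds
    lines += [_log_line("198.51.100.23", 10 + 2 * i, "/download.php?id=42", 403 if i else 200)
              for i in range(35)]
    return lines


if __name__ == "__main__":
    for ip, peak in find_offenders(sample_log(), "/download.php").items():
        print(f"# {ip}: {peak} hits to the download page inside 5 minutes")
        print(drop_command(ip))
```

Run it from cron against the live access log (or `tail -F` it) and pipe the emitted rules to a root shell; in practice the threshold should sit well above what one legitimate user can generate, since the page itself only serves the file once and then answers with the "please wait" error, so every extra hit from one address is already suspicious.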