List:       apache-modperl
Subject:    Re: [OT] connection limitation
From:       "Sean Davis" <seandavi () gmail ! com>
Date:       2008-05-28 19:09:48
Message-ID: 264855a00805281209i5f8c3cd4kb169068393be2e21 () mail ! gmail ! com

On Wed, May 28, 2008 at 1:50 PM,  <David.Livingstone@cn.ca> wrote:
>
> I found this when I ran into a similar situation although I have not yet
> had a chance to try it:
>
> http://bwmod.sourceforge.net/files/mod_bw-0.7.txt
>
> Looks like you can set max connections but not by ip.

Just to finalize, I ended up using:

http://www.ivn.cl/apache#bandwidth

This allows setting connection and bandwidth limits based on IP or
across a site.  Worked like a charm (webserver load down from 20 to
2).

Sean

> "Sean Davis" <seandavi@gmail.com>
>
> 2008/05/28 11:34
>
> To
> "Fred Moyer" <fred@redhotpenguin.com>
> cc
> modperl <modperl@perl.apache.org>
> Subject
> Re: [OT] connection limitation
>
>
>
> On Wed, May 28, 2008 at 1:19 PM, Fred Moyer <fred@redhotpenguin.com> wrote:
>> Sean Davis wrote:
>>>
>>> This is decidedly off-topic....
>>>
>>> We run a pretty small website (multi-use) on Apache (2.2) and mod_perl
>>> (along with some php, cgi, and static content).  Unfortunately, our
>>> organization has recently decided to institute the policy of scanning
>>> the site on a regular basis for security reasons.  The scan software
>>> crawls all links and URLs on the site, hitting each one with multiple
>>> forms of attack.  In some parts of the world, this is called a
>>> denial-of-service attack, but here it is called a security scan.  I
>>> have no control over the scan parameters, so I am looking for a
>>> meaningful way of limiting the number of connections (not really
>>> bandwidth, since we host VERY large static files) from a single IP.
>>> Any suggestions?
>>
>> You could do this with mod_perl by using something like Apache::Scoreboard -
>> http://search.cpan.org/dist/Apache-Scoreboard
>>
>> Check to see if the number of server side children is maxed out for a
>> given ip, and return a 503 if that is the case.
>
> This sounds like a viable option, yes.  It also allows lots of
> flexibility....
>
>> But if you are running Linux an alternative way to do this might be with
>> iptables and the iplimit module -
>> http://linuxgazette.net/108/odonovan.html
>
> I'm on macos, currently.
>
> Thanks.
>
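
The Apache::Scoreboard approach suggested in the thread (count the busy children serving one IP, answer 503 above a limit), sketched as a mod_perl 2 access handler. This is an added example, not code from the thread or from any of the linked modules; the package name My::ConnLimit, the limit of 5 and the Retry-After value are assumptions, and it relies on the prefork MPM with ExtendedStatus On so that the scoreboard records client addresses.

```perl
package My::ConnLimit;    # hypothetical module name

# httpd.conf (assumed setup):
#   ExtendedStatus On
#   PerlModule My::ConnLimit
#   <Location />
#       PerlAccessHandler My::ConnLimit
#   </Location>

use strict;
use warnings;

use Apache2::RequestRec ();
use Apache2::Connection ();
use APR::Table ();
use Apache2::Const -compile => qw(OK HTTP_SERVICE_UNAVAILABLE);
use Apache::Scoreboard ();

use constant MAX_PER_IP  => 5;    # assumed limit, tune per site
use constant RETRY_AFTER => 5;    # seconds, assumed

# Count scoreboard slots that are busy on behalf of $ip.
# Idle slots still show their last client, so filter on status first:
# R=reading, W=writing reply, K=keepalive, L=logging, D=DNS, C=closing.
sub busy_slots_for {
    my ($pool, $ip) = @_;
    my $image = Apache::Scoreboard->image($pool);
    my $count = 0;
    for (my $p = $image->parent_score; $p; $p = $p->next) {
        for (my $w = $p->worker_score; $w; $w = $p->next_worker_score($w)) {
            next unless $w->status =~ /^[RWKLDC]$/;   # status in string context
            $count++ if $w->client eq $ip;
        }
    }
    return $count;
}

sub handler {
    my $r  = shift;
    my $ip = $r->connection->remote_ip;    # Apache 2.2 API

    # The current request occupies a slot too, so it is part of the count.
    return Apache2::Const::OK
        if busy_slots_for($r->pool, $ip) <= MAX_PER_IP;

    $r->err_headers_out->set('Retry-After' => RETRY_AFTER);
    return Apache2::Const::HTTP_SERVICE_UNAVAILABLE;
}

1;
```

Because the check runs inside a child that has already accepted the connection, it caps the work done per IP rather than the connections themselves; a limit enforced before Apache (as with the iptables suggestion) avoids tying up a child at all.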