<?xml version="1.0" encoding="UTF-8"?><!-- generator="wordpress/2.0.11" -->
<rss version="2.0" 
	xmlns:content="http://purl.org/rss/1.0/modules/content/">
<channel>
	<title>Comments on: Mitigate Attacks With mod_evasive</title>
	<link>http://www.linux-mag.com/id/3389/</link>
	<description>Open Source, Open Standards</description>
	<pubDate>Mon, 07 Jul 2008 15:11:59 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.0.11</generator>

	<item>
		<title>by: Jeremy Garcia</title>
		<link>http://www.linux-mag.com/id/3389/#comment-105</link>
		<pubDate>Thu, 07 Jun 2007 20:48:27 +0000</pubDate>
		<guid>http://www.linux-mag.com/id/3389/#comment-105</guid>
					<description>Ryan,
Thanks for the info!

Michael,
The GPL is only triggered on distribution, so I'm not sure where you draw the "small business" implications from.

Thanks for the feedback,
--jeremy
http://jeremy.linuxquestions.org/</description>
		<content:encoded><![CDATA[<p>Ryan,<br />
Thanks for the info!</p>
<p>Michael,<br />
The GPL is only triggered on distribution, so I&#8217;m not sure where you draw the &#8220;small business&#8221; implications from.</p>
<p>Thanks for the feedback,<br />
&#8211;jeremy<br />
<a href="http://jeremy.linuxquestions.org/" rel="nofollow">http://jeremy.linuxquestions.org/</a>
</p>
]]></content:encoded>
				</item>
	<item>
		<title>by: Michael Dean</title>
		<link>http://www.linux-mag.com/id/3389/#comment-48</link>
		<pubDate>Thu, 31 May 2007 20:10:24 +0000</pubDate>
		<guid>http://www.linux-mag.com/id/3389/#comment-48</guid>
					<description>For me as a small businessperson, I would not select a GPL module for an Apache licensed piece of software.  To me this smacks of programming imperialism by the programmer.  Why not keep Apache "pure" Apache license?  One of the reasons software like all of the Apache Foundation stuff, and such quality databases as PostgreSQL work so well and persist over the decade is because of the lesser restrictive licenses.  At the kernel level perhaps, since my small company doesn't intend to re-write and improve the kernel, I believe the GPL may be less viral, but now it is possible to create (the kernel and filing systems being the only exceptions), a completely non-GPL distro! This model is much more fruitful for small businesses.</description>
		<content:encoded><![CDATA[<p>For me as a small businessperson, I would not select a GPL module for an Apache licensed piece of software.  To me this smacks of programming imperialism by the programmer.  Why not keep Apache &#8220;pure&#8221; Apache license?  One of the reasons software like all of the Apache Foundation stuff, and such quality databases as PostgreSQL work so well and persist over the decade is because of the lesser restrictive licenses.  At the kernel level perhaps, since my small company doesn&#8217;t intend to re-write and improve the kernel, I believe the GPL may be less viral, but now it is possible to create (the kernel and filing systems being the only exceptions), a completely non-GPL distro! This model is much more fruitful for small businesses.
</p>
]]></content:encoded>
				</item>
	<item>
		<title>by: rcbarnett</title>
		<link>http://www.linux-mag.com/id/3389/#comment-42</link>
		<pubDate>Thu, 31 May 2007 19:03:35 +0000</pubDate>
		<guid>http://www.linux-mag.com/id/3389/#comment-42</guid>
					<description>Mod_evasive does work relatively well for small to medium sized brute force or HTTP level DoS attacks.  There is, however, an important limitation that mod_evasive has that you should be aware of.  The mod_evasive module is not as good as it could be because it does not use shared memory in Apache to keep information about previous requests persistent. Instead, the information is kept with each child process or thread. Other Apache children that are then spawned know nothing about abuse against one of them. When a child serves the maximum number of requests and dies, the DoS information goes with it.  So, what does this mean?  This means that if an attacker sends their HTTP DoS requests and they do not use HTTP Keep-Alives, then Apache will spawn a new child process for every request and it will never trigger the mod_evasive thresholds.  This is not good…

It is for this reason that Ivan Ristic (ModSecurity creator) created the script called httpd-guardian.  It essentially monitors the Apache access_log data through piped logging and therefore can see requests across all child processes.  Here is a good article that Ivan wrote on the subject for O'Reilly OnLamp - http://www.onlamp.com/pub/a/apache/2005/12/01/modsecurity.html?page=last.  For more information, check out Ivan's site at - http://www.apachesecurity.net

-- 
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache</description>
		<content:encoded><![CDATA[<p>Mod_evasive does work relatively well for small to medium sized brute force or HTTP level DoS attacks.  There is, however, an important limitation that mod_evasive has that you should be aware of.  The mod_evasive module is not as good as it could be because it does not use shared memory in Apache to keep information about previous requests persistent. Instead, the information is kept with each child process or thread. Other Apache children that are then spawned know nothing about abuse against one of them. When a child serves the maximum number of requests and dies, the DoS information goes with it.  So, what does this mean?  This means that if an attacker sends their HTTP DoS requests and they do not use HTTP Keep-Alives, then Apache will spawn a new child process for every request and it will never trigger the mod_evasive thresholds.  This is not good…</p>
<p>It is for this reason that Ivan Ristic (ModSecurity creator) created the script called httpd-guardian.  It essentially monitors the Apache access_log data through piped logging and therefore can see requests across all child processes.  Here is a good article that Ivan wrote on the subject for O&#8217;Reilly OnLamp - <a href="http://www.onlamp.com/pub/a/apache/2005/12/01/modsecurity.html?page=last" rel="nofollow">http://www.onlamp.com/pub/a/apache/2005/12/01/modsecurity.html?page=last</a>.  For more information, check out Ivan&#8217;s site at - <a href="http://www.apachesecurity.net" rel="nofollow">http://www.apachesecurity.net</a></p>
<p>&#8211;<br />
Ryan C. Barnett<br />
ModSecurity Community Manager<br />
Breach Security: Director of Application Security Training<br />
Web Application Security Consortium (WASC) Member<br />
CIS Apache Benchmark Project Lead<br />
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC<br />
Author: Preventing Web Attacks with Apache
</p>
]]></content:encoded>
				</item>
	<item>
		<title>by: register hater</title>
		<link>http://www.linux-mag.com/id/3389/#comment-40</link>
		<pubDate>Thu, 31 May 2007 18:57:32 +0000</pubDate>
		<guid>http://www.linux-mag.com/id/3389/#comment-40</guid>
					<description>What's DOS? Denial of Service? Why are all the configuration options prepended with that stupid TLA?</description>
		<content:encoded><![CDATA[<p>What&#8217;s DOS? Denial of Service? Why are all the configuration options prepended with that stupid TLA?
</p>
]]></content:encoded>
				</item>
</channel>
</rss>
