[ILUG] Rate limiting apache requests per second

[Ronan Mullally]

Hi John,

On Wed, 6 Jan 2010, John P. Looney wrote:

>  IPTables has rules like 'Only allow 20 new IP connections from any given
> netblock per minute'. It can even do bursts, so you can do '100 per 5
> minutes' etc. My own server has some setup for SSH like that -
> non-whitelisted IPs get 2 ssh requests per 5 minutes, or something like
> that, to stop brute-force attacks filling up my logs.
>
>  IPTables is not going to help much if someone opens a connection and keeps
> ramming requests down it - I assume Apache closes the socket, if it's being
> abused though.

This is the situation I've got.  The connlimit module allows me to set an
absolute limit on concurrent connections, so the need to rate-limit
incoming connections from each source is reduced.  Even if I do rate
limit, it's the content of the connections that get through this filter
I'm trying to control.

Apache may or may not close the connection (I've not been around to
observe when the issue is occuring), the problem is that the reverse proxy
doesn't - it appears to ignore Apache's KeepAlive headers, keeping the
connection to the client open regardless.

> You could even put in *huge* limits initially, and monitor syslog to make
> sure that it's OK, and slowly bring them down until you get a false
> positive. Combined with whitelisting (if you have members only area, harvest
> all IPs from that), it's a nice idea.

This looks like the only option I've got - a watcher that adds a DROP rule
when it sees a particular log entry and then removes it X seconds later
(or more likely, adds a timestamp as a comment and then a garbage
collector that cleans up old rules).


-Ronan