[ILUG] Rate limiting apache requests per second
Thomas Pedoussaut
thomas at pedoussaut.com
Wed Jan 6 12:40:26 GMT 2010
Ronan Mullally wrote:
> Hi John,
>
> On Wed, 6 Jan 2010, John P. Looney wrote:
>
>
>> IPTables has rules like 'Only allow 20 new IP connections from any given
>> netblock per minute'. It can even do bursts, so you can do '100 per 5
>> minutes' etc. My own server has some setup for SSH like that -
>> non-whitelisted IPs get 2 ssh requests per 5 minutes, or something like
>> that, to stop brute-force attacks filling up my logs.
>>
>> IPTables is not going to help much if someone opens a connection and keeps
>> ramming requests down it - I assume Apache closes the socket, if it's being
>> abused though.
>>
>
> This is the situation I've got. The connlimit module allows me to set an
> absolute limit on concurrent connections, so the need to rate-limit
> incoming connections from each source is reduced. Even if I do rate
> limit, it's the content of the connections that get through this filter
> I'm trying to control.
>
You can set limits in iptables not only on packets with a state NEW, but
also on any packet. Effectively rate limiting at MTU x limit bps.
--
Thomas
More information about the ILUG
mailing list