[TYPO3-english] [SOLVED] apache benchmark tool over-flooded typo3 site
J. Bakshi
joydeep at infoservices.in
Wed Jan 13 06:24:13 CET 2010
Jan Slusarczyk wrote:
> On 12/01/10 09:08, J. Bakshi wrote:
>> Hello list,
>> Today I was testing my apache server with the "ab" command, aka the apache
>> benchmarking tool. I have found that though it is a useful tool to check
>> apache performance, especially if you install eAccelerator, in the
>> wrong hands it is very dangerous. It creates a huge number of page calls and
>> bottlenecks the target apache. During the check typo3 reports "database
>> connection error" !!! I have used
>> I have applied two possible solutions which prevent ab successfully:
>> 1] at .htaccess
>> 2] Directly in apache through httpd.conf
>>
>> Please inform if there is any other/better technique.
>
> Hi,
> it all depends on what you want to achieve. ab is a tool to generate
> multiple connections to a specific server to test its performance.
> Basically it acts like many browsers trying to open a specific url. It
> resembles a DoS attack.
> As for protecting against it - if you only want to prevent people
> using ab from overloading your stuff - what you did is enough. But if
> you want to prevent a more general attack, then you should protect
> yourself from DDoS instead and not rely on the client identification
> string. And that's no easy task.
> If your goal is to increase the number of people that can successfully
> open your website, then you need to look deeper into typo3
> performance. Start with webserver (nginx?) and mysql optimizations and
> look into coa_go, evo_nginx_boost, the 4.3 caching framework etc. The
> problem is that there's always a ceiling. No matter what you do,
> there's always a maximum number of users you can send your content to
> in a specified time.
> Seems like you're at the start of an interesting journey, aren't you?
>
> Cheers
> Jan
>
Hello,
Yes, just blocking the user agent by its signature is not a foolproof
method. It is working for now but it will surely fail if the signature
changes somehow. I have done some experiments and here are the resulting
solutions.
# Solution-1 ( Limiting HTTP requests per IP )
--------------------------------------------------------------
In the iptable rules modify http rule with hashlimit like
```
# Accept new HTTP connections from one source IP at up to 400/sec
# (the hashlimit module's default burst is 5 extra packets).
# Connections over the limit fall through to the rules that follow,
# so a later DROP rule or a DROP default policy is needed for them.
iptables -A INPUT -p tcp -m tcp --dport 80 \
  -m state --state NEW \
  -m hashlimit --hashlimit 400/sec \
  --hashlimit-mode srcip --hashlimit-name http \
  -j ACCEPT
```
Can anyone tell me the safe limit of HTTP requests from a single IP? For
now I have set it at 400/sec.
# Solution-2 ( Server-wide SYN-flood protection with blocking of bad IPs )
---------------------------------------------------------------------------------------------
In the iptables rules the following should be placed before the incoming rule
sets.
```
# IFACE is the public interface; eth0 is an assumed default
IFACE=${IFACE:-eth0}
# Drop anything from a source that was blacklisted within the last 60 s
# (tweak --seconds to the blacklist duration you want)
iptables -A INPUT -m recent --name blacklist --rcheck --seconds 60 -j DROP
# Only SYN packets enter the syn-flood chain; sending all INPUT traffic
# through it would drop every non-SYN packet at the final rule
iptables -N syn-flood
iptables -A INPUT -i $IFACE -p tcp --syn -j syn-flood
# Up to 250 SYN/sec (burst 5) per source IP return to INPUT;
# idle hashlimit entries expire after 12000 ms (12 s)
iptables -A syn-flood -p tcp --syn -m hashlimit \
  --hashlimit 250/sec --hashlimit-burst 5 --hashlimit-htable-expire 12000 \
  --hashlimit-mode srcip --hashlimit-name testlimit -j RETURN
# Over the limit: record the source IP in the blacklist and drop the packet
iptables -A syn-flood -m recent --name blacklist --set -j DROP
```
I have tested both rule sets individually and both of them are capable
of preventing ab.
REMEMBER : #2 has blacklist protection. Use it carefully and tweak the
blacklist duration to your needs.
Cheers
--
জয়দীপ বক্সী
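Added illustration, not part of the list post: a small Python model of what the hashlimit and recent rules in Solution-2 do per source address. It approximates the kernel's per-IP token bucket (250/sec, burst 5) and a blacklist that drops a source for a chosen number of seconds after it exceeded the limit; the addresses, timings and the 60 s blacklist duration are constructed assumptions.

```python
# Added example (not from the mailing-list post): a model of the per-source-IP
# token bucket behind iptables' hashlimit match and of the "-m recent"
# blacklist, run over constructed traffic. Timestamps are in milliseconds;
# Fractions keep the token arithmetic exact.
from dataclasses import dataclass, field
from fractions import Fraction


@dataclass
class HashLimit:
    """Approximation of xt_hashlimit: one bucket per key (source IP), refilled
    at rate_per_sec tokens per second, holding at most `burst` tokens
    (--hashlimit-burst, kernel default 5); a key idle for longer than
    expire_ms (--hashlimit-htable-expire) is forgotten and starts fresh."""
    rate_per_sec: int
    burst: int = 5
    expire_ms: int = 12000
    table: dict = field(default_factory=dict)  # key -> [tokens, last_seen_ms]

    def allow(self, key, now_ms):
        entry = self.table.get(key)
        if entry is None or now_ms - entry[1] > self.expire_ms:
            entry = [Fraction(self.burst), now_ms]
        refill = Fraction(self.rate_per_sec * (now_ms - entry[1]), 1000)
        tokens = min(Fraction(self.burst), entry[0] + refill)
        allowed = tokens >= 1
        if allowed:
            tokens -= 1            # one token per SYN that passes
        self.table[key] = [tokens, now_ms]
        return allowed


@dataclass
class RecentList:
    """Model of `-m recent --name blacklist`: --set records when a source was
    last seen, --rcheck --seconds N matches if that was within N seconds."""
    seconds: int
    last_seen: dict = field(default_factory=dict)

    def set(self, key, now_ms):
        self.last_seen[key] = now_ms

    def rcheck(self, key, now_ms):
        seen = self.last_seen.get(key)
        return seen is not None and now_ms - seen <= self.seconds * 1000


class SynFloodFirewall:
    """INPUT chain of Solution-2 with the blacklist enforced:
         -m recent --name blacklist --rcheck --seconds N -j DROP
         -p tcp --syn -j syn-flood
           syn-flood: hashlimit 250/sec burst 5 -> RETURN (then ACCEPT)
                      otherwise: -m recent --set, DROP
    blacklist_seconds=0 disables the first rule (hashlimit only)."""

    def __init__(self, rate_per_sec=250, burst=5, blacklist_seconds=60):
        self.limit = HashLimit(rate_per_sec, burst)
        self.blacklist = RecentList(blacklist_seconds)

    def input(self, src_ip, now_ms, syn=True):
        if self.blacklist.seconds and self.blacklist.rcheck(src_ip, now_ms):
            return "DROP"
        if not syn:
            return "ACCEPT"        # non-SYN packets never enter syn-flood
        if self.limit.allow(src_ip, now_ms):
            return "ACCEPT"
        self.blacklist.set(src_ip, now_ms)
        return "DROP"


def run_scenario(blacklist_seconds):
    """Returns (SYNs accepted from a flooding host, SYNs accepted from a
    normal visitor). Both addresses and all timings are constructed."""
    fw = SynFloodFirewall(blacklist_seconds=blacklist_seconds)
    # ab-style flood: 1000 SYNs from one address, one every millisecond
    flood = sum(fw.input("198.51.100.7", t) == "ACCEPT" for t in range(1000))
    # a visitor opening three connections half a second apart
    legit = sum(fw.input("203.0.113.5", 100 + 500 * i) == "ACCEPT"
                for i in range(3))
    return flood, legit


if __name__ == "__main__":
    print("hashlimit only     :", run_scenario(0))   # (254, 3)
    print("with 60 s blacklist:", run_scenario(60))  # (6, 3)
```

With the hashlimit rule alone, 1000 SYNs in one second from one address get the burst plus 250/sec through (254 here) while the normal visitor is untouched; with the blacklist check in front, only the first six pass and the source stays dropped for the configured duration. The model also makes the "safe limit" question concrete: the bucket is keyed on source IP, so an office or campus behind one NAT address shares a single bucket, which argues for a generous per-IP limit or a larger burst rather than a tight one.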