[TYPO3-english] [ SOLVED] apache bench mark tool over flooded typo3 site

Wed Jan 13 06:24:13 CET 2010

Jan Slusarczyk wrote:
> On 12/01/10 09:08, J. Bakshi wrote:
>> Hello list,
>> Today I was testing my apache server with "ab" command aka apache
>> benchmarking tool.  I have found though it is a useful tool to check
>> apache performance ; specially if you install eAccelerator ; but in a
>> wrong hand it is very dangerous.  It creates a huge page call and bottle
>> neck the target apache.  During the check typo3 reports "database
>> connection error" !!!.  I have used
>> I have applied two possible solution which prevents the ab successfully
>> 1] at .htaccess
>> 2]  Directly in apache through httpd.conf
>>
>> Please inform if there is any other/better technique.
>
> Hi,
> it all depends on what you want to achieve. ab is a tool to generate
> multiple connections for a specific server to test it's performance.
> Basically it acts like many browsers trying to open a specific url. It
> resembles a DOS attack.
> As for protecting against it - if you only want to prevent people
> using ab from overloading your stuff - what you did is enough. But if
> you want to prevent a more general attack, then you should protect
> yourself from DDOS rather and not rely on client identification
> string. And that's no easy task.
> If your goal is to increase the number of people that can successfully
> open your website, then you need to look deeper into typo3
> performance. Start with webserver (nginx?) and mysql optimizations and
> look into coa_go, evo_nginx_boost, 4.3 caching framework etc. The
> problem is that there's always a ceiling. No matter what you do,
> there's always a maximum number of users you can send your content to
> in a specified time.
> Seems like you're on a start of an interesting journey, aren't you?
>
> Cheers
> Jan
>

Hello,

Yes, Just blocking the header agent with its signature is not a full
proof method. It is working for now but it surely fails if signature
change somehow. I have done some experiment and here are the outcome
solutions.

# Solution-1 ( Limiting https request per IP )
--------------------------------------------------------------

In the iptable rules modify http rule with hashlimit like

`  `  `
iptables -A INPUT -m hashlimit -m tcp -p tcp --dport 80  \
--hashlimit 400/sec  \
--hashlimit-mode srcip --hashlimit-name http \
-m state --state NEW -j ACCEPT

`  `  `

Can anyone tell me the safe limit of http request from a single IP ? For
now I have set it at 400/sec

# Solution-2 ( All over server syn-flood protection with block bad IP )
---------------------------------------------------------------------------------------------

In the ip table rule the following should be placed before incoming rule
sets.

`    `    `

# Check hashlimit-htable-expire after 2 min ( 12000 mili second )
iptables -N syn-flood
iptables -A INPUT -i $IFACE -p tcp --syn -j syn-flood
iptables -A syn-flood -p tcp --syn  -m hashlimit \
--hashlimit 250/sec --hashlimit-burst 5  --hashlimit-htable-expire 12000 \
--hashlimit-mode srcip --hashlimit-name testlimit -j RETURN
# Drop IP bad IP and put then in blacklist
iptables -A syn-flood -m recent --name blacklist --set -j DROP
iptables -A INPUT -j syn-flood

`   `   `

I have tested both the rules individually and both of them are capable
to prevent ab.
REMEMBER : #2 has blacklist protection. Use it carefully and tweak the
black list duration as your need

Cheers

-- 
জয়দীপ বক্সী