[TYPO3-english] [ SOLVED] apache bench mark tool over flooded typo3 site

J. Bakshi joydeep at infoservices.in
Wed Jan 13 08:18:30 CET 2010


J. Bakshi wrote:
> Jan Slusarczyk wrote:
>   
>> On 12/01/10 09:08, J. Bakshi wrote:
>>     
>>> Hello list,
>>> Today I was testing my Apache server with the "ab" command, aka the Apache
>>> benchmarking tool. I have found that though it is a useful tool to check
>>> Apache performance, especially if you install eAccelerator, in the
>>> wrong hands it is very dangerous. It creates a huge number of page calls and
>>> bottlenecks the target Apache. During the check TYPO3 reports "database
>>> connection error"!!! I have used
>>> I have applied two possible solutions which prevent ab successfully:
>>> 1] at .htaccess
>>> 2] Directly in Apache through httpd.conf
>>>
>>> Please inform me if there is any other/better technique.
>>>       
>> Hi,
>> it all depends on what you want to achieve. ab is a tool to generate
>> multiple connections to a specific server to test its performance.
>> Basically it acts like many browsers trying to open a specific URL. It
>> resembles a DoS attack.
>> As for protecting against it - if you only want to prevent people
>> using ab from overloading your stuff - what you did is enough. But if
>> you want to prevent a more general attack, then you should protect
>> yourself from DDoS instead and not rely on the client identification
>> string. And that's no easy task.
>> If your goal is to increase the number of people that can successfully
>> open your website, then you need to look deeper into TYPO3
>> performance. Start with webserver (nginx?) and MySQL optimizations and
>> look into coa_go, evo_nginx_boost, the 4.3 caching framework etc. The
>> problem is that there's always a ceiling. No matter what you do,
>> there's always a maximum number of users you can send your content to
>> in a specified time.
>> Seems like you're at the start of an interesting journey, aren't you?
>>
>> Cheers
>> Jan
>>
>>     
>
> Hello,
>
> Yes, just blocking the User-Agent header by its signature is not a
> foolproof method. It is working for now but it will surely fail if the
> signature changes somehow. I have done some experiments and here are the
> resulting solutions.
>
> # Solution-1 ( Limiting HTTP requests per IP )
> --------------------------------------------------------------
>
> In the iptables rules, modify the HTTP rule with hashlimit like:
>
> `  `  `
> iptables -A INPUT -m hashlimit -m tcp -p tcp --dport 80  \
> --hashlimit 400/sec  \
> --hashlimit-mode srcip --hashlimit-name http \
> -m state --state NEW -j ACCEPT
>
> `  `  `
>
> Can anyone tell me the safe limit of HTTP requests from a single IP? For
> now I have set it at 400/sec.
>
> # Solution-2 ( Overall server SYN-flood protection with blocking of bad IPs )
> ---------------------------------------------------------------------------------------------
>
> In the iptables rules the following should be placed before the incoming rule
> sets.
>
> `    `    `
>
> # Check hashlimit-htable-expire after 2 min ( 12000 mili second )
> iptables -N syn-flood
> iptables -A INPUT -i $IFACE -p tcp --syn -j syn-flood
> iptables -A syn-flood -p tcp --syn  -m hashlimit \
> --hashlimit 250/sec --hashlimit-burst 5  --hashlimit-htable-expire 12000 \
> --hashlimit-mode srcip --hashlimit-name testlimit -j RETURN
> # Drop IP bad IP and put then in blacklist
> iptables -A syn-flood -m recent --name blacklist --set -j DROP
> iptables -A INPUT -j syn-flood
>
> `   `   `
>
> I have tested both rules individually and both of them are capable
> of preventing ab.
> REMEMBER: #2 has blacklist protection. Use it carefully and tweak the
> blacklist duration to your needs.
>
> Cheers
>
>
>   

A correction:

#2 is working well, but #1 is not doing its job properly. It needs some
more research.




-- 
জয়দীপ বক্সী
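The thread asks what a safe per-IP request rate is and notes that matching the ab User-Agent string is not reliable. An added example (not part of the original thread) that measures the peak per-IP request rate from Apache combined-format access log lines, so a limit like the 400/sec above can be set from observed traffic rather than guessed; the log lines, IPs and the threshold are constructed sample values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format; timestamp looks like 13/Jan/2010:08:18:30 +0100
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one source hammering index.php the way ab does,
# one ordinary browser visit. 192.0.2.x / 198.51.100.x are documentation ranges.
AB = ('192.0.2.10 - - [13/Jan/2010:08:18:{:02d} +0100] '
      '"GET /index.php HTTP/1.0" 200 5120 "-" "ApacheBench/2.3"')
SAMPLE_LOG = [AB.format(30)] * 5 + [AB.format(31)] * 2 + [
    '198.51.100.7 - - [13/Jan/2010:08:18:30 +0100] "GET /index.php HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0 (X11; Linux)"',
    '198.51.100.7 - - [13/Jan/2010:08:18:33 +0100] "GET /typo3temp/style.css '
    'HTTP/1.1" 200 900 "-" "Mozilla/5.0 (X11; Linux)"',
]

def parse_line(line):
    """Return (ip, timestamp, user_agent) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts").split()[0], "%d/%b/%Y:%H:%M:%S")
    return m.group("ip"), ts, m.group("ua")

def peak_rates(lines, window=1):
    """Map each source IP to the most requests it made in any window-second span."""
    stamps_by_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, ts, _ = parsed
            stamps_by_ip[ip].append(ts)
    peaks = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        best, start = 0, 0
        for end, t in enumerate(stamps):          # sliding window over sorted times
            while (t - stamps[start]).total_seconds() >= window:
                start += 1
            best = max(best, end - start + 1)
        peaks[ip] = best
    return peaks

def flood_sources(lines, limit, window=1):
    """IPs whose peak rate exceeds `limit` requests per window, whatever their UA."""
    return sorted(ip for ip, n in peak_rates(lines, window).items() if n > limit)
```

Run it over a day of real logs and look at the peak rates of legitimate clients before picking the hashlimit value; the rate check catches a flood regardless of whether the User-Agent still says ApacheBench.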