taohui's personal space https://forum.kaiyuan.de/?23661

Blog

Denial of Service (DoS) attacks

1046 views | 30.3.2010 15:59 | Personal category: Software technology

All network servers can be subject to denial of service attacks that attempt to prevent responses to clients by tying up the resources of the server. It is not possible to prevent such attacks entirely, but you can do certain things to mitigate the problems that they create.

Often the most effective anti-DoS tool will be a firewall or other operating-system configurations. For example, most firewalls can be configured to restrict the number of simultaneous connections from any individual IP address or network, thus preventing a range of simple attacks. Of course this is no help against Distributed Denial of Service attacks (DDoS).

There are also certain Apache HTTP Server configuration settings that can help mitigate problems:

  • The TimeOut directive should be lowered on sites that are subject to DoS attacks. Setting this to as low as a few seconds may be appropriate. As TimeOut is currently used for several different operations, setting it to a low value introduces problems with long running CGI scripts.
  • The KeepAliveTimeout directive may also be lowered on sites that are subject to DoS attacks. Some sites even turn off keepalives completely via KeepAlive, which of course has other drawbacks on performance.
  • The values of various timeout-related directives provided by other modules should be checked.
  • The directives LimitRequestBody, LimitRequestFields, LimitRequestFieldSize, LimitRequestLine, and LimitXMLRequestBody should be carefully configured to limit resource consumption triggered by client input.
  • On operating systems that support it, make sure that you use the AcceptFilter directive to offload part of the request processing to the operating system. This is active by default in Apache httpd, but may require reconfiguration of your kernel.
  • Tune the MaxClients directive to allow the server to handle the maximum number of simultaneous connections without running out of resources. See also the performance tuning documentation.
  • The use of a threaded MPM may allow you to handle more simultaneous connections, thereby mitigating DoS attacks. Further, the experimental event MPM uses asynchronous processing to avoid devoting a thread to each connection. At the time of writing this is work in progress and not fully implemented; in particular, the event MPM is currently incompatible with mod_ssl and other input filters.
  • There are a number of third-party modules available through http://modules.apache.org/ that can restrict certain client behaviors and thereby mitigate DoS problems.
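The following httpd.conf fragment is an added example, not part of the original post or of the Apache documentation it reproduces. It applies the directives listed above in one place, with each server default noted beside the tightened value; the numbers are illustrative starting points chosen here, not recommended values from the page, and should be tuned against real traffic.

```apache
# Added example: DoS-hardening fragment for Apache httpd (2.2-era directive names).
# Values are illustrative; defaults are given so the change is visible.

# Timeout: how long the server waits for request data, a response write, etc.
# Default 300 s (60 s in httpd 2.4). A few seconds suffices for a normal client,
# but long-running CGI scripts share this timeout and will be cut off too.
Timeout 10

# Keep-alive lets a client hold a worker between requests. Shorten the idle
# window (default 5 s), or set "KeepAlive Off" to drop it entirely at some
# cost to page-load performance.
KeepAlive On
KeepAliveTimeout 2
MaxKeepAliveRequests 100

# Bound what a single request can make the server parse or buffer.
# Request line (method, URI, protocol); default 8190 bytes.
LimitRequestLine 8190
# Any single header line; default 8190 bytes.
LimitRequestFieldSize 8190
# Number of header lines; default 100.
LimitRequestFields 50
# Request body; default 0 = unlimited. 10 MB here.
LimitRequestBody 10485760
# Bodies parsed as XML (e.g. mod_dav); default 1000000 bytes.
LimitXMLRequestBody 1000000

# Let the kernel hold a new connection until request data actually arrives,
# so an idle connection does not occupy a worker. "data" maps to
# TCP_DEFER_ACCEPT on Linux and needs the accf_data kernel module on FreeBSD.
AcceptFilter http data
AcceptFilter https data

# Worker limits for the prefork MPM. Cap the process count so a connection
# flood cannot push the host into swap. (httpd 2.4 renamed MaxClients to
# MaxRequestWorkers; the old name is still accepted there.)
<IfModule prefork.c>
    StartServers          8
    MinSpareServers       5
    MaxSpareServers      20
    ServerLimit         256
    MaxClients          256
    MaxRequestsPerChild 4000
</IfModule>
```

Check the fragment with `apachectl configtest` (or `httpd -t`) before reloading, and watch the error log after deployment: a Timeout that is too low shows up as truncated uploads and aborted CGI responses, while a MaxClients that is too low shows up as "server reached MaxClients setting" warnings under legitimate load.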
