Skip to main content.
home | support | download

Back to List Archive

Re: Preventing DOS attack (was: severe swish-e problem (1.3.2) )

From: David Norris <dave(at)not-real.webaugur.com>
Date: Wed Jun 21 2000 - 07:52:53 GMT
Bill Moseley wrote:

There are tons of things one can do to fight against DoS.  Of course,
you normally don't think of them until something drastic has happened
;-)

> I also limit two letter wildcards, and the total number of wild cards.

Sounds like a reasonable idea.

> The other thing I do to reduce a DOS attack is to limit the amount of time
> for each request, and kill off swish at the timeout.

I would hope everyone limits the runtime of user programs accessible via
HTTP.  You could set the nice level high (or otherwise restrict CPU
usage).  That would help tremendously (on Unix).  Might extend the
runtime a bit under load, though.  Also, I run an autonice script every
1 minutes to take care of runaway programs (I think there is a copy in
my Webaugur.com library if anyone's interested; I seem to remember it
being hard to find a copy at one point.)  A watchdog like that is handy
for renicing long processes and killing off dead or dangerous ones. 
Autonice also sends the owner of the process an email explaining what it
did and how to prevent further problems like that.

> not sure what good that would do against someone quickly flooding the 
> server with wildcard queries.

Hrm, I don't know that there is much you could do with that.  Perhaps
serialize (wildcard) requests from a given address.  Not much help since
it seems to be customary to use multiple addresses for attacks these
days.  Recent versions of Apache have DoS counter-measures, as well.

> Signals aren't completely portable so I don't see how a timeout feature
> like that could be built into Swish.  Polling the system time seems like a
> bad idea.

I don't know if timeout is best handled in SWISH, anyway.  I wouldn't
rule it out as an option, of course.  Maybe a wrapper tweaked to the
system it's on?

Is there no timeout feature built into PERL?  Yet another reason to use
PHP ;-)  PHP defaults to a (in-script, runtime configurable) 30 second
timeout.  When it times out, it's children (i.e. SWISH) die with it.  I
think it can trigger a user function, also.

Also, I have a sort of timer in my search script which triggers an event
if the running-time exceeds a given limit.  That can trigger an email
(or whatever you rewrite it to do).  I think in the distributed version
of the script it is used to hide the runtime (as ancient versions of PHP
don't seem to always calculate the time correctly.)

-- 
,David Norris
  Dave's Web - http://www.webaugur.com/dave/
  Dave's Weather - http://www.webaugur.com/dave/wx
  ICQ Universal Internet Number - 412039
  E-Mail - dave@webaugur.com
Received on Wed Jun 21 00:50:51 2000