Why is mod_limitipconn-0.23 in Ubuntu 8.04 not working

Jimmy Snell jzsnell at gmail.com
Thu Jul 17 13:00:12 UTC 2008


Hi,

Thank you for your replies, Mumia and  Markus.

Yes, I have tested today and found that while the attacking IP gets a
"HTTP 503" error, another IP can visit my site normally. This is just
how mod_limitipconn is working.

Before this, I thought the limitipconn module would totally prevent
the DoS attacker from connecting to TCP 80 port.

BTW, I am not sure how Apache and its DSOs work internally. But I
wonder whether there is a way to achieve the result I expected (refuse
new HTTP connections from the attacker's IP)? If it
cannot be done inside Apache or its DSOs, maybe it can be done by adding
a rule to the system iptables?


> Message: 5
> Date: Wed, 16 Jul 2008 06:45:19 -0500
> From: "Mumia W." <paduille.4062.mumia.w+nospam at earthlink.net>
> Subject: Re: Why is mod_limitipconn-0.23 in Ubuntu 8.04 not working?
> To: "Ubuntu user technical support,     not for general discussions"
>        <ubuntu-users at lists.ubuntu.com>
> Message-ID: <487DDF4F.2000408 at earthlink.net>
> Content-Type: text/plain; charset=us-ascii; format=flowed
>
> Perhaps it is working. Maybe 999,997 of those connections received HTTP
> 503 errors. AFAIK, the returning of an error page doesn't break the
> TCP/IP connection. You could configure Apache to immediately close
> connections after the first request, but that might negatively affect
> performance for people who are not going above the connection limit.
>
>
>
> ------------------------------
>
> Message: 7
> Date: Wed, 16 Jul 2008 14:33:19 +0200
> From: Markus Schönhaber <ubuntu-users at list-post.mks-mail.de>
> Subject: Re: Why is mod_limitipconn-0.23 in Ubuntu 8.04 not working?
> To: ubuntu-users at lists.ubuntu.com
> Message-ID: <487DEA8F.1050200 at list-post.mks-mail.de>
> Content-Type: text/plain; charset=UTF-8
>

> Although probably not really a problem: why don't you use the
> configuration layout the package uses? I. e. create
> /etc/apache2/mods-available/limitipconn.load
> /etc/apache2/mods-available/limitipconn.conf
> and create symlinks in
> /etc/apache2/mods-enabled
> to actually activate the module.

Yes, I have already changed to this style.

>> However, then I tried to test whether this module was working.
>> I used the "ab" command to test from my machine:
>>   ab -n 1000000 -c 100 http://www.myhost.com
>
> Are you the owner of www.myhost.com? If not, please use a domain name
> like "example.com" which is reserved for use in documentation.

I am sorry. I will mention it as example.com in the future. Thank you.

>
> As Mumia already said, this doesn't necessarily mean that the module
> isn't working. mod_limitipconn doesn't make HTTP connections to your
> server impossible (if over the limit) but makes sure that those
> excessive connections are only used to return an error page - which is,
> of course, done using an HTTP connection.
>
> You should rather take a look at your server's log files. AFAIU
> mod_limitipconn will log rejected (i. e. answered with an error message)
> connection attempts.
>
> Additionally, you could use
> apache2ctl -M
> to see if mod_limitipconn and mod_status are indeed loaded by the server
> and the config syntax is OK.

There is a limitipconn module.

Yes, it is working. Thank you for your help! :-)

--
Yours Truly,
James Z. Snell
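The thread makes two practical points: check the server logs to confirm that mod_limitipconn is answering excess connections with 503, and, if connections should be refused outright, do that at the iptables layer rather than inside Apache. The script below is an added example (not from this thread, nor from mod_limitipconn) that does the first check over Apache "combined" format access-log lines and then renders the corresponding iptables rules. The log lines are constructed samples; it assumes the over-limit requests show up in the access log as status 503 (as the poster observed) and that the iptables connlimit match is available on the host.

```python
import re
from collections import Counter

# Apache "combined" access-log format: client, ident, user, [time], "request",
# status, size, "referer", "user-agent". Only the first six fields are needed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log: one client (an ApacheBench run) that got 2 normal
# answers and 6 rejections, one ordinary visitor, and one unparsable line.
SAMPLE_LOG = (
    [f'203.0.113.7 - - [17/Jul/2008:12:58:0{i} +0000] "GET / HTTP/1.0" '
     f'200 1234 "-" "ApacheBench/2.0"' for i in range(2)]
    + [f'203.0.113.7 - - [17/Jul/2008:12:58:1{i} +0000] "GET / HTTP/1.0" '
       f'503 441 "-" "ApacheBench/2.0"' for i in range(6)]
    + [f'198.51.100.4 - - [17/Jul/2008:12:59:0{i} +0000] '
       f'"GET /index.html HTTP/1.1" 200 5678 "-" "Mozilla/5.0"' for i in range(3)]
    + ["this line is not in combined log format"]
)


def parse_line(line):
    """Return a dict with ip/time/req/status/size, or None if the line
    does not match the combined format (e.g. a truncated or foreign line)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def status_counts_by_ip(lines):
    """Map each client IP to a Counter of HTTP status codes it received."""
    per_ip = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines the parser cannot read rather than abort
        per_ip.setdefault(rec["ip"], Counter())[rec["status"]] += 1
    return per_ip


def flagged_ips(lines, min_503=5):
    """IPs that were answered with 503 at least min_503 times, sorted.
    A client that never saw a 503 is not flagged, even if it was busy."""
    counts = status_counts_by_ip(lines)
    return sorted(ip for ip, c in counts.items() if c[503] >= min_503)


def per_ip_reject_rule(ip, port=80):
    """iptables rule refusing new TCP connections to `port` from one address.
    REJECT with tcp-reset closes the handshake instead of silently dropping."""
    return (f"iptables -I INPUT -s {ip} -p tcp --dport {port} "
            f"-j REJECT --reject-with tcp-reset")


def connlimit_rule(limit, port=80):
    """Generic rule (assumes the connlimit match is available): refuse a
    new connection to `port` once a single source already holds more than
    `limit` established ones, so Apache never sees the excess at all."""
    return (f"iptables -I INPUT -p tcp --syn --dport {port} -m connlimit "
            f"--connlimit-above {limit} -j REJECT --reject-with tcp-reset")


if __name__ == "__main__":
    for ip, c in status_counts_by_ip(SAMPLE_LOG).items():
        print(f"{ip}: 200={c[200]} 503={c[503]}")
    for ip in flagged_ips(SAMPLE_LOG):
        print("# candidate rule for", ip)
        print(per_ip_reject_rule(ip))
    print("# or, limit every source uniformly:")
    print(connlimit_rule(20))
```

Run it against `/var/log/apache2/access.log` by replacing `SAMPLE_LOG` with the file's lines. The 503 count per IP is the quickest confirmation that mod_limitipconn is doing its job; the printed rules are only rendered, not applied, so they can be reviewed before being added, and the connlimit variant is the one that answers the original question, since it stops the excess connections before they reach Apache.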
