Denial of service prevention
A denial of service attack (DoS attack) is the attempt to make a Web application unavailable to its intended users. This may be provoked by consuming resources on the nevisProxy. The following two resources shall be protected against such attacks:
- TCP connections used for server HTTP requests.
- Memory of the container session cache.
The basic DoS prevention configuration, suitable for most platforms, can be enabled within the navajo.xml configuration.
<Qos
    libname="/opt/nevisproxy/lib/libmodqos_ap_${HTTPD_LIB_VERSION}.so.1"
    SrvMinDataRate="75 300 250"
    SrvMaxConnClose="85%"
    SetEnvIf="NAVAJO_HTTPSESS_CREATED !QSNOT QS_Block=yes"
    ClientEventBlockCount="200 300"
/>
This configuration features the following prevention techniques:
- The attribute 'SrvMinDataRate' defines the minimum upload/download throughput a client must generate (the bytes sent/received by the client per second). This bandwidth is measured while receiving request data (request line, header fields, or body). The client connection is disconnected if the client does not meet this required minimal data rate. The required minimal throughput is increased in relation to the number of concurrent clients sending/receiving data. This prevents DoS attacks from "slow" clients jamming TCP connections. Recommended values are 75 bytes/sec if 250 connections are used and 300 bytes/sec if the server is busy (no free connections).
- The attribute 'SrvMaxConnClose' defines the maximum number of connections supporting keep-alive. If the number of concurrent connections exceeds this threshold, the TCP connection is disconnected after each request. The number of connections is defined as a percentage of MaxClients settings. Recommended value is 85% of the maximal available connections using keep-alive.
- The other attributes limit the number of new sessions a client IP may start during the defined time. Recommended values are 200 new sessions within five minutes (300 seconds). However, you may need to change the time depending on the HttpSession timeout setting (maxInactiveInterval) within the navajo.xml file (calculate the number of sessions a client may create and how long it takes to delete inactive sessions).
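As an added illustration (not nevisProxy or mod_qos code), the following Python script replays session-creation events per client IP against a simplified sliding-window model of the "200 new sessions within 300 seconds" limit that ClientEventBlockCount="200 300" expresses, and estimates the session-cache load one unblocked IP can still cause for a given maxInactiveInterval. The log events, IP addresses and the maxInactiveInterval of 1800 seconds are constructed for the demo; the real module also applies a block duration, which this model omits.

```python
import math
from collections import defaultdict, deque

LIMIT, WINDOW = 200, 300  # mirrors ClientEventBlockCount="200 300"


def blocked_clients(events, limit=LIMIT, window=WINDOW):
    """events: iterable of (timestamp_seconds, client_ip), one per new session.
    Returns {ip: timestamp at which the client exceeded the limit}.
    Simplified model: an IP is blocked once more than `limit` session
    creations fall within any `window`-second sliding interval."""
    recent = defaultdict(deque)  # per-IP timestamps still inside the window
    blocked = {}
    for ts, ip in sorted(events):
        if ip in blocked:
            continue
        q = recent[ip]
        while q and ts - q[0] >= window:  # expire events older than the window
            q.popleft()
        q.append(ts)
        if len(q) > limit:
            blocked[ip] = ts
    return blocked


def session_cache_bound(limit=LIMIT, window=WINDOW, max_inactive=1800):
    """Upper bound on live sessions a single unblocked IP can hold in the
    session cache: it may create `limit` sessions per `window` seconds, and
    each one stays cached for at least `max_inactive` seconds
    (maxInactiveInterval) before the proxy expires it.
    Assumption: sessions are created at the maximum allowed rate and never
    reused, i.e. the worst case for cache memory."""
    return math.ceil(max_inactive / window) * limit


# Constructed sample: a normal client creating 5 sessions over 500 s, and an
# abusive client creating one session per second.
SAMPLE = [(t, "198.51.100.7") for t in range(0, 500, 100)] + \
         [(t, "203.0.113.9") for t in range(0, 400)]

if __name__ == "__main__":
    print(blocked_clients(SAMPLE))   # {'203.0.113.9': 200}
    print(session_cache_bound())     # 1200 live sessions for one IP
```

Lowering WINDOW relative to maxInactiveInterval, or lowering LIMIT, shrinks the bound directly, which is the calculation the text above asks you to make before tuning these values.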
You should also set the 'MaxClientsPerIpAddr' parameter to 30 or fewer, see the table: Server configuration. You can further increase DoS resistance against excessive session creation by ensuring your client accepts cookies even before creating a session. This can be achieved by setting a dedicated cookie http://opensource.adnovum.ch/mod_qos/#QS_UserTrackingCookieName just to verify that the client returns this cookie before letting it access any application.
Example:
QS_UserTrackingCookieName _usrtrck /errorpages/cookie_disabled.html session
See the chapter Optional Apache modules about how to configure additional "QS_*" directives.
It's also a good idea to limit the number of concurrent requests to slow resources to protect them from "HTTP GET/POST flood" and "repeated file download" attacks, see the chapter Limit concurrent requests. You may use the "qslog -pu" http://opensource.adnovum.ch/mod_qos/qslog.1.html command to identify slow resources by processing your server's log file.
For further reading about the mod_qos module and denial of service prevention, see http://mod-qos.sourceforge.net/dos.html.