Any method to prevent Syn Flood Attack (down the WWW ) ?
hkivan
08-02-2004, 08:10 PM
Any method to prevent Syn Flood Attack (down the WWW ) ?
I have searched in WHT; someone mentioned mod_dosevasive... but does anyone have experience with this software?
redesb
08-03-2004, 12:51 AM
You can download mod_dosevasive on the Nuclear Elephant (http://www.nuclearelephant.com/projects/dosevasive/) site. I don't have experience with this mod, but these guys have the speediest and most accurate spam detection I have ever seen. (DSPAM (http://www.nuclearelephant.com/projects/dosevasive/))
ramon
Dr-Host
08-03-2004, 02:07 AM
Try setting SYNCOOKIES; this helps a lot during a SYN flood.
Of course, the best way is, if the site that's under attack has its own IP, just remove the IP from the NIC.
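Added example, not part of the thread: SYN cookies are a kernel TCP setting, so they act on half-open connections before Apache or any Apache module sees a request. Assuming a Linux host, this shell check reports whether the setting is on now and whether it is persisted in /etc/sysctl.conf; the function names and the PROC_ROOT/SYSCTL_CONF overrides are assumptions of the example.

```shell
#!/bin/sh
# Added example: audit the Linux SYN-cookie setting at runtime and on disk.
# To enable:  sysctl -w net.ipv4.tcp_syncookies=1
# To persist: add "net.ipv4.tcp_syncookies = 1" to /etc/sysctl.conf
# PROC_ROOT and SYSCTL_CONF can be overridden to run against a constructed tree.
PROC_ROOT="${PROC_ROOT:-/proc}"
SYSCTL_CONF="${SYSCTL_CONF:-/etc/sysctl.conf}"

# Runtime value, or "missing" when the kernel does not expose the setting.
syncookies_runtime() {
    f="$PROC_ROOT/sys/net/ipv4/tcp_syncookies"
    if [ -r "$f" ]; then cat "$f"; else echo "missing"; fi
}

# Last uncommented assignment in sysctl.conf, or "unset".
syncookies_persistent() {
    [ -r "$SYSCTL_CONF" ] || { echo "unset"; return 0; }
    v=$(sed -n 's/^[[:space:]]*net\.ipv4\.tcp_syncookies[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$SYSCTL_CONF" | tail -n 1)
    echo "${v:-unset}"
}

# Verdict: unsupported | disabled | enabled-until-reboot | enabled
syncookies_status() {
    rt=$(syncookies_runtime)
    ps=$(syncookies_persistent)
    case "$rt" in
        missing) echo "unsupported"; return 0 ;;
        0)       echo "disabled";    return 0 ;;
    esac
    # On at runtime; check that it will still be on after a reboot.
    if [ "$ps" = "unset" ] || [ "$ps" = "0" ]; then
        echo "enabled-until-reboot"
    else
        echo "enabled"
    fi
}

syncookies_status
```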
resolveit
08-19-2004, 01:27 AM
Originally posted by redesb
You can download mod_dosevasive on the Nuclear Elephant (http://www.nuclearelephant.com/projects/dosevasive/) site. I don't have experience with this mod, but these guys have the speediest and most accurate spam detection I have ever seen. (DSPAM (http://www.nuclearelephant.com/projects/dosevasive/))
ramon
Can anyone tell me how to get this set up? From what I see the only possibility would be to do it under the customapache in the directadmin directories, but I don't know how.
Has anyone done this?
Regards,
Onno Vrijburg
jmstacey
08-19-2004, 11:16 AM
With most other Apache modules you just compile the module per the instructions, usually in the tar.gz you download. Once it's compiled, you edit the httpd.conf file to load the module and set any configuration options you might have.
Dr-Host
08-21-2004, 06:52 AM
If I copy the file to /usr/local/directadmin/customapache/src/modules/dosevasive/mod_dosevasive.c
and add to configure.apache_ssl
the line --add-module=src/modules/dosevasive/mod_dosevasive.c
and run ./build apache_mod_ssl,
it will delete the apache_1.3.31 folder and extract from the .tar.gz,
therefore deleting the file. Any ideas?
Thanks,
David
Dr-Host
08-22-2004, 07:37 PM
Found a way to install it on RH9 with DA:
a) Back up your current httpd.conf file.
b) Use the following command to compile the mod (it will generate a new httpd.conf file and add the mod lines in there):
/usr/sbin/apxs -iac mod_dosevasive.c
c) Edit your httpd.conf file and add:
<IfModule mod_dosevasive.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
</IfModule>
This does a pretty good job of blocking and unblocking IPs.
Hope that helped you,
David
resolveit
08-22-2004, 11:47 PM
Thanks David,
This works like a charm. I am assuming that when you say edit your httpd.conf file you mean the original and not the generated one.
Kind Regards,
Onno Vrijburg
Dr-Host
08-23-2004, 04:39 AM
No, I mean the generated one.
David
BigWil
01-25-2005, 04:37 PM
Any idea why the EmailNotify and DOSSystemCommand parameters will not work? I have tried everything. The DOSSystemCommand I am using runs fine at the command prompt using an IP in substitution of %s but it won't run from apache.
<IfModule mod_dosevasive.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
DOSSystemCommand '/usr/local/bin/php /usr/local/etc/blacklist.php %s'
</IfModule>
Thanks for any insight. This could be a really good addition and if I can get it to run that command it would be sweet since it will automatically add the IP of the offender to the IPF rules for any designated period of time.
BigWil
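Added example, not part of the thread and not BigWil's blacklist.php: a wrapper that a DOSSystemCommand line could call, which validates the %s argument before using it and logs which user ran it, so an invocation from Apache leaves a trace that can be compared with a run at the command prompt. The script itself, the blocklist and log paths, and the function names are assumptions; the firewall update is left as a marked step.

```shell
#!/bin/sh
# Added example: wrapper for a DOSSystemCommand hook. Paths are hypothetical.
BLOCKLIST="${BLOCKLIST:-/var/run/dos-blocklist.txt}"
LOGFILE="${LOGFILE:-/var/log/dos-block.log}"

# Accept only a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input is digits and dots only here
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Record one block request. Prints "blocked", "duplicate" or "rejected".
record_block() {
    ip=$1
    who=$(id -un 2>/dev/null || echo unknown)   # user the hook actually ran as
    if ! valid_ipv4 "$ip"; then
        # Log only the length, never the raw argument, to keep the log clean.
        echo "$(date +%s) user=$who rejected len=${#ip}" >> "$LOGFILE"
        echo "rejected"; return 0
    fi
    if [ -f "$BLOCKLIST" ] && grep -qxF "$ip" "$BLOCKLIST"; then
        echo "$(date +%s) user=$who duplicate $ip" >> "$LOGFILE"
        echo "duplicate"; return 0
    fi
    echo "$ip" >> "$BLOCKLIST"
    echo "$(date +%s) user=$who blocked $ip" >> "$LOGFILE"
    # Firewall update (IPF in this thread) goes here; changing packet-filter
    # rules needs privileges the web server user normally does not have.
    echo "blocked"
}

if [ "$#" -gt 0 ]; then record_block "$1"; fi
```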
Dr-Host
01-26-2005, 12:50 AM
About the mailing issue:
You should edit the original mod_dosevasive.c
and look for the word mail.
You will see something like /sbin/sendmail;
change it to #define MAILER "/bin/mail %s",
then save and recompile via the command I gave before.
About the CMD, there are several ways to make it work;
try using " instead of '
BigWil
01-26-2005, 04:38 AM
I did just about everything I could on the EmailNotify and gave up. This did include changing the path to /usr/bin/mail -t %s and recompiling. Still didn't work.
That is when I started looking into the DOSSystemCommand option. I created the script from an idea I got from another board. It works perfectly from the command line. I figure the failure of both are probably the same problem. Apache isn't letting anything run that way. I even tried a simple echo to a file and that didn't work and every user should have access to echo so it isn't a simple permissions problem. Maybe a more advanced one though.
Big Wil
Dr-Host
01-26-2005, 08:13 AM
I have the same problem on one of my servers; I've fixed it by recompiling Apache.
BigWil
01-26-2005, 12:18 PM
I am noticing this under the Apache2 configuration in the mod_dosevasive README file:
Optionally you can also add the following directives:
DOSEmailNotify you@yourdomain.com
DOSSystemCommand "su - someuser -c '/sbin/... %s ...'"
But it isn't under the Apache configuration settings. Does that mean that it is only available with Apache2 or do you have the Email and Command working with regular old Apache?
I installed it with apxs -i -a -c mod_dosevasive.c so I don't see how recompiling apache would help. But I did it anyways and without making any changes and it still doesn't work. Did you install mod_dosevasive static or dynamic?
Big Wil