mirror of https://github.com/apache/httpd.git synced 2026-01-06 09:01:14 +03:00

Take a stab at documenting how we respond to DoS issues.

Please review!


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@369825 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Joshua Slive
2006-01-17 16:01:56 +00:00
parent bc7bd9831a
commit 4f46f35697
2 changed files with 111 additions and 0 deletions


@@ -26,6 +26,7 @@
Some of the suggestions will be general, others specific to Apache.</p>
</div>
<div id="quickview"><ul id="toc"><li><img alt="" src="../images/down.gif" /> <a href="#uptodate">Keep up to Date</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#dos">Denial of Service (DoS) attacks</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#serverroot">Permissions on ServerRoot Directories</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#ssi">Server Side Includes</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#cgi">CGI in General</a></li>
@@ -59,6 +60,59 @@
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="dos" id="dos">Denial of Service (DoS) attacks</a></h2>
<p>All network servers are subject to denial of service atacks
that attempt to prevent responses to clients by tying up the
resources of the server. It is not possible to prevent such
attacks entirely, but you can do certain things to mitigate the
problems that they create.</p>
<p>Often the most effective anti-DoS tools will be a firewall or
other operating-system tools. For example, most firewalls can be
configured to restrict the number of simultaneous connections from
any individual IP address or network, thus preventing a range of
simple attacks.</p>
<p>There are also certain Apache HTTP Server configuration
settings that can help mitigate problems:</p>
<ul>
<li>The <code class="directive"><a href="../mod/core.html#timeout">TimeOut</a></code> directive
should be lowered on sites that are subject to DoS attacks.
Setting this to as low as a few seconds may be appropriate. See
also the <code class="directive"><a href="../mod/core.html#keepalivetimeout">KeepAliveTimeout</a></code>
directive and various timeout-related directives provided by
other modules.</li>
<li>On operating systems that support it, make sure that you use
the <code class="directive">AcceptFilter</code> directive
to offload part of the request processing to the operating
system. This is active by default in Apache httpd, but may
require reconfiguration of your kernel.</li>
<li>Tune the <code class="directive"><a href="../mod/mpm_common.html#maxclients">MaxClients</a></code> directive to allow
the server to handle the maximum number of simultaneous
connections without running out of resources. See also the <a href="perf-tuning.html">performance tuning
documentation</a>.</li>
<li>The use of a threaded <a href="../mpm.html">mpm</a> may
allow you to handle more simultaneous connections, thereby
mitigating DoS attacks. Further, the <code class="module"><a href="../mod/event.html">event</a></code> mpm
uses asynchronous processing to avoid devoting a thread to each
connection.</li>
<li>There are a number of third-party modules available through
<a href="http://modules.apache.org/">http://modules.apache.org/</a>
that can restrict certain client behaviors and thereby mitigate
DoS problems.</li>
</ul>
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="serverroot" id="serverroot">Permissions on ServerRoot Directories</a></h2>
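Review bot: in the rendered list, `<code class="directive">AcceptFilter</code>` is the only directive reference without a link (TimeOut, KeepAliveTimeout and MaxClients all link to their module pages); it should point at ../mod/core.html#acceptfilter. The missing link is an artifact of the misspelled `mdoule` attribute in the XML source, so the fix belongs there, followed by regenerating this file, rather than editing the HTML by hand. The same regeneration will pick up the "atacks" typo in the first paragraph once it is corrected in the source.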


@@ -52,6 +52,63 @@
</section>
<section id="dos">
<title>Denial of Service (DoS) attacks</title>
<p>All network servers are subject to denial of service atacks
that attempt to prevent responses to clients by tying up the
resources of the server. It is not possible to prevent such
attacks entirely, but you can do certain things to mitigate the
problems that they create.</p>
<p>Often the most effective anti-DoS tools will be a firewall or
other operating-system tools. For example, most firewalls can be
configured to restrict the number of simultaneous connections from
any individual IP address or network, thus preventing a range of
simple attacks.</p>
<p>There are also certain Apache HTTP Server configuration
settings that can help mitigate problems:</p>
<ul>
<li>The <directive module="core">TimeOut</directive> directive
should be lowered on sites that are subject to DoS attacks.
Setting this to as low as a few seconds may be appropriate. See
also the <directive module="core">KeepAliveTimeout</directive>
directive and various timeout-related directives provided by
other modules.</li>
<li>On operating systems that support it, make sure that you use
the <directive mdoule="core">AcceptFilter</directive> directive
to offload part of the request processing to the operating
system. This is active by default in Apache httpd, but may
require reconfiguration of your kernel.</li>
<li>Tune the <directive
module="mpm_common">MaxClients</directive> directive to allow
the server to handle the maximum number of simultaneous
connections without running out of resources. See also the <a
href="perf-tuning.html">performance tuning
documentation</a>.</li>
<li>The use of a threaded <a href="../mpm.html">mpm</a> may
allow you to handle more simultaneous connections, thereby
mitigating DoS attacks. Further, the <module>event</module> mpm
uses asynchronous processing to avoid devoting a thread to each
connection.</li>
<li>There are a number of third-party modules available through
<a
href="http://modules.apache.org/">http://modules.apache.org/</a>
that can restrict certain client behaviors and thereby mitigate
DoS problems.</li>
</ul>
</section>
<section id="serverroot">
<title>Permissions on ServerRoot Directories</title>
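Review bot: `<directive mdoule="core">AcceptFilter</directive>` misspells the `module` attribute, so the transform cannot resolve the directive and the generated HTML loses its cross-reference; change it to `module="core"`. In the first paragraph, "denial of service atacks" should read "attacks". One wording point on the TimeOut item: a value "as low as a few seconds" can also cut off legitimate clients on slow or lossy links, so it would help to say that the value should be chosen against the site's real client population rather than simply minimised.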