mod_qos for Apache, an awesome way to prevent DoS Attacks

Publicada pormoises Deja un comentario en mod_qos for Apache, an awesome way to prevent DoS Attacks

Mod_qos for Apache an awesome way to prevent DoS Attacks


In computer networking, the term quality of service (QoS) describes resource management rather than the quality of a service. Quality of service implements control mechanisms to provide different priority to different users, applications, and data connections. It is used to guarantee a certain level of performance to data resources. The term quality of service is often used in the field of wide area network protocols (e.g. ATM) and telephony (e.g. VoIP), but rarely in conjunction with web applications. mod_qos is a quality of service module for the Apache web server implementing control mechanisms that can provide different levels of priority to different HTTP requests.

But why do you need quality of service for a web application? Well, web servers require threads and processes to serve HTTP requests. Each TCP connection to the web server occupies one of these threads respectively processes. Sometimes a server gets too busy to serve every request due to the lack of free processes or threads. Another parameter requiring control by mod_qos is the available bandwidth: all clients communicate to the server over a network link with limited bandwidth. Overfilling the link results in network congestion and poor performance.

Example situations where web applications require QoS:

  • More resources are consumed if request processing by an application takes a long time, e.g. when request processing includes time consuming database queries.
  • Oversubscription of link capabilities due to many concurrent clients uploading or downloading data.
  • Penetration of the web server by attackers (DDoS).

mod_qos may be used to determine which requests should be served and which shouldn’t in order to avoid resource oversubscription. The module collects different attributes such as the request URL, HTTP request and response headers, the IP source address, the HTTP response code, history data (based on user session and source IP address), the number of concurrent requests to the server (total or requests having similar attributes), the number of concurrent TCP connections (total or from a single source IP), and so forth.

Counteractive measures to enforce the defined rules are: request blocking, dynamic timeout adjustment, request delay, response throttling, and dropping of TCP connections.

The current release of the mod_qos module implements control mechanisms to manage:

  • The maximum number of concurrent requests to a location/resource (URL) or virtual host.
  • Limitation of the bandwidth such as the maximum allowed number of requests per second to an URL or the maximum/minimum of downloaded kbytes per second.
  • Limits the number of request events per second (special request conditions).
  • It can also “detect” very important persons (VIP) which may access the web server without or with fewer restrictions.
  • Generic request line and header filter to deny unauthorized operations.
  • Request body data limitation and filtering (requires mod_parp).
  • Limitations on the TCP connection level, e.g., the maximum number of allowed connections from a single IP source address or dynamic keep-alive control.
  • Prefers known IP addresses when server runs out of free TCP connections.

Deja un comentario

Deja un comentario

Este sitio usa Akismet para reducir el spam. Aprende cómo se procesan los datos de tus comentarios.