page counter next up previous contents
Next: 實機操作測驗練習題 Up: Apache 2.2 HTTP Server Previous: AB test   Contents   DYWANG_HOME

防止 DoS

  1. DDoS (distributed denial-of-service) 及 DoS (denial-of-service) 在網路上十分常見,而 DoS 攻擊所傳送的請求跟正常的請求一樣,分別在於每秒鐘發出大量請求到伺服器,使伺服器的負載增加,最常見的情況是伺服器暫停服務。
  2. 從主機 dywH 經 ADSL 連線 dywang.csie.cyut.edu.tw 進行壓力測試,同時 1000 個連線做 20 次,測試結果前 50% 完成連線需要 2373ms, 100% 完成連線需要 49838ms。
    [root@dywH ~]# ab -n 1000 -c 20 http://dywang.csie.cyut.edu.tw/moodle23/index.php
    This is ApacheBench, Version 2.3 <$Revision: 655654 $>
    Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
    Licensed to The Apache Software Foundation, http://www.apache.org/
    
    Benchmarking dywang.csie.cyut.edu.tw (be patient)
    Completed 100 requests
    Completed 200 requests
    Completed 300 requests
    Completed 400 requests
    Completed 500 requests
    Completed 600 requests
    Completed 700 requests
    Completed 800 requests
    Completed 900 requests
    Completed 1000 requests
    Finished 1000 requests
    
    
    Server Software:        Apache/2.2.15
    Server Hostname:        dywang.csie.cyut.edu.tw
    Server Port:            80
    
    Document Path:          /moodle23/index.php
    Document Length:        64197 bytes
    
    Concurrency Level:      20
    Time taken for tests:   168.548 seconds
    Complete requests:      1000
    Failed requests:        996
       (Connect: 0, Receive: 0, Length: 996, Exceptions: 0)
    Write errors:           0
    Total transferred:      64891389 bytes
    HTML transferred:       64315239 bytes
    Requests per second:    5.93 [#/sec] (mean)
    Time per request:       3370.955 [ms] (mean)
    Time per request:       168.548 [ms] (mean, across all concurrent requests)
    Transfer rate:          375.98 [Kbytes/sec] received
    
    Connection Times (ms)
                  min  mean[+/-sd] median   max
    Connect:       25  355 311.4    279    3377
    Processing:   923 2991 2502.0   2001   49621
    Waiting:      239  606 432.8    476    5617
    Total:        953 3346 2517.2   2373   49838
    
    Percentage of the requests served within a certain time (ms)
      50%   2373
      66%   3470
      75%   3850
      80%   4251
      90%   5977
      95%   7851
      98%  10004
      99%  11075
     100%  49838 (longest request)
    
  3. mod_evasive 是一個預防 Apache 遭受 DDos 攻擊的模組,可以防止同一個 IP 對相同 URI 發出的大量請求,此模組已納入 DYW Linux REPO 資料庫,可以直接以 yum 指令安裝。
    [root@dywang ~]# yum install mod_evasive
    
  4. 編輯 mod_evasive 模組設定檔。
    [root@dywang ~]# vim /etc/httpd/conf.d/mod_evasive.conf 
    [root@dywang ~]# grep DOS /etc/httpd/conf.d/mod_evasive.conf 
        DOSHashTableSize    3097
        DOSPageCount        2
        DOSSiteCount        50
        DOSPageInterval     1
        DOSSiteInterval     1
        DOSBlockingPeriod   10
        #DOSEmailNotify      you@yourdomain.com
        #DOSSystemCommand    "su - someuser -c '/sbin/... %s ...'"
        #DOSLogDir           "/var/lock/mod_evasive"
        # Multiple DOSWhitelist commands may be used in the configuration.
        #DOSWhitelist   127.0.0.1
        #DOSWhitelist   192.168.0.*
    
  5. 設定選項說明:
    1. DOSHashTableSize:佔用記憶體的大小,如果伺服器比較繁忙,這個數值要設定大一點。
    2. DOSPageCount:同一 IP 在一個時段內可以存取同一頁面的次數,超過會被禁止。
    3. DOSSiteCount:同一 IP 在一個網站內可以佔用多少個請求,超過會禁止。
    4. DOSPageInterval:DOSPageCount 內的時段設定。
    5. DOSSiteInterval: DOSSiteCount 的時間設定,以秒為單位。
    6. DOSBlockingPeriod: 當發現疑似攻擊後,使用者會收到 403 Forbidden,這是設定封鎖的時間,以秒為單位。
    7. DOSWhitelist:白名單,不做限制。
  6. 重新啟動 httpd
    [root@dywang ~]# /etc/init.d/httpd restart
    
  7. 加入 mod_evasive 模組後,從主機 dywH 經 ADSL 連線 dywang.csie.cyut.edu.tw 進行壓力測試,同時 1000 個連線做 20 次,測試結果無法完成,連線被重置。
    [root@dywH ~]# ab -n 1000 -c 20 http://dywang.csie.cyut.edu.tw/moodle23/index.php
    This is ApacheBench, Version 2.3 <$Revision: 655654 $>
    Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
    Licensed to The Apache Software Foundation, http://www.apache.org/
    
    Benchmarking dywang.csie.cyut.edu.tw (be patient)
    Completed 100 requests
    Completed 200 requests
    Completed 300 requests
    Completed 400 requests
    apr_socket_recv: Connection reset by peer (104)
    Total of 456 requests completed
    



De-Yu Wang 2020-05-19